cybergate | 4882e4b4931e7a03cbf855d325ac0e2727b0a3947f23ba62dce417f5476bfd54

Analysis

max time kernel
147s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 16:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
Size

583KB
MD5

83f3ff9b1776581d0936cac5eda59d3b
SHA1

b2a4ab4332d7dbb3dc573e0e15f59a4df1860132
SHA256

4882e4b4931e7a03cbf855d325ac0e2727b0a3947f23ba62dce417f5476bfd54
SHA512

dbca4cc3e2cbe48ebaec2ebf4eb5a90c56aae00d90b0b8ca89de0d5a07db8fd5fa24c1b30e496366e8636fcfb91eb0c7b68d284bca293b1e87adf5b6dd17c0c7
SSDEEP

12288:mnpH4HYWO9guJ/sRcxVJfmOiRQsLAy9e49R0+zFyz12FHmCrFf1Q:6pHfgBcxVcOiRQza9R0MO18xy

Score

10^/10

cybergate elitem2 sitesinden dustu discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ELITEM2 SITESINDEN DUSTU

127.0.0.1:81

mzko.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
ESET
install_file
nod32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Decrypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ESET = "C:\\Windows\\system32\\ESET\\nod32.exe"	Decrypted.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Decrypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ESET = "C:\\Windows\\system32\\ESET\\nod32.exe"	Decrypted.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{05DY22NK-PG7Y-YM75-2S1V-M72FJCONW882}	Decrypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05DY22NK-PG7Y-YM75-2S1V-M72FJCONW882}\StubPath = "C:\\Windows\\system32\\ESET\\nod32.exe Restart"	Decrypted.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Decrypted.exe

Executes dropped EXE 2 IoCs

pid	Process
2668	Decrypted.exe
4396	nod32.exe

Loads dropped DLL 1 IoCs

pid	Process
4572	Decrypted.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\ESET\\nod32.exe"	Decrypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\ESET\\nod32.exe"	Decrypted.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ESET\nod32.exe	Decrypted.exe
File opened for modification	C:\Windows\SysWOW64\ESET\nod32.exe	Decrypted.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6140 set thread context of 2300	6140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	85
PID 2300 set thread context of 1952	2300	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	86
PID 1952 set thread context of 3140	1952	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	89

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2300-13-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2300-15-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2300-27-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1952-25-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1952-22-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1952-24-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1952-41-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x00080000000242c3-47.dat	upx
behavioral2/memory/2668-50-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2668-59-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4572-69-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2668-62-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2668-130-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4396-152-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4868	4396	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Decrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Decrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2668	Decrypted.exe
2668	Decrypted.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4572	Decrypted.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	Decrypted.exe
Token: SeDebugPrivilege	4572	Decrypted.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
6140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
2300	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
1952	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
3140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6140 wrote to memory of 2300	6140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	85
PID 6140 wrote to memory of 2300	6140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	85
PID 6140 wrote to memory of 2300	6140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	85
PID 6140 wrote to memory of 2300	6140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	85
PID 6140 wrote to memory of 2300	6140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	85
PID 6140 wrote to memory of 2300	6140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	85
PID 6140 wrote to memory of 2300	6140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	85
PID 6140 wrote to memory of 2300	6140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	85
PID 2300 wrote to memory of 1952	2300	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	86
PID 2300 wrote to memory of 1952	2300	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	86
PID 2300 wrote to memory of 1952	2300	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	86
PID 2300 wrote to memory of 1952	2300	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	86
PID 2300 wrote to memory of 1952	2300	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	86
PID 2300 wrote to memory of 1952	2300	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	86
PID 2300 wrote to memory of 1952	2300	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	86
PID 2300 wrote to memory of 1952	2300	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	86
PID 1952 wrote to memory of 3140	1952	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	89
PID 1952 wrote to memory of 3140	1952	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	89
PID 1952 wrote to memory of 3140	1952	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	89
PID 1952 wrote to memory of 3140	1952	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	89
PID 1952 wrote to memory of 3140	1952	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	89
PID 1952 wrote to memory of 3140	1952	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	89
PID 1952 wrote to memory of 3140	1952	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	89
PID 1952 wrote to memory of 3140	1952	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	89
PID 3140 wrote to memory of 2668	3140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	91
PID 3140 wrote to memory of 2668	3140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	91
PID 3140 wrote to memory of 2668	3140	JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe	91
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92
PID 2668 wrote to memory of 4592	2668	Decrypted.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6140
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83f3ff9b1776581d0936cac5eda59d3b.exe
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4592
      - C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"
        6⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
        
        C:\Windows\SysWOW64\ESET\nod32.exe
        
        "C:\Windows\system32\ESET\nod32.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 572
        8⤵
        Program crash
        
        PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4396 -ip 4396
1⤵
PID:856

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ff198185d044425b19629162f9422a1&localId=w:4ACC00A0-1788-710F-65CA-E695752A695C&deviceId=6896216935924576&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ff198185d044425b19629162f9422a1&localId=w:4ACC00A0-1788-710F-65CA-E695752A695C&deviceId=6896216935924576&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=322342CE2462632639E85778258262D1; domain=.bing.com; expires=Wed, 15-Apr-2026 16:36:01 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7A83B94CB48C4F4C8ED24F9BCDD20A1C Ref B: LON04EDGE1207 Ref C: 2025-03-21T16:36:01Z
date: Fri, 21 Mar 2025 16:36:00 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2ff198185d044425b19629162f9422a1&localId=w:4ACC00A0-1788-710F-65CA-E695752A695C&deviceId=6896216935924576&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2ff198185d044425b19629162f9422a1&localId=w:4ACC00A0-1788-710F-65CA-E695752A695C&deviceId=6896216935924576&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=322342CE2462632639E85778258262D1

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=A62IYyFvRFDU8N2d3MpReWFamNQ2QBhGJktQSOJNzWs; domain=.bing.com; expires=Wed, 15-Apr-2026 16:36:01 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AF8D9162EFDA41FD90125C9B796981F3 Ref B: LON04EDGE1207 Ref C: 2025-03-21T16:36:01Z
date: Fri, 21 Mar 2025 16:36:00 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ff198185d044425b19629162f9422a1&localId=w:4ACC00A0-1788-710F-65CA-E695752A695C&deviceId=6896216935924576&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ff198185d044425b19629162f9422a1&localId=w:4ACC00A0-1788-710F-65CA-E695752A695C&deviceId=6896216935924576&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=322342CE2462632639E85778258262D1; MSPTC=A62IYyFvRFDU8N2d3MpReWFamNQ2QBhGJktQSOJNzWs

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 51D7F400F0E94743AFE4CA37EBCFFB03 Ref B: LON04EDGE1207 Ref C: 2025-03-21T16:36:01Z
date: Fri, 21 Mar 2025 16:36:00 GMT
DNS

www.server.com

Decrypted.exe

Remote address:

8.8.8.8:53

Request

www.server.com

IN A

Response

www.server.com

IN A

104.21.21.68

www.server.com

IN A

172.67.196.208
GET

http://www.server.com/sqlite3.dll

Decrypted.exe

Remote address:

104.21.21.68:80

Request

GET /sqlite3.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.server.com
Connection: Keep-Alive

Response

HTTP/1.1 522

Date: Fri, 21 Mar 2025 16:36:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7076
Connection: keep-alive
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=22vjbKqpm3TgPvc5qNwLF2YFriBiHK5h0tnVVxf%2F7hkr8NZ2rS3DuFq%2Bdm6myR07fRnnx7LnJNST%2BQhfvXDHJ7C4kaFQTCLz7aa8PKzI%2BS6WKZ8e4rEAwaHRuJciFQa7Mg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 923eddacada9946b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=22726&min_rtt=22726&rtt_var=11363&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=284&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388172_11H31EUO703JYE8HS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388172_11H31EUO703JYE8HS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 762590
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CEF110C080BE42199F224C68E882312A Ref B: LON04EDGE0716 Ref C: 2025-03-21T16:36:35Z
date: Fri, 21 Mar 2025 16:36:34 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239357296555_1NQZO136EN197N4N8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239357296555_1NQZO136EN197N4N8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 520592
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 02B4C22F8BE6468F8E25673EABAF2EFF Ref B: LON04EDGE0716 Ref C: 2025-03-21T16:36:35Z
date: Fri, 21 Mar 2025 16:36:34 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 594481
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 987B33EC4B7E4288950C4D6F6AC775C4 Ref B: LON04EDGE0716 Ref C: 2025-03-21T16:36:35Z
date: Fri, 21 Mar 2025 16:36:34 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 663065
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3EA63FF345EF479CBD6164DB3189F287 Ref B: LON04EDGE0716 Ref C: 2025-03-21T16:36:35Z
date: Fri, 21 Mar 2025 16:36:34 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388173_143HGT0XS5NV1OXIB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388173_143HGT0XS5NV1OXIB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 495695
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 27D46BED0F944CF29807E5922037EDB0 Ref B: LON04EDGE0716 Ref C: 2025-03-21T16:36:35Z
date: Fri, 21 Mar 2025 16:36:34 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239357296561_1OO0GI7LQYW9WHHBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239357296561_1OO0GI7LQYW9WHHBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 669559
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F5937BCFB43649E0966E39F8B788B454 Ref B: LON04EDGE0716 Ref C: 2025-03-21T16:36:35Z
date: Fri, 21 Mar 2025 16:36:35 GMT
GET

http://www.server.com/sqlite3.dll

Decrypted.exe

Remote address:

104.21.21.68:80

Request

GET /sqlite3.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.server.com
Connection: Keep-Alive

Response

HTTP/1.1 522

Date: Fri, 21 Mar 2025 16:37:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7076
Connection: keep-alive
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yTPpAKkYLr0l5YRURK%2BsLQNUD9YwQ7ql6eiE0%2F3J3ksruY6DTg5xcFXHxfw7fVy3hCA997Pzy0a4LZOtUAl7PI%2FSTlQSoMTRGNr3W5rzmqZtHrRYtEdq%2FNckQ5O2j0kj%2FQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 923edec1497993ef-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=22782&min_rtt=22782&rtt_var=11391&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=284&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://www.server.com/sqlite3.dll

Decrypted.exe

Remote address:

104.21.21.68:80

Request

GET /sqlite3.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.server.com
Connection: Keep-Alive

Response

HTTP/1.1 522

Date: Fri, 21 Mar 2025 16:37:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7076
Connection: keep-alive
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Na63JBB8nT4hdodLXn9Zf1u8OYrgs61prTrHS1g%2FpyF57Tyh4l%2FEnL5v7LmsRVzbtRMoHZQ%2BJdslKkstE2pIwZJUB5ZVpRF4h2OgfKg%2BblfDdUg5ZikUZ7tutayArJfPWg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 923edf001ee7bd90-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=23044&min_rtt=23044&rtt_var=11522&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=284&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.180.3
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.180.3:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Fri, 21 Mar 2025 15:49:32 GMT
Expires: Fri, 21 Mar 2025 16:39:32 GMT
Age: 2849
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ff198185d044425b19629162f9422a1&localId=w:4ACC00A0-1788-710F-65CA-E695752A695C&deviceId=6896216935924576&anid=

tls, http2

2.0kB
9.4kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ff198185d044425b19629162f9422a1&localId=w:4ACC00A0-1788-710F-65CA-E695752A695C&deviceId=6896216935924576&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2ff198185d044425b19629162f9422a1&localId=w:4ACC00A0-1788-710F-65CA-E695752A695C&deviceId=6896216935924576&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2ff198185d044425b19629162f9422a1&localId=w:4ACC00A0-1788-710F-65CA-E695752A695C&deviceId=6896216935924576&anid=

HTTP Response

204
104.21.21.68:80

http://www.server.com/sqlite3.dll

http

Decrypted.exe

790 B
8.4kB
11
8

HTTP Request

GET http://www.server.com/sqlite3.dll

HTTP Response

522
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
12
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239357296561_1OO0GI7LQYW9WHHBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

131.5kB
3.8MB
2790
2786

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388172_11H31EUO703JYE8HS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239357296555_1NQZO136EN197N4N8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388173_143HGT0XS5NV1OXIB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239357296561_1OO0GI7LQYW9WHHBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
104.21.21.68:80

http://www.server.com/sqlite3.dll

http

Decrypted.exe

698 B
8.4kB
9
8

HTTP Request

GET http://www.server.com/sqlite3.dll

HTTP Response

522
104.21.21.68:80

http://www.server.com/sqlite3.dll

http

Decrypted.exe

698 B
8.4kB
9
8

HTTP Request

GET http://www.server.com/sqlite3.dll

HTTP Response

522
142.250.180.3:80

http://c.pki.goog/r/r1.crl

http

476 B
395 B
6
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

www.server.com

dns

Decrypted.exe

60 B
92 B
1
1

DNS Request

www.server.com

DNS Response

104.21.21.68

172.67.196.208
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.180.3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Decrypted.exe

Filesize
276KB

MD5
6bbb65886c4172221b4a0da142842a52

SHA1
8367aeb8d11afc828a18787eef0a34ee4b32fdc7

SHA256
1c178c867bd995df422c5abfab069e1361595fcc3100465f14f54c9ef694a2be

SHA512
72f993c94c7ca188338a05caf0effbbf7253225c1341d08ba16bfec35e1e776dfc404bde56a7130f1154232c04155d4808bcbc476ab793afa76906cf008bdfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
8175fcc70b9611cd47e10838582ebfe3

SHA1
1023d0c7575a19d2acaae8b9e9e4f15bb3931e67

SHA256
8209a0d0f2dab4ee3dcb5f9474fa01657d65bcb3becf291d7dc036c0c86cdc32

SHA512
ebf0f1d2f56044b7f686329db1500061d3a2d9e29dcb9408768b6d1568049c9a250279111c0f592730debb51230a0813a321a4759d745cc5b683a0b8ddd06237

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b7823613864378c7290b857721dc0641

SHA1
0aff63f103a05cbbf913ec4e94fe94543249e86b

SHA256
832b111e1fd56e747f9e40a90d7ae0f25f39144fe42b973e281c557295f7139e

SHA512
d13e9017587e9055e7b3f1da230529eb2609d2d8eec48774e73b2bdf71a11ddda7dc778a059d0b14e49c6d970dd2a7b4663bdac53b9512539821c6a2a4007989

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
621bd7b151f178295e5babb42ae9c6c5

SHA1
fb926364a0e4573093c771307410020fa64eb127

SHA256
a8d1e410cb9a22a1a2f11fd5703b9e89a9c203d6b8ed9a1c8840276f28090306

SHA512
7210d02b660fcbca6247045b6c4ba66626195cb1b063eee63c07ad04ad9c9a5abe95a9a5e5965313e1540f8c38a497b64ad53f5aac51617382ce7ea8c54e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ae4357e9cc2e95a210d03c7e2b0c1559

SHA1
2ef147a1960e602408620c200e488ae8e70add6f

SHA256
81116a95224d6dd315b2951f13be6c0804bbd285553ce7d803d8736414355664

SHA512
d3d6e694d811ea3edbd1c9f3eee9b843b8818721dae5db1198ace2363259b4ea8c93f076e2053cfb481b78c7bf95767e0c1a174a5c40c5a9f9f9aa428f6a3ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
26af53066d2ea0eb04215f7e0e17ec3b

SHA1
705a35d345d70c7275ca7c3da6f765f4855ca9b5

SHA256
073ba3af2acdaf322ec8264c394967b8b52bbfdfd170470191c4a76dabb26848

SHA512
09ec802948aa046a501f369b891d825f3ef462999b2189d10a013442189c1fa9600e4517eb4a49feb18f330504a0180c3dc6242deb5994c05da61d81d61b864f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4711d8360138bfcfb3c39031120b15c1

SHA1
4c272ca1a0be6e11faa264a28bc0e1e1c8f7d3a2

SHA256
44e2e12e7c5b4dbbaa4bcc6f3551d2d7c2489b5ff57f1cc5944f1e0d684d935e

SHA512
3a8fbce00a0f54be00f5fa707fa3fa1df3ea166554ecf2b0e92f8da3b10ba69705ba355f1f114524d96811e34d3fa6024054a7dad006ca44a1985766a0470b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f1fbcf8e75ab86400a3a09af0e12ef0d

SHA1
2e3cff9eea4fb6ee8292a2a17b6a8ee07aed7a79

SHA256
7d39d2294166d69284ef82a3ebac3fd89986323a092265746fa2a030d3e18697

SHA512
cad7941dad3c358987eccdd86c8fdeb198d5eb739357fafe68034d8493ed85f8ebb1eb78aa624cb1a2bc3b3a4bc1640bffb1f1f8267e601931d984084dbb0f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b4b994fb5385a4d25cc085b2c6846d43

SHA1
889e521ccadf952a667cc85042510ce97ff7a12e

SHA256
e10263b2f37894b090cfd4366a86dc603cbd486d9cadcdff9269fe7676932b3a

SHA512
38a93fc0d517701af0107428d04bdfdc69943d8079bb5bf4c203820849a5d1d441f36db1cc4f303cbab91dece77def8d5dadf3aca4e8b8354fa534cc69b7f31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
073287a93015dddc70c90252772c2131

SHA1
3504f41ad91226ebb867031049bff51d123f68b5

SHA256
46006e92d81e07d619114ecb0d615f4f876b46213a6e226d17107d642471f85c

SHA512
08e897d65fda4399788fc15efa27019994643095aae074a3ccebcf890eba1230496a4c562e6cdad38e7e32335ff27020ae5c066ee0f6a3b8d137c9495ddb6afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b92682b17ae04d9c9dd1eb9e37595224

SHA1
4f133f2d07d19a6d8a355911e77237994a707973

SHA256
cd2098fe468e7377ea5e2cda21892991ad5bb6499c689b553f0d1705747ffafc

SHA512
cf31d438ea340f8e0b58182c6452c08543bcd64d42976d296d79f8332bf283656aaeef23d8b4a3a846e04d6075877dbb91d317e6e3b8a28875babb5d1669626a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2cfc5e0d2d3db69daab3276a04cba6e4

SHA1
519684ac86956bedba0ee7824871fe6ccebf1c10

SHA256
1857e28624ada2fd790fa3e3c6bf42d167f690586c476ec1e803125bf3c8006a

SHA512
e3ee598d80eb4550f2cf1ce57aef1fb6514aeab6b41082ec9a1fb964d858040e8262aef4da84caaccf0684d0712f93adf2c8f30e59002ffdb51a01f14a608eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a8c2a0a055281b82fdbf65842504c194

SHA1
3cf68a133cda943bd7c21e8291c198a8cf922302

SHA256
13098e2bfdc7fda30eabfb3ba85492276c835920c8bc7c152617093d847c6aad

SHA512
2763a300aab1cd3f8ac0a9ff9eaa0b2f5cc4338bf3a379ed9dedc0a6791098e412dc82c66dee49b333eb8bacf6bfbde49a72406db7af24d00cfde9bfd8ad7d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3bda7297b5ac60a1e05d47f432d4bc48

SHA1
69524a7725b429e9c1b3372bd7839365102452b6

SHA256
22e68fdc98e5f4bc580c678ef02d9d8f11a872ef2ec2e00469931beccf1b0af2

SHA512
edd34ce7d7a625f650a1a648838546450f15aebb6423d119046702c7ebecbabfd03f0be1780a3b055e1cc1a714133dbfa421e394578633689ba701d0f3203456

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3935e5010987117789ddcab009bf019c

SHA1
d6462e05b96f1ad60b27d6ab38df04f1dfd64c3d

SHA256
e46bd9e8279294d87bae517b6312db93fec504e8b28971bb6696b50344c57ead

SHA512
2a58aa4235bebd1f930d631483d2e1ee81b3201f35547d82487d00dec128ac0237385d7c025f7265d11620694d09d5c802af838465d18b6bf907aea4e9c4816f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
244d8eda22c04325b9cefe0295d22dff

SHA1
a175c112f3b63e9c32698311296f3adb558a2d71

SHA256
4e214ac05d44d0d4f164b9c9080d6d0b0681d9fb9ffe2d606bc0b3f2f8564c77

SHA512
13dbe23c4216b7720170ce9c6ddd314cf84ba76d9b435d2516debd033fee2142c7c5eedc61b05377ec84af8be257984845d413f8c6a264f8f3b4c68987038bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5db7b82d6a18839ec9384debe891beae

SHA1
86bcba9e290b3bfe94ad87af92fbe92be5a4306d

SHA256
0132c3d4cc1ace7a1360b09204567b14130e1a38e4f44602f7090f6d9667c430

SHA512
25722419d270f0ea0bc222b340bc442958687c55454c93dabe517e1553dbf21a357b57f7838dc8b42f12e0a99cf874d3b865c8943f204a7f937c31ad66a08f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b0c02ec8092a3532f0a90e95a4368d49

SHA1
8c71c738ae6270099dec1e200a42c8a1e9123ffb

SHA256
faabc179b0d83049c917b84ac2add11c8d3221fbc821cb445e14cf05a27d266b

SHA512
552f154f53ff93db6eaf1769e8f9d343297ac813a23546f6adbe31e6872fe223e15a69b8596635a582d8b6ff357eac79191f35402f8a81c03e02a24980c072f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
49f055393068aa76652a0a944d8c0bef

SHA1
7468907fbd9f40896b206dde732f5abfb41555ee

SHA256
c6b15fcdd632cb45facac5819be323a43b0a77dad3682bffb853d67c0d6fd60d

SHA512
6a05894f4aa7877ef37c2e672f81cabc3e4e917b14cefb2ef02b0dde18c6f6343da65bf33bdbca81a4c81864c338dec84e2d2a1db1d1b0361d29d2efef05346b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e373b69c953afc00e5c922cf699740b3

SHA1
be986cbbe025b7723a74293b658f5af7bc244b08

SHA256
42e6b48488ff2715c91a47c12f1bffe5163c8efaf45cc376fcc545ec4d178973

SHA512
291fdf6bbfadab4c2f6bfecbf1481b9d8fe4de4a12f126c77d392502579bdb93ae31922521956bd00c3f23095b4024e4f655e5710d51fc0cb8093fe878db908c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4fdea963e955a6dfa85c936f9c0bfd3c

SHA1
0af4a137b02b63ee1f7a6cb5c929d0088d95ab42

SHA256
6f5492abe997e62408b1a2bb77b6bba1950bbb34afebbaa26e53eb636de1b1d1

SHA512
bd4a7736008062febc5077be2301e8cb5cddd058391ecae4bfdb0a8e61af676715d19904f871076e42b7601c7f60c52cdd77892874ee7ef3084d74151fc4e5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a3b5a76ba84ee22098f33eec66aa4517

SHA1
2721a3523022f3d5515836ded986b01ac1b8b012

SHA256
e3a8fbf7caf95783dfcbe65fec4f6f969b4365e00372f18e23e266b025f8b01b

SHA512
df04e7f8e294aeacb4bc9d4fff68ac6e87eed239b3ea346562354705f19ef096f9e372197c9cf129d5df67f0c2389f16ef4b671ba0a9632e641dea47689cdaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0ccde0c67c856bd60674fa35c44e373c

SHA1
7c068b8fa774696aa66962196b4597e108d2829a

SHA256
209c3574887325903ff68160d631de29dea41a1b4dd39f2334aeed2f1d6789e2

SHA512
4c90370cb7e5536626a430cace85d73c17cfe27c9f35cc248887ca85adc604ae0083f669ad0cb130ff8ce803b71f59ca9665c939b7c69c489022c3c65e8134a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2bacbbc7c038b13be849ad6b3ee40c64

SHA1
52cd3ab712c918f2b4ffa4a8d85e26ee8c006d1a

SHA256
917a641a1a0a8cd5bcab29498f12b24219d1eeacdd6a9539721601cfa598c49e

SHA512
6500f52f8ee3b146bae287fcc44c70e63eec0d9932a8aed2b317b3693278ab4ffdf0c0997801ae9e7464edd100aebcb8869832297ac2a46df6866375ca42b9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
314e195c23c7b142062a7e341e16df83

SHA1
9c3603cd360c7f79ccf8f4d17a81bc57aadd8506

SHA256
30dc93aa0ebe2034fd83589048e78f08df340327e117617e06a389905428278f

SHA512
4cc3355b9b631c91c623924e1bc4fc4a2ded8409e55b7ed5db215084446cfb9f9bc75eab31025fd752fb39d94e95e05b306c226f36cdfa30dbec36b529821d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
347f8d6df5bfffd82669eb0021c319bc

SHA1
5add76705a42b7bd7942e3e9d8c819f7eb33616d

SHA256
4dd57f5914b914c1c4494a4058345c516f471e60d0c05765b7a6f39e21a8224d

SHA512
4612b97ac76a7f0033074820a8dd6527a3a5eed7ef0f1a0544b04051f3cde44fc11788bdd5c1c05d3ec4f45f20dd0b54ded34149b448da97b595d843f36ebf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1437e50f0aa2bba169d8296c9c51c28d

SHA1
c61ed4ca1e8dc8aac76fc85779955c17be53c79a

SHA256
63b67638419d8017578a6a11f02dfce06dcb3bcb4ef76c23d09d283a4a9e8c5e

SHA512
4410bb24377ed03ae1e2266c77be059cd27cbb78888a15c7bde70bc4b3b705d830b3f605fc2d7e59227d850683e6fd675f891572e5a4c6d81cc31a86afa8d58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
de144feaf58a653af3f1929ebb7663c6

SHA1
ef741de8d83094cb19d7101a04e6f42e153613ce

SHA256
3ac58ff3917ec4bac2b75a3f751aae7b9362edddbd25e58d94778b123f582649

SHA512
c7f809ec3db2ab0dac922093b97f4b19f234f801c3dff33dd547dc06499057298f425997368ffc205b2e6b2f8ac7c9de792e7a6f49d1b18c412f4482a4f26217

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
80937501c594fa3167d46ebdfa4b4840

SHA1
4a907f5c78abbc20df6fbd678369b25fdacdfe71

SHA256
f934b04f9d072d982ca28b210391ddcbf29d3d7db6ffb02ded3a5b2d1be9a63e

SHA512
8a344cfc4dfa7f43410ceef9873fd0f5108dd372133a3046eca65b67f950720e291784886b20e416d1a901575cc961f9ed6a6baaf83ed10559b4f1606de7f60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
62458933ab190b31bd4e259e720d2c9b

SHA1
30846e7008456e1ae99c64a0ee8744326b85752d

SHA256
16ff77c0bea074f7ec3202c5f95fb8fe06c0c24d21415e25e1e829c101c1f965

SHA512
c63c3b3ee1ffd821e593222c7dd5b099d0234e4fd02a915284884fd21351c5178062975a8d6379270a156a81cb29e747f6b30559733630336539555ca21ae668

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e54443dd2c19298a12a00ecb6515f307

SHA1
08a23ed7ed9a7a47471e5177a2a07a1389873187

SHA256
a2bf81d1813926d36eeb25ced10953bb9a65af23b76115e92c66edbd8e170ae0

SHA512
6fc3031470553f2ca97cc751cfefd28f850b7a60d2772f0638254a836311c8283f66d00cf413f1bbcbd8b6b143c2e7422d9779607de4ece35b6551129cb77d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e35c081211ee0c7107ece20c4b8e8c74

SHA1
83f16bd8978ebc77090b04b778141cda8b45bca9

SHA256
52d2a773373d9b70a1e9497f63d26e6eaa51393e8782895770327ea0f464ad73

SHA512
c92f1ac0a18eaea3b8260f14d1274bba4e92854b2b490808c3d1b23de7f18174e8b5f83b1c7bbc87cf6f266c0648a61d02bab5b27794c681ab7da0aa5dde0103

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fbde248560c62c43ff69f3b1f00492c3

SHA1
d70c8021d0b9f4eb8ef79b61b8d7173f2e8b1378

SHA256
2401106fa134010363414ffff6dcd058b32713f8587a20f2a195ce1cdb621ef2

SHA512
99e2b0a6921ff0ad596ff43380854c9470c5a92c2f043ad00670cce624ce65849030ae7fbf6fe1a045f8bd329631bfb8fa9ee6f88ba50f0fa4e9ca6c2ad0d56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
22277430a375a406a544f2f6f4ba916a

SHA1
b6f8f1ec124a381047b10838045dd44910386d6b

SHA256
9c16f7b20dad673edf5f444ca19c99072ffacd74cbd88131ba35ca6536e30a75

SHA512
899fb793c8ce04117d4169a91b58367da40f7c48df512011e2786c5d033407d76ad9d9a57a9e6705b0a65b591aac44b4d77d423ad2d41cf918dc9834a847aa51

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fffb366dec2e37973a3386248d6609ca

SHA1
f38b7ba15c616ac14fa527fafb80ac9ca45dbbe7

SHA256
6180bdc58cd41184a7b18ed5ae4a7dfd30215ce38016717678b9edf3ce6e5d12

SHA512
aafbffb447ab73cf5f340b5fca316c84eb900bf016a96511fd898e8385aeb5983a9d5e6f19a36a245a769d7928eabdce456eb9b368c74890b7fd839b007887c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4774d5d386b1fc4cf3330cb937db7a77

SHA1
9bde6c1509d019de93b0e61bbbe307fd33f6981e

SHA256
07ea98c5b3c0d08f7602e97926fef02339d1163dde4586961d90dbd64aed1389

SHA512
ba35a34329036100689c4784914bd1ccac70c184a7a5e143647ff8458b97364a597df438d47f2640270c37bc0b5ef9fd54979950f2c9b9780793b4312e271688

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6611b451f93ce8ea72de502fcd430ad

SHA1
d39c2d2aae8cb4411a62dcd07ecb767cfff6a21b

SHA256
f023fe588d39e4fabf635bd079baf2422b8a585bb2efbb95db2af0bdf6ccfb7d

SHA512
1a7c32ef0d31417c81c53fa0e228ef0215c9e3df96ac6ab160d05a70d8a89bf9c91b63e3ac974cf76d51a626f0467fbc5c244f61644d9d14a96ec1cfa7f23d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
47b316140b833f341a35e26075baf756

SHA1
2667c253b5f2224c8efe8f54f46d6002cbdd25e2

SHA256
f261a018700130d44598c85db6cd48116518e7adfb19f15bb486f5951d818461

SHA512
f408cc3bbd423d086a9ce351d1b4fb0a7b21e96519b31f72d256ae389ab47dbb1372845f5c279a27c72057fbf9ad14b8ab0a27c6aa1ceeff0c51a4ea09ad6fcb

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/1952-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1952-26-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/1952-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1952-42-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/1952-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1952-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2300-27-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2300-20-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/2300-31-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/2300-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2300-13-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2668-50-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2668-62-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2668-59-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2668-130-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3140-32-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3140-55-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/3140-38-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/3140-53-0x0000000000400000-0x00000000004069A4-memory.dmp

Filesize
26KB

Download
memory/3140-51-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3140-35-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3140-33-0x0000000000400000-0x00000000004069A4-memory.dmp

Filesize
26KB

Download
memory/4396-152-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4572-70-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/4572-63-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4572-128-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/4572-69-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4572-155-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/4572-154-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/4572-153-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/4572-64-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/4572-68-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/6140-18-0x00000000021A0000-0x00000000021DD000-memory.dmp

Filesize
244KB

Download
memory/6140-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6140-19-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/6140-1-0x00000000021A0000-0x00000000021DD000-memory.dmp

Filesize
244KB

Download
memory/6140-12-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/6140-9-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/6140-8-0x00000000769E0000-0x0000000076AD0000-memory.dmp

Filesize
960KB

Download
memory/6140-2-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/6140-3-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/6140-4-0x0000000077492000-0x0000000077493000-memory.dmp

Filesize
4KB

Download
memory/6140-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6140-7-0x0000000076A00000-0x0000000076A01000-memory.dmp

Filesize
4KB

Download
memory/6140-6-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/6140-0-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.