Analysis

  • max time kernel
    137s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/03/2025, 06:10 UTC

General

  • Target

    4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe

  • Size

    650KB

  • MD5

    f6276c3c25982a59d17cced52b409e2f

  • SHA1

    61025476f38e1a9bd29721014c76cc03d27f145f

  • SHA256

    4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5

  • SHA512

    a128ca1cd21b9e22b3173d5d0ce2015c492f271dc3a70af095a632c05bdb264261969ebefbfcc21c921022a08829f043c85ebaf075e0f34e2f532438220fda6c

  • SSDEEP

    6144:BtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rfc:r6u7+487IFjvelQypyfy7fc

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    Trav01is@yandex.com
  • Password:
    Boy12345#

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe
    "C:\Users\Admin\AppData\Local\Temp\4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Users\Admin\AppData\Roaming\app.exe
      "C:\Users\Admin\AppData\Roaming\app.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Users\Admin\AppData\Roaming\app.exe
        "C:\Users\Admin\AppData\Roaming\app.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2372
      • C:\Users\Admin\AppData\Roaming\My.RawFile.exe
        "C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:5272
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5580
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4884

Network

  • US
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6b0cdc839c0644f3a82a66478ece86cf&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6b0cdc839c0644f3a82a66478ece86cf&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2603D41AB2CF624C2E00C1ADB32F63B3; domain=.bing.com; expires=Thu, 16-Apr-2026 06:18:16 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 20DA3B2C6AFA4B70BAA90A97796583A8 Ref B: LON04EDGE1111 Ref C: 2025-03-22T06:18:16Z
    date: Sat, 22 Mar 2025 06:18:16 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6b0cdc839c0644f3a82a66478ece86cf&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6b0cdc839c0644f3a82a66478ece86cf&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2603D41AB2CF624C2E00C1ADB32F63B3
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=a77KAUk9HZg9sEgzz1WG79cKug_Zm4k6NiBujJL0lPs; domain=.bing.com; expires=Thu, 16-Apr-2026 06:18:16 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AE49FF88B7584898BA42F9ECE9CD1558 Ref B: LON04EDGE1111 Ref C: 2025-03-22T06:18:16Z
    date: Sat, 22 Mar 2025 06:18:16 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6b0cdc839c0644f3a82a66478ece86cf&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6b0cdc839c0644f3a82a66478ece86cf&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2603D41AB2CF624C2E00C1ADB32F63B3; MSPTC=a77KAUk9HZg9sEgzz1WG79cKug_Zm4k6NiBujJL0lPs
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BB69031209C04FF8B9DCE282EDA076A0 Ref B: LON04EDGE1111 Ref C: 2025-03-22T06:18:16Z
    date: Sat, 22 Mar 2025 06:18:16 GMT
  • US
    DNS
    checkip.dyndns.org
    My.RawFile.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    193.122.130.0
  • BR
    GET
    http://checkip.dyndns.org/
    My.RawFile.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 22 Mar 2025 06:18:34 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • US
    DNS
    smtp.yandex.com
    My.RawFile.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.yandex.com
    IN A
    Response
    smtp.yandex.com
    IN CNAME
    smtp.yandex.ru
    smtp.yandex.ru
    IN A
    77.88.21.158
  • US
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • US
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239357306959_1Z1X7MZEKHFIEBDFO&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239357306959_1Z1X7MZEKHFIEBDFO&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 507475
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6008583EE885435683F6F82BF0956930 Ref B: LON04EDGE1008 Ref C: 2025-03-22T06:18:52Z
    date: Sat, 22 Mar 2025 06:18:51 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 700105
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5D83E0B9D3564BDE8DFD546F3853A08F Ref B: LON04EDGE1008 Ref C: 2025-03-22T06:18:52Z
    date: Sat, 22 Mar 2025 06:18:51 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239357306958_1RB533RDJGV5W5CSS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239357306958_1RB533RDJGV5W5CSS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 758841
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8C4E09862474480CA90697317A71FA43 Ref B: LON04EDGE1008 Ref C: 2025-03-22T06:18:52Z
    date: Sat, 22 Mar 2025 06:18:51 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 721420
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E8CEABFE6A924E2291F50517A3249066 Ref B: LON04EDGE1008 Ref C: 2025-03-22T06:18:52Z
    date: Sat, 22 Mar 2025 06:18:51 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 193575
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E49506F5A32E413993710A03B334D3D0 Ref B: LON04EDGE1008 Ref C: 2025-03-22T06:18:52Z
    date: Sat, 22 Mar 2025 06:18:51 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  • US
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.180.3
  • US
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
  • GB
    GET
    http://c.pki.goog/r/r1.crl
    Remote address:
    142.250.180.3:80
    Request
    GET /r/r1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 304 Not Modified
    Date: Sat, 22 Mar 2025 05:59:32 GMT
    Expires: Sat, 22 Mar 2025 06:49:32 GMT
    Age: 1189
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Cache-Control: public, max-age=3000
    Vary: Accept-Encoding
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6b0cdc839c0644f3a82a66478ece86cf&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=
    tls, http2
    2.0kB
    9.4kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6b0cdc839c0644f3a82a66478ece86cf&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6b0cdc839c0644f3a82a66478ece86cf&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6b0cdc839c0644f3a82a66478ece86cf&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=

    HTTP Response

    204
  • 132.226.247.73:80
    http://checkip.dyndns.org/
    http
    My.RawFile.exe
    344 B
    487 B
    6
    5

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 77.88.21.158:587
    smtp.yandex.com
    smtp-submission
    My.RawFile.exe
    1.9kB
    6.5kB
    23
    19
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    7.3kB
    16
    12
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    66.2kB
    1.8MB
    1347
    1337

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239357306959_1Z1X7MZEKHFIEBDFO&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239357306958_1RB533RDJGV5W5CSS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    7.3kB
    16
    12
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    7.3kB
    16
    12
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    7.3kB
    16
    12
  • 142.250.180.3:80
    http://c.pki.goog/r/r1.crl
    http
    736 B
    1.2kB
    11
    7

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    304
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    My.RawFile.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.247.73
    132.226.8.169
    158.101.44.242
    193.122.6.168
    193.122.130.0

  • 8.8.8.8:53
    smtp.yandex.com
    dns
    My.RawFile.exe
    61 B
    105 B
    1
    1

    DNS Request

    smtp.yandex.com

    DNS Response

    77.88.21.158

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    124 B
    170 B
    2
    1

    DNS Request

    tse1.mm.bing.net

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    c.pki.goog
    dns
    112 B
    107 B
    2
    1

    DNS Request

    c.pki.goog

    DNS Request

    c.pki.goog

    DNS Response

    142.250.180.3

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log

    Filesize

    20B

    MD5

    b3ac9d09e3a47d5fd00c37e075a70ecb

    SHA1

    ad14e6d0e07b00bd10d77a06d68841b20675680b

    SHA256

    7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

    SHA512

    09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

  • C:\Users\Admin\AppData\Roaming\My.RawFile.exe

    Filesize

    142KB

    MD5

    5a733ef0de5e31e2e4b4abb016c0f251

    SHA1

    28644040a6deac35c20fa931b5d003a97293363e

    SHA256

    a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7

    SHA512

    9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

  • C:\Users\Admin\AppData\Roaming\app.exe

    Filesize

    659KB

    MD5

    a1ee959e3bd328a156c263519ddf28aa

    SHA1

    2109fe59148cc488152e32deb6c2f082933c23f2

    SHA256

    32ed0ed506b56d6fe258cdfb17fee9e84621418a11d1bdd41ba3af9a4e27bf3e

    SHA512

    14d6b3a4157011207fc6d24bd1834904b9476303dbaacbe18d9cc3261b0a3884e4fb8f6a6c383f263bc04a2d679b56892c964634268bd6c243034792d7ce0888

  • memory/2372-61-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-60-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-36-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-35-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-34-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-17-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-3-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-1-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-2-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-29-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-18-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-0-0x00000000748D2000-0x00000000748D3000-memory.dmp

    Filesize

    4KB

  • memory/4040-16-0x00000000748D2000-0x00000000748D3000-memory.dmp

    Filesize

    4KB

  • memory/4040-4-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-37-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-31-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-56-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-59-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-32-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-30-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/5580-52-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB
