agenttesla | dc540b38a352f20ac0e3a7540328638eec6f08466068c3f1c7d0f815841758fb | Triage

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2023, 16:40 UTC

Sharing

Report Analysis Logs

General

Target

STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe
Size

974KB
MD5

b624b22306191a4001991e6a98a7633c
SHA1

f519bef2574df8f8a8d0fc5d19f029c72d9a1182
SHA256

a2d18105194e15ef86987c3eba487d3c98e4ffcc9f5df8fff8c2c71559729641
SHA512

114151d9dcb4c24168602beb97671dd9e733ab4e49771132ffff18f41d598246b096b751e266347267593539843b0a1967a34547298c1190c2a9626ab1a23edd
SSDEEP

24576:uxK/cSUHegxG2VBxlYC6l27o0lp+h/tynfCr:uxsm+gQclYCrka+h/tNr

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail5.planetc.net
Port:
587
Username:
it.support@planetc.net
Password:
623434@esit
Email To:
info@ledcenter.by

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
112	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 728 set thread context of 972	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
856	972	WerFault.exe	106

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
3448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe
728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe
728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe
720	powershell.exe
720	powershell.exe
232	powershell.exe
232	powershell.exe
728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe
972	RegSvcs.exe
972	RegSvcs.exe
972	RegSvcs.exe
232	powershell.exe
720	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	972	RegSvcs.exe
Token: SeManageVolumePrivilege	716	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 720	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	100
PID 728 wrote to memory of 720	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	100
PID 728 wrote to memory of 720	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	100
PID 728 wrote to memory of 232	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	102
PID 728 wrote to memory of 232	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	102
PID 728 wrote to memory of 232	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	102
PID 728 wrote to memory of 3448	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	104
PID 728 wrote to memory of 3448	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	104
PID 728 wrote to memory of 3448	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	104
PID 728 wrote to memory of 972	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	106
PID 728 wrote to memory of 972	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	106
PID 728 wrote to memory of 972	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	106
PID 728 wrote to memory of 972	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	106
PID 728 wrote to memory of 972	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	106
PID 728 wrote to memory of 972	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	106
PID 728 wrote to memory of 972	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	106
PID 728 wrote to memory of 972	728	STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe	106

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.pdf____________________________________________________________________________.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZUcrmhnom.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZUcrmhnom" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F9D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 2012
    3⤵
    - Program crash
    PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 972 -ip 972
1⤵
PID:640

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:716

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

18.53.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.53.126.40.in-addr.arpa

IN PTR

Response
DNS

202.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.121.18.2.in-addr.arpa

IN PTR

Response

202.121.18.2.in-addr.arpa

IN PTR

a2-18-121-202deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcd39e3ada284a26bb0a0fe3b90481a2&localId=w:FE68D3E1-F78C-9B9A-FBDB-54085842FDF9&deviceId=6825826361900786&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcd39e3ada284a26bb0a0fe3b90481a2&localId=w:FE68D3E1-F78C-9B9A-FBDB-54085842FDF9&deviceId=6825826361900786&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2905F09EB9F3609E0B54E37FB8136131; domain=.bing.com; expires=Wed, 01-Jan-2025 16:40:13 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B466471219404D0AB6BC8631FBB55AEB Ref B: LON04EDGE1113 Ref C: 2023-12-08T16:40:12Z
date: Fri, 08 Dec 2023 16:40:13 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=bcd39e3ada284a26bb0a0fe3b90481a2&localId=w:FE68D3E1-F78C-9B9A-FBDB-54085842FDF9&deviceId=6825826361900786&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=bcd39e3ada284a26bb0a0fe3b90481a2&localId=w:FE68D3E1-F78C-9B9A-FBDB-54085842FDF9&deviceId=6825826361900786&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2905F09EB9F3609E0B54E37FB8136131

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8883FCE9BB2247BCB83799756C9F92F9 Ref B: LON04EDGE1113 Ref C: 2023-12-08T16:40:13Z
date: Fri, 08 Dec 2023 16:40:13 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcd39e3ada284a26bb0a0fe3b90481a2&localId=w:FE68D3E1-F78C-9B9A-FBDB-54085842FDF9&deviceId=6825826361900786&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcd39e3ada284a26bb0a0fe3b90481a2&localId=w:FE68D3E1-F78C-9B9A-FBDB-54085842FDF9&deviceId=6825826361900786&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2905F09EB9F3609E0B54E37FB8136131

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 26DB5D5AD30149BFB4BD147502977FD3 Ref B: LON04EDGE1113 Ref C: 2023-12-08T16:40:13Z
date: Fri, 08 Dec 2023 16:40:13 GMT
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301629_1OQFQHDVLTEIOH8CU&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301629_1OQFQHDVLTEIOH8CU&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 130982
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5484509473144BF7956D3358BECFD3D4 Ref B: LON04EDGE1014 Ref C: 2023-12-08T16:40:13Z
date: Fri, 08 Dec 2023 16:40:13 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 553003
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CF63159F4ADA481997592B5BE31778A2 Ref B: LON04EDGE1014 Ref C: 2023-12-08T16:40:13Z
date: Fri, 08 Dec 2023 16:40:13 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301220_18O58FXYXLPJZL3DY&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301220_18O58FXYXLPJZL3DY&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 455787
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7A007A8FFEA747C193A67458BC4FD08A Ref B: LON04EDGE1014 Ref C: 2023-12-08T16:40:13Z
date: Fri, 08 Dec 2023 16:40:13 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 142516
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F5A2F46D48E048C493E454576F61EC38 Ref B: LON04EDGE1014 Ref C: 2023-12-08T16:40:13Z
date: Fri, 08 Dec 2023 16:40:13 GMT
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR

Response

104.241.123.92.in-addr.arpa

IN PTR

a92-123-241-104deploystaticakamaitechnologiescom
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

211.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.178.17.96.in-addr.arpa

IN PTR

Response

211.178.17.96.in-addr.arpa

IN PTR

a96-17-178-211deploystaticakamaitechnologiescom
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

156.227.185.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

156.227.185.64.in-addr.arpa

IN PTR
DNS

Remote address:

8.8.8.8:53

Response

fe3cr.delivery.mp.microsoft.com

IN CNAME

fe3.delivery.mp.microsoft.com

fe3.delivery.mp.microsoft.com

IN CNAME

glb.cws.prod.dcat.dsp.trafficmanager.net

glb.cws.prod.dcat.dsp.trafficmanager.net

IN A

20.3.187.198
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

189.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

189.178.17.96.in-addr.arpa

IN PTR

Response

189.178.17.96.in-addr.arpa

IN PTR

a96-17-178-189deploystaticakamaitechnologiescom
DNS

189.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

189.178.17.96.in-addr.arpa

IN PTR
DNS

190.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

190.178.17.96.in-addr.arpa

IN PTR

Response

190.178.17.96.in-addr.arpa

IN PTR

a96-17-178-190deploystaticakamaitechnologiescom
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response

204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcd39e3ada284a26bb0a0fe3b90481a2&localId=w:FE68D3E1-F78C-9B9A-FBDB-54085842FDF9&deviceId=6825826361900786&anid=

tls, http2

1.9kB
9.3kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcd39e3ada284a26bb0a0fe3b90481a2&localId=w:FE68D3E1-F78C-9B9A-FBDB-54085842FDF9&deviceId=6825826361900786&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=bcd39e3ada284a26bb0a0fe3b90481a2&localId=w:FE68D3E1-F78C-9B9A-FBDB-54085842FDF9&deviceId=6825826361900786&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcd39e3ada284a26bb0a0fe3b90481a2&localId=w:FE68D3E1-F78C-9B9A-FBDB-54085842FDF9&deviceId=6825826361900786&anid=

HTTP Response

204
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4

tls, http2

48.9kB
1.3MB
973
970

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301629_1OQFQHDVLTEIOH8CU&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301220_18O58FXYXLPJZL3DY&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
64.185.227.156:443

api.ipify.org

tls

RegSvcs.exe

531 B
366 B
4
2
96.17.178.211:80
96.17.178.211:80
96.17.178.211:80
96.17.178.211:80
96.17.178.211:80

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

18.53.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

18.53.126.40.in-addr.arpa
8.8.8.8:53

202.121.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

202.121.18.2.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

104.241.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

104.241.123.92.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

211.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

211.178.17.96.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

156.227.185.64.in-addr.arpa

dns

73 B
1

DNS Request

156.227.185.64.in-addr.arpa
8.8.8.8:53

dns

165 B
1

DNS Response

20.3.187.198
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

189.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

189.178.17.96.in-addr.arpa

DNS Request

189.178.17.96.in-addr.arpa
8.8.8.8:53

190.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

190.178.17.96.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_akciehzy.ym5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F9D.tmp

Filesize
1KB

MD5
3a763eb131dac41307636c84be8d1c93

SHA1
9cc429495c2df927fb040c84fbe700c326597c0a

SHA256
99a1ce57719bbaa45a3cfcb4d41d9b7d085482895d8b307ed2f06973687c9d71

SHA512
a6e4a93103edcd3240e2a751a0e61724e7c9a25f5ee5152d9d837ae3c1c64a4ac0da51729621a86c9f89339cfafc7ee441402187fd55a842b33b90efa1574dd2

Download Submit
memory/232-84-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/232-70-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/232-57-0x0000000071950000-0x000000007199C000-memory.dmp

Filesize
304KB

Download
memory/232-69-0x0000000006C60000-0x0000000006C7E000-memory.dmp

Filesize
120KB

Download
memory/232-58-0x000000007F5C0000-0x000000007F5D0000-memory.dmp

Filesize
64KB

Download
memory/232-54-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

Filesize
304KB

Download
memory/232-20-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/232-26-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/232-24-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/232-95-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/716-114-0x000001F6D8940000-0x000001F6D8950000-memory.dmp

Filesize
64KB

Download
memory/716-98-0x000001F6D8840000-0x000001F6D8850000-memory.dmp

Filesize
64KB

Download
memory/716-166-0x000001F6E0D60000-0x000001F6E0D61000-memory.dmp

Filesize
4KB

Download
memory/716-165-0x000001F6E0C50000-0x000001F6E0C51000-memory.dmp

Filesize
4KB

Download
memory/716-164-0x000001F6E0C50000-0x000001F6E0C51000-memory.dmp

Filesize
4KB

Download
memory/716-162-0x000001F6E0C40000-0x000001F6E0C41000-memory.dmp

Filesize
4KB

Download
memory/716-150-0x000001F6E0A40000-0x000001F6E0A41000-memory.dmp

Filesize
4KB

Download
memory/716-147-0x000001F6E0B00000-0x000001F6E0B01000-memory.dmp

Filesize
4KB

Download
memory/716-144-0x000001F6E0B10000-0x000001F6E0B11000-memory.dmp

Filesize
4KB

Download
memory/716-142-0x000001F6E0B00000-0x000001F6E0B01000-memory.dmp

Filesize
4KB

Download
memory/716-141-0x000001F6E0B10000-0x000001F6E0B11000-memory.dmp

Filesize
4KB

Download
memory/716-140-0x000001F6E0EF0000-0x000001F6E0EF1000-memory.dmp

Filesize
4KB

Download
memory/716-139-0x000001F6E0EF0000-0x000001F6E0EF1000-memory.dmp

Filesize
4KB

Download
memory/716-138-0x000001F6E0EF0000-0x000001F6E0EF1000-memory.dmp

Filesize
4KB

Download
memory/716-137-0x000001F6E0EF0000-0x000001F6E0EF1000-memory.dmp

Filesize
4KB

Download
memory/716-136-0x000001F6E0EF0000-0x000001F6E0EF1000-memory.dmp

Filesize
4KB

Download
memory/716-135-0x000001F6E0EF0000-0x000001F6E0EF1000-memory.dmp

Filesize
4KB

Download
memory/716-134-0x000001F6E0EF0000-0x000001F6E0EF1000-memory.dmp

Filesize
4KB

Download
memory/716-133-0x000001F6E0EF0000-0x000001F6E0EF1000-memory.dmp

Filesize
4KB

Download
memory/716-132-0x000001F6E0EF0000-0x000001F6E0EF1000-memory.dmp

Filesize
4KB

Download
memory/716-131-0x000001F6E0EF0000-0x000001F6E0EF1000-memory.dmp

Filesize
4KB

Download
memory/716-130-0x000001F6E0EC0000-0x000001F6E0EC1000-memory.dmp

Filesize
4KB

Download
memory/720-87-0x0000000007C90000-0x0000000007CA1000-memory.dmp

Filesize
68KB

Download
memory/720-47-0x00000000062D0000-0x0000000006624000-memory.dmp

Filesize
3.3MB

Download
memory/720-19-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/720-82-0x0000000007750000-0x00000000077F3000-memory.dmp

Filesize
652KB

Download
memory/720-81-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/720-80-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/720-59-0x0000000071950000-0x000000007199C000-memory.dmp

Filesize
304KB

Download
memory/720-83-0x00000000080D0000-0x000000000874A000-memory.dmp

Filesize
6.5MB

Download
memory/720-21-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/720-56-0x00000000076E0000-0x0000000007712000-memory.dmp

Filesize
200KB

Download
memory/720-85-0x0000000007B00000-0x0000000007B0A000-memory.dmp

Filesize
40KB

Download
memory/720-18-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/720-86-0x0000000007D10000-0x0000000007DA6000-memory.dmp

Filesize
600KB

Download
memory/720-88-0x0000000007CC0000-0x0000000007CCE000-memory.dmp

Filesize
56KB

Download
memory/720-90-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

Filesize
104KB

Download
memory/720-89-0x0000000007CD0000-0x0000000007CE4000-memory.dmp

Filesize
80KB

Download
memory/720-91-0x0000000007DB0000-0x0000000007DB8000-memory.dmp

Filesize
32KB

Download
memory/720-17-0x0000000005820000-0x0000000005E48000-memory.dmp

Filesize
6.2MB

Download
memory/720-96-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/720-15-0x00000000051B0000-0x00000000051E6000-memory.dmp

Filesize
216KB

Download
memory/720-27-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/720-28-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/720-25-0x0000000005790000-0x00000000057B2000-memory.dmp

Filesize
136KB

Download
memory/720-53-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/720-55-0x000000007F850000-0x000000007F860000-memory.dmp

Filesize
64KB

Download
memory/728-9-0x0000000008470000-0x00000000084EA000-memory.dmp

Filesize
488KB

Download
memory/728-2-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/728-4-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/728-16-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/728-51-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/728-22-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/728-5-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/728-0-0x0000000000C70000-0x0000000000D68000-memory.dmp

Filesize
992KB

Download
memory/728-7-0x0000000005C90000-0x0000000005C98000-memory.dmp

Filesize
32KB

Download
memory/728-10-0x00000000097B0000-0x000000000984C000-memory.dmp

Filesize
624KB

Download
memory/728-6-0x0000000005A10000-0x0000000005A2A000-memory.dmp

Filesize
104KB

Download
memory/728-3-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/728-1-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/728-8-0x0000000006B60000-0x0000000006B6A000-memory.dmp

Filesize
40KB

Download
memory/972-97-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/972-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-50-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/972-52-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download