Resubmissions

28-12-2023 13:55

231228-q77j2seeb9 10

15-12-2023 22:14

231215-15mf7shecm 8

Analysis

  • max time kernel
    143s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-12-2023 13:55

General

  • Target

    Installer (1).msi

  • Size

    1.4MB

  • MD5

    f3805cdf687890992345aaa4577b86a4

  • SHA1

    697362f0a495bc1fc692f8bc3b12a81522404cc5

  • SHA256

    514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1

  • SHA512

    6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142

  • SSDEEP

    24576:jn0CgtRH3nOX1FIhp5DJ4suxNVTK+ucjByw+Z5cYokzJV+H4:T0LUItD0T9KjHJzJl

Score
10/10

Malware Config

Signatures

  • Detect Pikabot payload 4 IoCs

    Detect Pikabot payload.

  • PikaBot

    PikaBot is a botnet, distributed in a manner similar to Qakbot, and is written in C++.

  • Dave packer 1 IoCs

    Detects an executable packed with the packer the community has named 'Dave', based on a string at the end of the file.

  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Installer (1).msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3716
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2008
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding AA8D9AF0C7AE7EE7E5E8B39DD740A0EE
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of WriteProcessMemory
        PID:4696
        • C:\Windows\SysWOW64\SearchProtocolHost.exe
          "C:\Windows\System32\SearchProtocolHost.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3152
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3608

    Network

    • flag-us
      DNS
      146.78.124.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      146.78.124.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      20.177.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      20.177.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      crls.ssl.com
      msiexec.exe
      Remote address:
      8.8.8.8:53
      Request
      crls.ssl.com
      IN A
      Response
      crls.ssl.com
      IN A
      18.172.89.36
      crls.ssl.com
      IN A
      18.172.89.115
      crls.ssl.com
      IN A
      18.172.89.92
      crls.ssl.com
      IN A
      18.172.89.122
    • flag-us
      DNS
      crls.ssl.com
      msiexec.exe
      Remote address:
      8.8.8.8:53
      Request
      crls.ssl.com
      IN A
    • flag-us
      DNS
      3.181.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      3.181.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      3.181.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      3.181.190.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      165.184.237.34.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      165.184.237.34.in-addr.arpa
      IN PTR
      Response
      165.184.237.34.in-addr.arpa
      IN PTR
      ec2-34-237-184-165.compute-1.amazonaws.com
    • flag-us
      DNS
      165.184.237.34.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      165.184.237.34.in-addr.arpa
      IN PTR
    • flag-us
      GET
      http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl
      msiexec.exe
      Remote address:
      18.172.89.36:80
      Request
      GET /SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: crls.ssl.com
      Response
      HTTP/1.1 200 OK
      Content-Type: application/pkix-crl
      Content-Length: 46720
      Connection: keep-alive
      Last-Modified: Thu, 28 Dec 2023 07:23:43 GMT
      x-amz-server-side-encryption: AES256
      Accept-Ranges: bytes
      Server: AmazonS3
      Date: Thu, 28 Dec 2023 13:54:02 GMT
      Expires: Thu, 04 Jan 2024 07:14:17 GMT
      ETag: "c9c41ef92b3985f2602706c78160945c"
      X-Cache: Hit from cloudfront
      Via: 1.1 4c91cb6d4a85f3aca5c056a81231821a.cloudfront.net (CloudFront)
      X-Amz-Cf-Pop: MAN51-P1
      Alt-Svc: h3=":443"; ma=86400
      X-Amz-Cf-Id: dRdHsn93q9s--zUJRSoid7epJycFqUD_15BFljSoM5CIup4oDy3uMQ==
      Age: 158
    • flag-us
      DNS
      36.89.172.18.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      36.89.172.18.in-addr.arpa
      IN PTR
      Response
      36.89.172.18.in-addr.arpa
      IN PTR
      server-18-172-89-36.man51.r.cloudfront.net
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
      Response
      41.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-41.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      208.194.73.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      208.194.73.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      100.5.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      100.5.17.2.in-addr.arpa
      IN PTR
      Response
      100.5.17.2.in-addr.arpa
      IN PTR
      a2-17-5-100.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      119.110.54.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      119.110.54.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      196.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.178.17.96.in-addr.arpa
      IN PTR
      Response
      196.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-196.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      211.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      211.135.221.88.in-addr.arpa
      IN PTR
      Response
      211.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-211.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      211.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      211.135.221.88.in-addr.arpa
      IN PTR
      Response
      211.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-211.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      205.47.74.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.47.74.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      205.47.74.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.47.74.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      204.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      204.178.17.96.in-addr.arpa
      IN PTR
      Response
      204.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-204.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      204.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      204.178.17.96.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301032_1O1TBR912QG5BWWX0&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301032_1O1TBR912QG5BWWX0&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 398619
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: AFBFE08AAF684D378683C8B65491C5B0 Ref B: LON04EDGE1214 Ref C: 2023-12-28T13:57:21Z
      date: Thu, 28 Dec 2023 13:57:20 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317300913_16JYUQS6WV9VSSWLA&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317300913_16JYUQS6WV9VSSWLA&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 187063
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1F2B82996B4E42168FA9992128F7DDB1 Ref B: LON04EDGE1214 Ref C: 2023-12-28T13:57:21Z
      date: Thu, 28 Dec 2023 13:57:20 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301686_1KALYYHQJEHUB35MQ&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301686_1KALYYHQJEHUB35MQ&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 479673
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0B1C4BAC39A2495CB4ABEC7211066F6A Ref B: LON04EDGE1214 Ref C: 2023-12-28T13:57:21Z
      date: Thu, 28 Dec 2023 13:57:20 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301346_1HKPKYW01FIAQGRUY&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301346_1HKPKYW01FIAQGRUY&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 185856
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 494A6A27871D4E7E853546A346B76C9D Ref B: LON04EDGE1214 Ref C: 2023-12-28T13:57:21Z
      date: Thu, 28 Dec 2023 13:57:20 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301277_1JYIIJ2WQ4YZYJI0A&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301277_1JYIIJ2WQ4YZYJI0A&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 457679
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0C53F0CB5CB4461BA64B08B82BA531FA Ref B: LON04EDGE1214 Ref C: 2023-12-28T13:57:21Z
      date: Thu, 28 Dec 2023 13:57:20 GMT
    • flag-us
      DNS
      55.36.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      55.36.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      55.36.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      55.36.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      33.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      33.134.221.88.in-addr.arpa
      IN PTR
      Response
      33.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-33.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      33.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      33.134.221.88.in-addr.arpa
      IN PTR
    • 18.172.89.36:80
      http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl
      http
      msiexec.exe
      2.1kB
      48.8kB
      36
      37

      HTTP Request

      GET http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl

      HTTP Response

      200
    • 172.232.162.198:13721
      SearchProtocolHost.exe
      260 B
      160 B
      5
      4
    • 88.221.135.211:80
    • 88.221.135.211:80
    • 88.221.135.211:80
    • 52.111.227.14:443
      tls
      997 B
      13.9kB
      10
      15
    • 88.221.135.211:80
    • 20.231.121.79:80
      104 B
      2
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.3kB
      16
      14
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301277_1JYIIJ2WQ4YZYJI0A&pid=21.2&w=1920&h=1080&c=4
      tls, http2
      71.6kB
      1.9MB
      1417
      1407

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301032_1O1TBR912QG5BWWX0&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317300913_16JYUQS6WV9VSSWLA&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301686_1KALYYHQJEHUB35MQ&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301346_1HKPKYW01FIAQGRUY&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301277_1JYIIJ2WQ4YZYJI0A&pid=21.2&w=1920&h=1080&c=4

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      2.1kB
      8.2kB
      19
      13
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.5kB
      8.2kB
      17
      13
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      2.1kB
      9.6kB
      20
      14
    • 8.8.8.8:53
      146.78.124.51.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      146.78.124.51.in-addr.arpa

    • 8.8.8.8:53
      20.177.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      20.177.190.20.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      crls.ssl.com
      dns
      msiexec.exe
      116 B
      122 B
      2
      1

      DNS Request

      crls.ssl.com

      DNS Request

      crls.ssl.com

      DNS Response

      18.172.89.36
      18.172.89.115
      18.172.89.92
      18.172.89.122

    • 8.8.8.8:53
      3.181.190.20.in-addr.arpa
      dns
      142 B
      157 B
      2
      1

      DNS Request

      3.181.190.20.in-addr.arpa

      DNS Request

      3.181.190.20.in-addr.arpa

    • 8.8.8.8:53
      165.184.237.34.in-addr.arpa
      dns
      146 B
      129 B
      2
      1

      DNS Request

      165.184.237.34.in-addr.arpa

      DNS Request

      165.184.237.34.in-addr.arpa

    • 8.8.8.8:53
      36.89.172.18.in-addr.arpa
      dns
      71 B
      127 B
      1
      1

      DNS Request

      36.89.172.18.in-addr.arpa

    • 8.8.8.8:53
      41.110.16.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      41.110.16.96.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      208.194.73.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      208.194.73.20.in-addr.arpa

    • 8.8.8.8:53
      100.5.17.2.in-addr.arpa
      dns
      69 B
      131 B
      1
      1

      DNS Request

      100.5.17.2.in-addr.arpa

    • 8.8.8.8:53
      119.110.54.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      119.110.54.20.in-addr.arpa

    • 8.8.8.8:53
      196.178.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      196.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      211.135.221.88.in-addr.arpa
      dns
      146 B
      278 B
      2
      2

      DNS Request

      211.135.221.88.in-addr.arpa

      DNS Request

      211.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      205.47.74.20.in-addr.arpa
      dns
      142 B
      314 B
      2
      2

      DNS Request

      205.47.74.20.in-addr.arpa

      DNS Request

      205.47.74.20.in-addr.arpa

    • 8.8.8.8:53
    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      14.227.111.52.in-addr.arpa

      DNS Request

      14.227.111.52.in-addr.arpa

    • 8.8.8.8:53
    • 8.8.8.8:53
      204.178.17.96.in-addr.arpa
      dns
      144 B
      137 B
      2
      1

      DNS Request

      204.178.17.96.in-addr.arpa

      DNS Request

      204.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      124 B
      346 B
      2
      2

      DNS Request

      tse1.mm.bing.net

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      55.36.223.20.in-addr.arpa
      dns
      142 B
      314 B
      2
      2

      DNS Request

      55.36.223.20.in-addr.arpa

      DNS Request

      55.36.223.20.in-addr.arpa

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      146 B
      212 B
      2
      2

      DNS Request

      200.197.79.204.in-addr.arpa

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      33.134.221.88.in-addr.arpa
      dns
      144 B
      137 B
      2
      1

      DNS Request

      33.134.221.88.in-addr.arpa

      DNS Request

      33.134.221.88.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e57a828.rbs

      Filesize

      8KB

      MD5

      58d3f3fddc96f7fbe8c906a207c16e3f

      SHA1

      fdf4d2162d2c5b96e63fc282f267789ce0a0e455

      SHA256

      c5370295ed5f94933ff0a250688f56cf68daa819562bbdbf4c8556c71d345bc5

      SHA512

      5eef66e641c5276a24daa81cccc28c0850f8f7343ac99e479bbc62fb410c2835a4088f2f735323b974c538a9a589727d0f4d0009617c0e9548f6d4c5c02f3eb7

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

      Filesize

      45KB

      MD5

      c9c41ef92b3985f2602706c78160945c

      SHA1

      75e94e9f9aee0ab17b96a612c0da6fef788eeb99

      SHA256

      a177cd84c26e52a824b925dcff802f9c57fb7b7aa12877d1eef572210367f64f

      SHA512

      302a05eb03d6a718ab7b58e1807ddc8efa102440e3db7d76396244b53f1ead4d934dd1e8ed999d0d65c760479276820a0694b8a35c56808f3ed0c860432eaa76

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

      Filesize

      727B

      MD5

      7a3b8457313a521e0d44f91765a4e041

      SHA1

      4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

      SHA256

      2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

      SHA512

      7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

      Filesize

      314B

      MD5

      77cfcc97dbfb1a7c5c04fac72189521c

      SHA1

      c037b6e63b3dab3fec940a6872ad59dc8f420581

      SHA256

      b33f8dc77988beb2deb735de244cf37c3840e9c715754b8a2503c0014b3c19e5

      SHA512

      a4ef4fc15839ef241993f167bb68479e3d465ae6a26c8285a2acaf8059813216583aa265c0b185f5cece39b2ac50cb31ae1ed9ee615a0fcd816984093441a07f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

      Filesize

      478B

      MD5

      628188d5d3ec1fb861abafe11044d5a3

      SHA1

      9205d9aee14bb3dfc01c3b3a7e5d2e1dad9e61c0

      SHA256

      1b2547e7afd3d842b3cd5d14979675b85db92b75c39c33c276145efdef2e3d90

      SHA512

      8c9f2e2feeee5e190065219c132d04da1365991ca38b82dae1cbea3e8b5d8af4a53c6022d1fc3ffe593a425d2c823c014dce20ac6ad1f3541245b4763647bec4

    • C:\Windows\Installer\MSIA922.tmp

      Filesize

      832KB

      MD5

      7e5ab6a503580519314c91cc467a1f05

      SHA1

      d869593bbdb597cc84d40bcae3a71b7d7f638d01

      SHA256

      619edc1fe110b4ea89493d1ead9d6b5bf0851fe0fb1e93dba1dfabdf68326328

      SHA512

      9c4dbab75ea2dee7e32b14372416621cb14cb865c6dc5ada97062d1a38cd48fb917c53dfd19b50aaf2342fd2effab418e69cf081fb19ab9e0628b15ad978c0fe

    • C:\Windows\Installer\MSIA922.tmp

      Filesize

      768KB

      MD5

      f087631fbf8f8b9b4bcf91ff6a78c813

      SHA1

      71966d01bebba4f501f23c840c73691d1d52abe2

      SHA256

      73bc090115ceb5ef4c2a339d96cf9ea175d4acfefca20d82d26f24cc6609ef18

      SHA512

      1f4c3244e6eedebf4560aa96860eaea9a2ad059bc1fdc62047e82ada6439f888da5cfdb2f3a6deb0284a3a3a129e5ba733886b87c0c46e39198f86b12e3db779

    • C:\Windows\Installer\e57a827.msi

      Filesize

      1.4MB

      MD5

      f3805cdf687890992345aaa4577b86a4

      SHA1

      697362f0a495bc1fc692f8bc3b12a81522404cc5

      SHA256

      514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1

      SHA512

      6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      1.3MB

      MD5

      db8eb37668277641eb11b24df2071150

      SHA1

      bde78696435d15ff753cb966865f18309d7c5360

      SHA256

      e4291b2aefaee60128b44d204735e382d43d1dc01ae6c4b9ce9f05e11e71fe96

      SHA512

      9470adbb857222716b30143f4b12471a7c2c71e08a04b2f67dfbcf3609a0db3f4f228402b883cdda76fab3bc6d99bb31710ac0ce51e103f6c167f6466e6cb2b1

    • \??\Volume{119bf5f3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dfb9a67c-fba7-408f-bf8f-565ba353218a}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      37a7e4dc75f9671638b5982da0638d36

      SHA1

      488606e5222b1fb1ddf61d1757ccf0c62384dedf

      SHA256

      8af5b892922cd87b844b375d955d7c027e580e93381c14f6f2a3aa1b85188ce9

      SHA512

      2f881487a7407fb150c349e98154b73ab6a0517242775d0a47609ad5c5cd5a29dd6dab4da695424ed16d969db50cc51b7397f88cdc0974573b85c50f9a686148

    • memory/3152-35-0x0000000000CF0000-0x0000000000D41000-memory.dmp

      Filesize

      324KB

    • memory/3152-36-0x0000000000CF0000-0x0000000000D41000-memory.dmp

      Filesize

      324KB

    • memory/3152-55-0x0000000000CF0000-0x0000000000D41000-memory.dmp

      Filesize

      324KB

    • memory/3152-56-0x0000000000CF0000-0x0000000000D41000-memory.dmp

      Filesize

      324KB

    • memory/4696-25-0x0000000010000000-0x0000000010154000-memory.dmp

      Filesize

      1.3MB

    • memory/4696-27-0x00000000032A0000-0x0000000003324000-memory.dmp

      Filesize

      528KB

    • memory/4696-26-0x0000000003330000-0x00000000033B7000-memory.dmp

      Filesize

      540KB

    • memory/4696-31-0x00000000033C0000-0x0000000003444000-memory.dmp

      Filesize

      528KB
