Analysis
  max time kernel:   143s
  max time network:  156s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         28-12-2023 13:55
  Static task:       static1
General
  Target:  Installer (1).msi
  Size:    1.4MB
  MD5:     f3805cdf687890992345aaa4577b86a4
  SHA1:    697362f0a495bc1fc692f8bc3b12a81522404cc5
  SHA256:  514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1
  SHA512:  6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142
  SSDEEP:  24576:jn0CgtRH3nOX1FIhp5DJ4suxNVTK+ucjByw+Z5cYokzJV+H4:T0LUItD0T9KjHJzJl
Malware Config

Signatures

Detect Pikabot payload  (4 IoCs)
  Detect Pikabot payload.
  resource                                                                      yara_rule
  behavioral1/memory/3152-35-0x0000000000CF0000-0x0000000000D41000-memory.dmp   family_pikabot_v2
  behavioral1/memory/3152-36-0x0000000000CF0000-0x0000000000D41000-memory.dmp   family_pikabot_v2
  behavioral1/memory/3152-55-0x0000000000CF0000-0x0000000000D41000-memory.dmp   family_pikabot_v2
  behavioral1/memory/3152-56-0x0000000000CF0000-0x0000000000D41000-memory.dmp   family_pikabot_v2

Dave packer  (1 IoC)
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  resource                                                                      yara_rule
  behavioral1/memory/4696-27-0x00000000032A0000-0x0000000003324000-memory.dmp   dave

Loads dropped DLL  (1 IoC)
  pid    Process
  4696   MsiExec.exe

Blocklisted process makes network request  (3 IoCs)
  flow   pid    Process
  7      3716   msiexec.exe
  27     3716   msiexec.exe
  33     3716   msiexec.exe

Enumerates connected drives  (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description               ioc      Process
  File opened (read-only)   \??\T:   msiexec.exe
  File opened (read-only)   \??\U:   msiexec.exe
  File opened (read-only)   \??\A:   msiexec.exe
  File opened (read-only)   \??\T:   msiexec.exe
  File opened (read-only)   \??\V:   msiexec.exe
  File opened (read-only)   \??\Y:   msiexec.exe
  File opened (read-only)   \??\A:   msiexec.exe
  File opened (read-only)   \??\O:   msiexec.exe
  File opened (read-only)   \??\X:   msiexec.exe
  File opened (read-only)   \??\K:   msiexec.exe
  File opened (read-only)   \??\U:   msiexec.exe
  File opened (read-only)   \??\W:   msiexec.exe
  File opened (read-only)   \??\X:   msiexec.exe
  File opened (read-only)   \??\J:   msiexec.exe
  File opened (read-only)   \??\S:   msiexec.exe
  File opened (read-only)   \??\Q:   msiexec.exe
  File opened (read-only)   \??\V:   msiexec.exe
  File opened (read-only)   \??\B:   msiexec.exe
  File opened (read-only)   \??\L:   msiexec.exe
  File opened (read-only)   \??\K:   msiexec.exe
  File opened (read-only)   \??\N:   msiexec.exe
  File opened (read-only)   \??\W:   msiexec.exe
  File opened (read-only)   \??\J:   msiexec.exe
  File opened (read-only)   \??\S:   msiexec.exe
  File opened (read-only)   \??\B:   msiexec.exe
  File opened (read-only)   \??\M:   msiexec.exe
  File opened (read-only)   \??\G:   msiexec.exe
  File opened (read-only)   \??\H:   msiexec.exe
  File opened (read-only)   \??\H:   msiexec.exe
  File opened (read-only)   \??\Y:   msiexec.exe
  File opened (read-only)   \??\E:   msiexec.exe
  File opened (read-only)   \??\I:   msiexec.exe
  File opened (read-only)   \??\E:   msiexec.exe
  File opened (read-only)   \??\O:   msiexec.exe
  File opened (read-only)   \??\Z:   msiexec.exe
  File opened (read-only)   \??\I:   msiexec.exe
  File opened (read-only)   \??\P:   msiexec.exe
  File opened (read-only)   \??\R:   msiexec.exe
  File opened (read-only)   \??\Z:   msiexec.exe
  File opened (read-only)   \??\M:   msiexec.exe
  File opened (read-only)   \??\N:   msiexec.exe
  File opened (read-only)   \??\P:   msiexec.exe
  File opened (read-only)   \??\Q:   msiexec.exe
  File opened (read-only)   \??\G:   msiexec.exe
  File opened (read-only)   \??\L:   msiexec.exe
  File opened (read-only)   \??\R:   msiexec.exe

Suspicious use of SetThreadContext  (1 IoC)
  description                            pid    Process       procid_target
  PID 4696 set thread context of 3152    4696   MsiExec.exe   107

Drops file in Windows directory  (9 IoCs)
  description                    ioc                                                                      Process
  File created                   C:\Windows\Installer\SourceHash{605EFFF1-5D07-4D5F-9103-B2CCA8BD82D1}    msiexec.exe
  File opened for modification   C:\Windows\Installer\MSIA901.tmp                                         msiexec.exe
  File opened for modification   C:\Windows\Installer\MSIA922.tmp                                         msiexec.exe
  File created                   C:\Windows\Installer\e57a829.msi                                         msiexec.exe
  File created                   C:\Windows\Installer\e57a827.msi                                         msiexec.exe
  File opened for modification   C:\Windows\Installer\e57a827.msi                                         msiexec.exe
  File opened for modification   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                 msiexec.exe
  File opened for modification   C:\Windows\Installer\                                                    msiexec.exe
  File created                   C:\Windows\Installer\inprogressinstallinfo.ipi                           msiexec.exe

Checks SCSI registry key(s)  (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                                      Process
  Set value (data)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   vssvc.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                                        vssvc.exe
  Key queried        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                                        vssvc.exe
  Key created        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr                                vssvc.exe
  Set value (data)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f3f59b11877f515c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f3f59b110000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f3f59b11000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df3f59b11000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f3f59b1100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   vssvc.exe

Suspicious behavior: EnumeratesProcesses  (4 IoCs)
  pid    Process
  2960   msiexec.exe
  2960   msiexec.exe
  3152   SearchProtocolHost.exe
  3152   SearchProtocolHost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  (1 IoC)
  pid    Process
  4696   MsiExec.exe

Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  description                             pid    Process
  Token: SeShutdownPrivilege              3716   msiexec.exe
  Token: SeIncreaseQuotaPrivilege         3716   msiexec.exe
  Token: SeSecurityPrivilege              2960   msiexec.exe
  Token: SeCreateTokenPrivilege           3716   msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege    3716   msiexec.exe
  Token: SeLockMemoryPrivilege            3716   msiexec.exe
  Token: SeIncreaseQuotaPrivilege         3716   msiexec.exe
  Token: SeMachineAccountPrivilege        3716   msiexec.exe
  Token: SeTcbPrivilege                   3716   msiexec.exe
  Token: SeSecurityPrivilege              3716   msiexec.exe
  Token: SeTakeOwnershipPrivilege         3716   msiexec.exe
  Token: SeLoadDriverPrivilege            3716   msiexec.exe
  Token: SeSystemProfilePrivilege         3716   msiexec.exe
  Token: SeSystemtimePrivilege            3716   msiexec.exe
  Token: SeProfSingleProcessPrivilege     3716   msiexec.exe
  Token: SeIncBasePriorityPrivilege       3716   msiexec.exe
  Token: SeCreatePagefilePrivilege        3716   msiexec.exe
  Token: SeCreatePermanentPrivilege       3716   msiexec.exe
  Token: SeBackupPrivilege                3716   msiexec.exe
  Token: SeRestorePrivilege               3716   msiexec.exe
  Token: SeShutdownPrivilege              3716   msiexec.exe
  Token: SeDebugPrivilege                 3716   msiexec.exe
  Token: SeAuditPrivilege                 3716   msiexec.exe
  Token: SeSystemEnvironmentPrivilege     3716   msiexec.exe
  Token: SeChangeNotifyPrivilege          3716   msiexec.exe
  Token: SeRemoteShutdownPrivilege        3716   msiexec.exe
  Token: SeUndockPrivilege                3716   msiexec.exe
  Token: SeSyncAgentPrivilege             3716   msiexec.exe
  Token: SeEnableDelegationPrivilege      3716   msiexec.exe
  Token: SeManageVolumePrivilege          3716   msiexec.exe
  Token: SeImpersonatePrivilege           3716   msiexec.exe
  Token: SeCreateGlobalPrivilege          3716   msiexec.exe
  Token: SeBackupPrivilege                3608   vssvc.exe
  Token: SeRestorePrivilege               3608   vssvc.exe
  Token: SeAuditPrivilege                 3608   vssvc.exe
  Token: SeBackupPrivilege                2960   msiexec.exe
  Token: SeRestorePrivilege               2960   msiexec.exe
  Token: SeRestorePrivilege               2960   msiexec.exe
  Token: SeTakeOwnershipPrivilege         2960   msiexec.exe
  (the remaining 25 entries alternate Token: SeRestorePrivilege and Token: SeTakeOwnershipPrivilege for pid 2960 msiexec.exe, 13 SeRestorePrivilege and 12 SeTakeOwnershipPrivilege, ending on SeRestorePrivilege)

Suspicious use of FindShellTrayWindow  (2 IoCs)
  pid    Process
  3716   msiexec.exe
  3716   msiexec.exe

Suspicious use of WriteProcessMemory  (64 IoCs)
  description                          pid    Process       procid_target   count
  PID 2960 wrote to memory of 2008     2960   msiexec.exe   104             2
  PID 2960 wrote to memory of 4696     2960   msiexec.exe   106             3
  PID 4696 wrote to memory of 3152     4696   MsiExec.exe   107             59

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

  C:\Windows\system32\msiexec.exe  (PID 3716)
    command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Installer (1).msi"
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

  C:\Windows\system32\msiexec.exe  (PID 2960)
    command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe  (PID 2008)
      command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\syswow64\MsiExec.exe  (PID 4696)
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding AA8D9AF0C7AE7EE7E5E8B39DD740A0EE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\SearchProtocolHost.exe  (PID 3152)
        command line: "C:\Windows\System32\SearchProtocolHost.exe"
        - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\vssvc.exe  (PID 3608)
    command line: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
Network

DNS  8.8.8.8:53
  Request:  146.78.124.51.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  20.177.190.20.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  240.221.184.93.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  95.221.229.192.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  241.154.82.20.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  crls.ssl.com  IN A
  Response: crls.ssl.com  IN A  18.172.89.36
            crls.ssl.com  IN A  18.172.89.115
            crls.ssl.com  IN A  18.172.89.92
            crls.ssl.com  IN A  18.172.89.122

DNS  8.8.8.8:53
  Request:  crls.ssl.com  IN A

DNS  8.8.8.8:53
  Request:  3.181.190.20.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  3.181.190.20.in-addr.arpa  IN PTR

DNS  8.8.8.8:53
  Request:  165.184.237.34.in-addr.arpa  IN PTR
  Response: 165.184.237.34.in-addr.arpa  IN PTR  ec2-34-237-184-165.compute-1.amazonaws.com

DNS  8.8.8.8:53
  Request:  165.184.237.34.in-addr.arpa  IN PTR

HTTP  18.172.89.36:80
  Request:
    GET /SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: crls.ssl.com
  Response:
    HTTP/1.1 200 OK
    Content-Length: 46720
    Connection: keep-alive
    Last-Modified: Thu, 28 Dec 2023 07:23:43 GMT
    x-amz-server-side-encryption: AES256
    Accept-Ranges: bytes
    Server: AmazonS3
    Date: Thu, 28 Dec 2023 13:54:02 GMT
    Expires: Thu, 04 Jan 2024 07:14:17 GMT
    ETag: "c9c41ef92b3985f2602706c78160945c"
    X-Cache: Hit from cloudfront
    Via: 1.1 4c91cb6d4a85f3aca5c056a81231821a.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: MAN51-P1
    Alt-Svc: h3=":443"; ma=86400
    X-Amz-Cf-Id: dRdHsn93q9s--zUJRSoid7epJycFqUD_15BFljSoM5CIup4oDy3uMQ==
    Age: 158

DNS  8.8.8.8:53
  Request:  36.89.172.18.in-addr.arpa  IN PTR
  Response: 36.89.172.18.in-addr.arpa  IN PTR  server-18-172-89-36.man51.r.cloudfront.net

DNS  8.8.8.8:53
  Request:  41.110.16.96.in-addr.arpa  IN PTR
  Response: 41.110.16.96.in-addr.arpa  IN PTR  a96-16-110-41.deploy.static.akamaitechnologies.com

DNS  8.8.8.8:53
  Request:  183.59.114.20.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  18.31.95.13.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  208.194.73.20.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  100.5.17.2.in-addr.arpa  IN PTR
  Response: 100.5.17.2.in-addr.arpa  IN PTR  a2-17-5-100.deploy.static.akamaitechnologies.com

DNS  8.8.8.8:53
  Request:  119.110.54.20.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  196.178.17.96.in-addr.arpa  IN PTR
  Response: 196.178.17.96.in-addr.arpa  IN PTR  a96-17-178-196.deploy.static.akamaitechnologies.com

DNS  8.8.8.8:53
  Request:  211.135.221.88.in-addr.arpa  IN PTR
  Response: 211.135.221.88.in-addr.arpa  IN PTR  a88-221-135-211.deploy.static.akamaitechnologies.com

DNS  8.8.8.8:53
  Request:  211.135.221.88.in-addr.arpa  IN PTR
  Response: 211.135.221.88.in-addr.arpa  IN PTR  a88-221-135-211.deploy.static.akamaitechnologies.com

DNS  8.8.8.8:53
  Request:  205.47.74.20.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  205.47.74.20.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  14.227.111.52.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  14.227.111.52.in-addr.arpa  IN PTR

DNS  8.8.8.8:53
  Request:  204.178.17.96.in-addr.arpa  IN PTR
  Response: 204.178.17.96.in-addr.arpa  IN PTR  a96-17-178-204.deploy.static.akamaitechnologies.com

DNS  8.8.8.8:53
  Request:  204.178.17.96.in-addr.arpa  IN PTR

DNS  8.8.8.8:53
  Request:  tse1.mm.bing.net  IN A
  Response: tse1.mm.bing.net                   IN CNAME  mm-mm.bing.net.trafficmanager.net
            mm-mm.bing.net.trafficmanager.net  IN CNAME  dual-a-0001.a-msedge.net
            dual-a-0001.a-msedge.net           IN A      204.79.197.200
            dual-a-0001.a-msedge.net           IN A      13.107.21.200

DNS  8.8.8.8:53
  Request:  tse1.mm.bing.net  IN A
  Response: tse1.mm.bing.net                   IN CNAME  mm-mm.bing.net.trafficmanager.net
            mm-mm.bing.net.trafficmanager.net  IN CNAME  dual-a-0001.a-msedge.net
            dual-a-0001.a-msedge.net           IN A      204.79.197.200
            dual-a-0001.a-msedge.net           IN A      13.107.21.200

HTTPS  204.79.197.200:443
  GET https://tse1.mm.bing.net/th?id=OADD2.10239317301032_1O1TBR912QG5BWWX0&pid=21.2&w=1920&h=1080&c=4
  Request:
    GET /th?id=OADD2.10239317301032_1O1TBR912QG5BWWX0&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  Response:
    HTTP/2.0 200
    content-length: 398619
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AFBFE08AAF684D378683C8B65491C5B0 Ref B: LON04EDGE1214 Ref C: 2023-12-28T13:57:21Z
    date: Thu, 28 Dec 2023 13:57:20 GMT

HTTPS  204.79.197.200:443
  GET https://tse1.mm.bing.net/th?id=OADD2.10239317300913_16JYUQS6WV9VSSWLA&pid=21.2&w=1920&h=1080&c=4
  Request:
    GET /th?id=OADD2.10239317300913_16JYUQS6WV9VSSWLA&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  Response:
    HTTP/2.0 200
    content-length: 187063
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1F2B82996B4E42168FA9992128F7DDB1 Ref B: LON04EDGE1214 Ref C: 2023-12-28T13:57:21Z
    date: Thu, 28 Dec 2023 13:57:20 GMT

HTTPS  204.79.197.200:443
  GET https://tse1.mm.bing.net/th?id=OADD2.10239317301686_1KALYYHQJEHUB35MQ&pid=21.2&w=1080&h=1920&c=4
  Request:
    GET /th?id=OADD2.10239317301686_1KALYYHQJEHUB35MQ&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  Response:
    HTTP/2.0 200
    content-length: 479673
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0B1C4BAC39A2495CB4ABEC7211066F6A Ref B: LON04EDGE1214 Ref C: 2023-12-28T13:57:21Z
    date: Thu, 28 Dec 2023 13:57:20 GMT

HTTPS  204.79.197.200:443
  GET https://tse1.mm.bing.net/th?id=OADD2.10239317301346_1HKPKYW01FIAQGRUY&pid=21.2&w=1080&h=1920&c=4
  Request:
    GET /th?id=OADD2.10239317301346_1HKPKYW01FIAQGRUY&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  Response:
    HTTP/2.0 200
    content-length: 185856
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 494A6A27871D4E7E853546A346B76C9D Ref B: LON04EDGE1214 Ref C: 2023-12-28T13:57:21Z
    date: Thu, 28 Dec 2023 13:57:20 GMT

HTTPS  204.79.197.200:443
  GET https://tse1.mm.bing.net/th?id=OADD2.10239317301277_1JYIIJ2WQ4YZYJI0A&pid=21.2&w=1920&h=1080&c=4
  Request:
    GET /th?id=OADD2.10239317301277_1JYIIJ2WQ4YZYJI0A&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  Response:
    HTTP/2.0 200
    content-length: 457679
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0C53F0CB5CB4461BA64B08B82BA531FA Ref B: LON04EDGE1214 Ref C: 2023-12-28T13:57:21Z
    date: Thu, 28 Dec 2023 13:57:20 GMT

DNS  8.8.8.8:53
  Request:  55.36.223.20.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  55.36.223.20.in-addr.arpa  IN PTR
  Response: (empty)

DNS  8.8.8.8:53
  Request:  200.197.79.204.in-addr.arpa  IN PTR
  Response: 200.197.79.204.in-addr.arpa  IN PTR  a-0001.a-msedge.net

DNS  8.8.8.8:53
  Request:  200.197.79.204.in-addr.arpa  IN PTR
  Response: 200.197.79.204.in-addr.arpa  IN PTR  a-0001.a-msedge.net

DNS  8.8.8.8:53
  Request:  33.134.221.88.in-addr.arpa  IN PTR
  Response: 33.134.221.88.in-addr.arpa  IN PTR  a88-221-134-33.deploy.static.akamaitechnologies.com

DNS  8.8.8.8:53
  Request:  33.134.221.88.in-addr.arpa  IN PTR
-
Traffic summary  (columns: bytes sent, bytes received, packets sent, packets received; destination shown where the report recorded one)

  2.1kB   48.8kB   36   37
    HTTP Request:   GET http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl
    HTTP Response:  200

  260 B   160 B    5    4

  997 B   13.9kB   10   15

  104 B   2

  1.2kB   8.3kB    16   14

  204.79.197.200:443  https://tse1.mm.bing.net/th?id=OADD2.10239317301277_1JYIIJ2WQ4YZYJI0A&pid=21.2&w=1920&h=1080&c=4  (tls, http)
  271.6kB   1.9MB   1417   1407
    HTTP Request:   GET https://tse1.mm.bing.net/th?id=OADD2.10239317301032_1O1TBR912QG5BWWX0&pid=21.2&w=1920&h=1080&c=4
    HTTP Request:   GET https://tse1.mm.bing.net/th?id=OADD2.10239317300913_16JYUQS6WV9VSSWLA&pid=21.2&w=1920&h=1080&c=4
    HTTP Request:   GET https://tse1.mm.bing.net/th?id=OADD2.10239317301686_1KALYYHQJEHUB35MQ&pid=21.2&w=1080&h=1920&c=4
    HTTP Request:   GET https://tse1.mm.bing.net/th?id=OADD2.10239317301346_1HKPKYW01FIAQGRUY&pid=21.2&w=1080&h=1920&c=4
    HTTP Request:   GET https://tse1.mm.bing.net/th?id=OADD2.10239317301277_1JYIIJ2WQ4YZYJI0A&pid=21.2&w=1920&h=1080&c=4
    HTTP Response:  200
    HTTP Response:  200
    HTTP Response:  200
    HTTP Response:  200
    HTTP Response:  200

  2.1kB   8.2kB    19   13

  1.5kB   8.2kB    17   13

  2.1kB   9.6kB    20   14

  72 B    158 B    1    1
    DNS Request:  146.78.124.51.in-addr.arpa

  72 B    158 B    1    1
    DNS Request:  20.177.190.20.in-addr.arpa

  73 B    144 B    1    1
    DNS Request:  240.221.184.93.in-addr.arpa

  73 B    144 B    1    1
    DNS Request:  95.221.229.192.in-addr.arpa

  72 B    158 B    1    1
    DNS Request:  241.154.82.20.in-addr.arpa

  116 B   122 B    2    1
    DNS Request:   crls.ssl.com
    DNS Request:   crls.ssl.com
    DNS Response:  18.172.89.36, 18.172.89.115, 18.172.89.92, 18.172.89.122

  142 B   157 B    2    1
    DNS Request:  3.181.190.20.in-addr.arpa
    DNS Request:  3.181.190.20.in-addr.arpa

  146 B   129 B    2    1
    DNS Request:  165.184.237.34.in-addr.arpa
    DNS Request:  165.184.237.34.in-addr.arpa

  71 B    127 B    1    1
    DNS Request:  36.89.172.18.in-addr.arpa

  71 B    135 B    1    1
    DNS Request:  41.110.16.96.in-addr.arpa

  72 B    158 B    1    1
    DNS Request:  183.59.114.20.in-addr.arpa

  70 B    144 B    1    1
    DNS Request:  18.31.95.13.in-addr.arpa

  72 B    158 B    1    1
    DNS Request:  208.194.73.20.in-addr.arpa

  69 B    131 B    1    1
    DNS Request:  100.5.17.2.in-addr.arpa

  72 B    158 B    1    1
    DNS Request:  119.110.54.20.in-addr.arpa

  72 B    137 B    1    1
    DNS Request:  196.178.17.96.in-addr.arpa

  146 B   278 B    2    2
    DNS Request:  211.135.221.88.in-addr.arpa
    DNS Request:  211.135.221.88.in-addr.arpa

  142 B   314 B    2    2
    DNS Request:  205.47.74.20.in-addr.arpa
    DNS Request:  205.47.74.20.in-addr.arpa

  144 B   158 B    2    1
    DNS Request:  14.227.111.52.in-addr.arpa
    DNS Request:  14.227.111.52.in-addr.arpa

  144 B   137 B    2    1
    DNS Request:  204.178.17.96.in-addr.arpa
    DNS Request:  204.178.17.96.in-addr.arpa

  124 B   346 B    2    2
    DNS Request:   tse1.mm.bing.net
    DNS Request:   tse1.mm.bing.net
    DNS Response:  204.79.197.200, 13.107.21.200
    DNS Response:  204.79.197.200, 13.107.21.200

  142 B   314 B    2    2
    DNS Request:  55.36.223.20.in-addr.arpa
    DNS Request:  55.36.223.20.in-addr.arpa

  146 B   212 B    2    2
    DNS Request:  200.197.79.204.in-addr.arpa
    DNS Request:  200.197.79.204.in-addr.arpa

  144 B   137 B    2    1
    DNS Request:  33.134.221.88.in-addr.arpa
    DNS Request:  33.134.221.88.in-addr.arpa

MITRE ATT&CK Enterprise v15
Downloads

  Filesize:  8KB
  MD5:       58d3f3fddc96f7fbe8c906a207c16e3f
  SHA1:      fdf4d2162d2c5b96e63fc282f267789ce0a0e455
  SHA256:    c5370295ed5f94933ff0a250688f56cf68daa819562bbdbf4c8556c71d345bc5
  SHA512:    5eef66e641c5276a24daa81cccc28c0850f8f7343ac99e479bbc62fb410c2835a4088f2f735323b974c538a9a589727d0f4d0009617c0e9548f6d4c5c02f3eb7

  Filesize:  45KB
  MD5:       c9c41ef92b3985f2602706c78160945c
  SHA1:      75e94e9f9aee0ab17b96a612c0da6fef788eeb99
  SHA256:    a177cd84c26e52a824b925dcff802f9c57fb7b7aa12877d1eef572210367f64f
  SHA512:    302a05eb03d6a718ab7b58e1807ddc8efa102440e3db7d76396244b53f1ead4d934dd1e8ed999d0d65c760479276820a0694b8a35c56808f3ed0c860432eaa76

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
  Filesize:  727B
  MD5:       7a3b8457313a521e0d44f91765a4e041
  SHA1:      4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267
  SHA256:    2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c
  SHA512:    7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
  Filesize:  314B
  MD5:       77cfcc97dbfb1a7c5c04fac72189521c
  SHA1:      c037b6e63b3dab3fec940a6872ad59dc8f420581
  SHA256:    b33f8dc77988beb2deb735de244cf37c3840e9c715754b8a2503c0014b3c19e5
  SHA512:    a4ef4fc15839ef241993f167bb68479e3d465ae6a26c8285a2acaf8059813216583aa265c0b185f5cece39b2ac50cb31ae1ed9ee615a0fcd816984093441a07f

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
  Filesize:  478B
  MD5:       628188d5d3ec1fb861abafe11044d5a3
  SHA1:      9205d9aee14bb3dfc01c3b3a7e5d2e1dad9e61c0
  SHA256:    1b2547e7afd3d842b3cd5d14979675b85db92b75c39c33c276145efdef2e3d90
  SHA512:    8c9f2e2feeee5e190065219c132d04da1365991ca38b82dae1cbea3e8b5d8af4a53c6022d1fc3ffe593a425d2c823c014dce20ac6ad1f3541245b4763647bec4

  Filesize:  832KB
  MD5:       7e5ab6a503580519314c91cc467a1f05
  SHA1:      d869593bbdb597cc84d40bcae3a71b7d7f638d01
  SHA256:    619edc1fe110b4ea89493d1ead9d6b5bf0851fe0fb1e93dba1dfabdf68326328
  SHA512:    9c4dbab75ea2dee7e32b14372416621cb14cb865c6dc5ada97062d1a38cd48fb917c53dfd19b50aaf2342fd2effab418e69cf081fb19ab9e0628b15ad978c0fe

  Filesize:  768KB
  MD5:       f087631fbf8f8b9b4bcf91ff6a78c813
  SHA1:      71966d01bebba4f501f23c840c73691d1d52abe2
  SHA256:    73bc090115ceb5ef4c2a339d96cf9ea175d4acfefca20d82d26f24cc6609ef18
  SHA512:    1f4c3244e6eedebf4560aa96860eaea9a2ad059bc1fdc62047e82ada6439f888da5cfdb2f3a6deb0284a3a3a129e5ba733886b87c0c46e39198f86b12e3db779

  Filesize:  1.4MB
  MD5:       f3805cdf687890992345aaa4577b86a4
  SHA1:      697362f0a495bc1fc692f8bc3b12a81522404cc5
  SHA256:    514a0ef6240663664b3a3e06dabdb297841a7e37eaeac65bafbce1efd456a7e1
  SHA512:    6ad1f3ccbbb47e6599548946bca269b4313ffac918516e8ba4bd00dfb078c0dd166d7fac1289eaeb6697e75c8fc20ecd48632914c15dbe10c642fd98f40f6142

  Filesize:  1.3MB
  MD5:       db8eb37668277641eb11b24df2071150
  SHA1:      bde78696435d15ff753cb966865f18309d7c5360
  SHA256:    e4291b2aefaee60128b44d204735e382d43d1dc01ae6c4b9ce9f05e11e71fe96
  SHA512:    9470adbb857222716b30143f4b12471a7c2c71e08a04b2f67dfbcf3609a0db3f4f228402b883cdda76fab3bc6d99bb31710ac0ce51e103f6c167f6466e6cb2b1

  \??\Volume{119bf5f3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dfb9a67c-fba7-408f-bf8f-565ba353218a}_OnDiskSnapshotProp
  Filesize:  6KB
  MD5:       37a7e4dc75f9671638b5982da0638d36
  SHA1:      488606e5222b1fb1ddf61d1757ccf0c62384dedf
  SHA256:    8af5b892922cd87b844b375d955d7c027e580e93381c14f6f2a3aa1b85188ce9
  SHA512:    2f881487a7407fb150c349e98154b73ab6a0517242775d0a47609ad5c5cd5a29dd6dab4da695424ed16d969db50cc51b7397f88cdc0974573b85c50f9a686148