3f8f3a8fd4ee2f1a9c8874a9f3e90d9d5a05169f3fd7da9dc5311685d68d9f74 | Triage

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:27 UTC

Sharing

Report Analysis Logs

General

Target

29fa128fdb68c4dd258f88f907dc865a.exe
Size

64KB
MD5

29fa128fdb68c4dd258f88f907dc865a
SHA1

c1e130c2b973aba2a187ccd8e473829a0eddad8b
SHA256

3f8f3a8fd4ee2f1a9c8874a9f3e90d9d5a05169f3fd7da9dc5311685d68d9f74
SHA512

063045f6dc6bf5a4cf3099aa20215d44bb4d3895de73c0b07a56ce00423024422d4302615b33536c7d36cf61093622c622d6715e4dab60f03b1d0594c284df9c
SSDEEP

1536:HxTDTC+THDx7XNIXAKAGMYf7NoPFSlj2:RTDTXTjxz2XAUf7N

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winlogon.exe

Windows security bypass 2 TTPs 5 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winlogon.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	29fa128fdb68c4dd258f88f907dc865a.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	winlogon.exe

Deletes itself 1 IoCs

pid	Process
3216	winlogon.exe

Executes dropped EXE 1 IoCs

pid	Process
3216	winlogon.exe

Windows security modification 2 TTPs 5 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winlogon.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\winlogon.exe	29fa128fdb68c4dd258f88f907dc865a.exe
File created	C:\Windows\system\winlogon.exe	29fa128fdb68c4dd258f88f907dc865a.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\29fa128fdb68c4dd258f88f907dc865a.exe
"C:\Users\Admin\AppData\Local\Temp\29fa128fdb68c4dd258f88f907dc865a.exe"
1⤵
- Looks for VMWare Tools registry key
- Drops file in Windows directory
PID:996

C:\Windows\system\winlogon.exe
"C:\Windows\system\winlogon.exe"
1⤵
- Modifies security service
- Windows security bypass
- Looks for VMWare Tools registry key
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Modifies data under HKEY_USERS
PID:3216

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=90a1d32b512c4b1f9afcb0ed0a7c493e&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=90a1d32b512c4b1f9afcb0ed0a7c493e&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2E7C59D05D476D1621154A2A5CFC6C2A; domain=.bing.com; expires=Sun, 26-Jan-2025 08:02:02 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FE1D8E4210E54F3AAADD844DA5C8E9C9 Ref B: LON04EDGE0911 Ref C: 2024-01-02T08:02:02Z
date: Tue, 02 Jan 2024 08:02:02 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=90a1d32b512c4b1f9afcb0ed0a7c493e&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=90a1d32b512c4b1f9afcb0ed0a7c493e&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2E7C59D05D476D1621154A2A5CFC6C2A

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=-9wX6x6egit4q2-pf02a1tbpn9pVG5NEettqBw5VZ_g; domain=.bing.com; expires=Sun, 26-Jan-2025 08:02:03 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EFD481F7B6584574AC19EA6620D85AF7 Ref B: LON04EDGE0911 Ref C: 2024-01-02T08:02:03Z
date: Tue, 02 Jan 2024 08:02:02 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=90a1d32b512c4b1f9afcb0ed0a7c493e&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=90a1d32b512c4b1f9afcb0ed0a7c493e&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2E7C59D05D476D1621154A2A5CFC6C2A; MSPTC=-9wX6x6egit4q2-pf02a1tbpn9pVG5NEettqBw5VZ_g

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C42A43AA3B8F433B8BA08AE908303FDC Ref B: LON04EDGE0911 Ref C: 2024-01-02T08:02:03Z
date: Tue, 02 Jan 2024 08:02:02 GMT
DNS

20.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.177.190.20.in-addr.arpa

IN PTR

Response
DNS

20.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.177.190.20.in-addr.arpa

IN PTR
DNS

20.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.177.190.20.in-addr.arpa

IN PTR
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

google.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

172.217.169.78
GET

http://google.com/

winlogon.exe

Remote address:

172.217.169.78:80

Request

GET / HTTP/1.1
Host: google.com
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-QvCQ-H5AREjT1D8P9SxVXg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Tue, 02 Jan 2024 08:02:04 GMT
Expires: Thu, 01 Feb 2024 08:02:04 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
DNS

www.google.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.200.4
GET

http://www.google.com/

winlogon.exe

Remote address:

142.250.200.4:80

Request

GET / HTTP/1.1
Cache-Control: no-cache
Host: www.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 02 Jan 2024 08:02:05 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-OQ0AGz14FS9T9VgtRD1ouQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=Ackid1Rc9hzPHbbwor9mVdbDsI_-2LX3_ToUlLa1cp96ch4LFJCW6iN-UeU; expires=Sun, 30-Jun-2024 08:02:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
DNS

vsa.ipv1.info

winlogon.exe

Remote address:

8.8.8.8:53

Request

vsa.ipv1.info

IN A

Response

vsa.ipv1.info

IN CNAME

pixie.porkbun.com

pixie.porkbun.com

IN A

44.227.76.166

pixie.porkbun.com

IN A

44.227.65.245
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

78.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.169.217.172.in-addr.arpa

IN PTR

Response

78.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f141e100net
DNS

4.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.200.250.142.in-addr.arpa

IN PTR

Response

4.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f41e100net
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR
DNS

vsa.ipv1.info

winlogon.exe

Remote address:

8.8.8.8:53

Request

vsa.ipv1.info

IN A

Response

vsa.ipv1.info

IN CNAME

pixie.porkbun.com

pixie.porkbun.com

IN A

44.227.65.245

pixie.porkbun.com

IN A

44.227.76.166
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR

Response

104.241.123.92.in-addr.arpa

IN PTR

a92-123-241-104deploystaticakamaitechnologiescom
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

178.223.142.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.223.142.52.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR
DNS

174.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.178.17.96.in-addr.arpa

IN PTR

Response

174.178.17.96.in-addr.arpa

IN PTR

a96-17-178-174deploystaticakamaitechnologiescom
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

32.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.134.221.88.in-addr.arpa

IN PTR

Response

32.134.221.88.in-addr.arpa

IN PTR

a88-221-134-32deploystaticakamaitechnologiescom
DNS

vsa.ipv1.info

winlogon.exe

Remote address:

8.8.8.8:53

Request

vsa.ipv1.info

IN A

Response

vsa.ipv1.info

IN CNAME

pixie.porkbun.com

pixie.porkbun.com

IN A

44.227.65.245

pixie.porkbun.com

IN A

44.227.76.166
DNS

vsa.ipv1.info

winlogon.exe

Remote address:

8.8.8.8:53

Request

vsa.ipv1.info

IN A
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR
DNS

25.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.73.42.20.in-addr.arpa

IN PTR
DNS

25.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.73.42.20.in-addr.arpa

IN PTR
DNS

vsa.ipv1.info

winlogon.exe

Remote address:

8.8.8.8:53

Request

vsa.ipv1.info

IN A

Response

vsa.ipv1.info

IN CNAME

pixie.porkbun.com

pixie.porkbun.com

IN A

44.227.76.166

pixie.porkbun.com

IN A

44.227.65.245
DNS

vsa.ipv1.info

winlogon.exe

Remote address:

8.8.8.8:53

Request

vsa.ipv1.info

IN A

52.142.223.178:80

208 B
4
204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=90a1d32b512c4b1f9afcb0ed0a7c493e&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

tls, http2

2.5kB
10.0kB
26
22

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=90a1d32b512c4b1f9afcb0ed0a7c493e&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=90a1d32b512c4b1f9afcb0ed0a7c493e&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=90a1d32b512c4b1f9afcb0ed0a7c493e&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

HTTP Response

204
172.217.169.78:80

http://google.com/

http

winlogon.exe

297 B
905 B
5
3

HTTP Request

GET http://google.com/

HTTP Response

301
142.250.200.4:80

http://www.google.com/

http

winlogon.exe

825 B
15.5kB
16
13

HTTP Request

GET http://www.google.com/

HTTP Response

200
44.227.76.166:19555

vsa.ipv1.info

winlogon.exe

260 B
5
44.227.65.245:19555

vsa.ipv1.info

winlogon.exe

260 B
5
44.227.65.245:19555

vsa.ipv1.info

winlogon.exe

208 B
4
96.17.178.174:80
96.17.178.174:80
96.17.178.174:80
96.17.178.174:80
96.17.178.174:80
52.111.229.43:443

tls

995 B
13.9kB
10
15
44.227.65.245:19555

vsa.ipv1.info

winlogon.exe

52 B
1
96.17.178.174:80
96.17.178.174:80
96.17.178.174:80
88.221.135.217:80
88.221.135.217:80
96.16.110.114:80
20.223.36.55:443
20.223.36.55:443
20.223.36.55:443
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.16.110.114:80
204.79.197.200:443
204.79.197.200:443
204.79.197.200:443
204.79.197.200:443
204.79.197.200:443

g.bing.com

17.6kB
512.9kB
372
371
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
44.227.76.166:19555

winlogon.exe
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
52.165.164.15:443
88.221.134.18:80
88.221.134.18:80
20.42.73.25:443

tls

198 B
1
44.227.76.166:19555

vsa.ipv1.info

winlogon.exe

52 B
1

8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

20.177.190.20.in-addr.arpa

dns

216 B
158 B
3
1

DNS Request

20.177.190.20.in-addr.arpa

DNS Request

20.177.190.20.in-addr.arpa

DNS Request

20.177.190.20.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

216 B
137 B
3
1

DNS Request

173.178.17.96.in-addr.arpa

DNS Request

173.178.17.96.in-addr.arpa

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

219 B
144 B
3
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

google.com

dns

winlogon.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

172.217.169.78
8.8.8.8:53

www.google.com

dns

winlogon.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.200.4
8.8.8.8:53

vsa.ipv1.info

dns

winlogon.exe

59 B
122 B
1
1

DNS Request

vsa.ipv1.info

DNS Response

44.227.76.166

44.227.65.245
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

78.169.217.172.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

78.169.217.172.in-addr.arpa
8.8.8.8:53

4.200.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

4.200.250.142.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

208.194.73.20.in-addr.arpa

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

vsa.ipv1.info

dns

winlogon.exe

59 B
122 B
1
1

DNS Request

vsa.ipv1.info

DNS Response

44.227.65.245

44.227.76.166
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

288 B
137 B
4
1

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

104.241.123.92.in-addr.arpa

dns

292 B
139 B
4
1

DNS Request

104.241.123.92.in-addr.arpa

DNS Request

104.241.123.92.in-addr.arpa

DNS Request

104.241.123.92.in-addr.arpa

DNS Request

104.241.123.92.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

213 B
157 B
3
1

DNS Request

2.136.104.51.in-addr.arpa

DNS Request

2.136.104.51.in-addr.arpa

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

178.223.142.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

178.223.142.52.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

146 B
139 B
2
1

DNS Request

217.135.221.88.in-addr.arpa

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

174.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

174.178.17.96.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

32.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

32.134.221.88.in-addr.arpa
8.8.8.8:53

vsa.ipv1.info

dns

winlogon.exe

118 B
122 B
2
1

DNS Request

vsa.ipv1.info

DNS Request

vsa.ipv1.info

DNS Response

44.227.65.245

44.227.76.166
8.8.8.8:53
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

25.73.42.20.in-addr.arpa

dns

140 B
2

DNS Request

25.73.42.20.in-addr.arpa

DNS Request

25.73.42.20.in-addr.arpa
8.8.8.8:53

vsa.ipv1.info

dns

winlogon.exe

118 B
122 B
2
1

DNS Request

vsa.ipv1.info

DNS Request

vsa.ipv1.info

DNS Response

44.227.76.166

44.227.65.245

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-0-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/996-6-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-5-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-7-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-10-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-14-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-16-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download
memory/3216-19-0x0000000000400000-0x0000000000977EB1-memory.dmp

Filesize
5.5MB

Download