Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 19:19 UTC

General

  • Target

    a9c2172254f10dc583dd94a401b3fca2.exe

  • Size

    484KB

  • MD5

    a9c2172254f10dc583dd94a401b3fca2

  • SHA1

    63c31ede15a31901f8b47827e34a74aff5cedb25

  • SHA256

    327b66866a45b85df111f5d39514e2adbc986261037f6283cdd52d1814643679

  • SHA512

    392689725261e5f340ce498f63118650b5e2e79a52ee24b3214db320f876dd576f4a5fa7a001b76653c298d26b8494fa1f39770b0ed4c63548f1d224afb82140

  • SSDEEP

    12288:4oUld/f2I9JECdYW4/e4Pii15XZSAmKjlafbdDNUQ:i92ILECd0R15XZS3QafpDNUQ

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
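The "UPX packed file" signature above is a static check on the file. The following Python is an added example, not code from the report or from Triage, showing the two signals such a check typically combines: the UPX0/UPX1/UPX2 section names the stock packer writes and, for renamed ("modified UPX") builds, a first section that is empty on disk but large in memory next to a high-entropy section. It runs on a minimal PE image it constructs itself, not on the 484KB sample above; the section layouts, the 7.0 bits-per-byte threshold and the helper names are assumptions.

```python
import hashlib
import math
import struct

# Section names the stock UPX build writes. "Modified UPX" builds rename them,
# which is why entropy and the empty-but-large first section are checked too.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the section table of a PE image.

    Yields (name, virtual_size, raw_size, raw_bytes) per section. Only the
    fields needed here are decoded; offsets follow the PE/COFF layout.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        yield name, vsize, rsize, image[rptr:rptr + rsize]


def packer_indicators(image: bytes) -> dict:
    """Collect the packer signals a triage script would report for one file."""
    out = {"upx_sections": [], "high_entropy": [], "inflated": []}
    for name, vsize, rsize, data in pe_sections(image):
        label = name.decode("latin-1")
        if name in UPX_SECTION_NAMES:
            out["upx_sections"].append(label)
        if rsize and shannon_entropy(data) >= HIGH_ENTROPY:
            out["high_entropy"].append(label)
        # UPX0 holds nothing on disk but reserves the space the stub
        # decompresses the original image into: raw size 0, large virtual size.
        if rsize == 0 and vsize > 0:
            out["inflated"].append(label)
    out["looks_packed"] = bool(out["upx_sections"]) or (
        bool(out["high_entropy"]) and bool(out["inflated"]))
    return out


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (DOS header, PE signature, COFF header with an
    empty optional header, section table, raw data) for offline testing.
    `sections` is a list of (name, virtual_size, raw_bytes)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    data_start = e_lfanew + 4 + 20 + 40 * len(sections)
    table, blobs = b"", b""
    for name, vsize, raw in sections:
        rptr = data_start + len(blobs) if raw else 0
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, len(raw), rptr, 0, 0, 0, 0, 0xE0000040)
        blobs += raw
    return dos + b"PE\0\0" + coff + table + blobs


# Deterministic high-entropy filler standing in for a compressed image.
_NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

# Constructed layouts: a UPX-style file and an ordinary unpacked one.
PACKED_SAMPLE = [(b"UPX0", 0x20000, b""), (b"UPX1", 0x1000, _NOISE),
                 (b".rsrc", 0x400, b"\0" * 512 + b"A" * 512)]
CLEAN_SAMPLE = [(b".text", 0x400, b"\x55\x8b\xec" * 300),
                (b".data", 0x100, b"hello world\0" * 40)]


if __name__ == "__main__":
    for label, layout in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(build_sample_pe(layout)))
```

Section names alone are a weak signal either way: a renamed build loses them, and a benign installer can keep them. The entropy-plus-inflated-section pair is what survives renaming, and a real file should be confirmed by unpacking (upx -d succeeds on stock builds and fails on modified ones).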

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9c2172254f10dc583dd94a401b3fca2.exe
    "C:\Users\Admin\AppData\Local\Temp\a9c2172254f10dc583dd94a401b3fca2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Users\Admin\LB9c4j3K.exe
      C:\Users\Admin\LB9c4j3K.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Users\Admin\doeubil.exe
        "C:\Users\Admin\doeubil.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4104
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del LB9c4j3K.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4832
    • C:\Users\Admin\bshost.exe
      C:\Users\Admin\bshost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:3340
    • C:\Users\Admin\aahost.exe
      C:\Users\Admin\aahost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4068
    • C:\Users\Admin\dyhost.exe
      C:\Users\Admin\dyhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4468
    • C:\Users\Admin\ekhost.exe
      C:\Users\Admin\ekhost.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4732
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del a9c2172254f10dc583dd94a401b3fca2.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2096
  • C:\Windows\SysWOW64\tasklist.exe
    tasklist
    1⤵
    • Enumerates processes with tasklist
    • Suspicious use of AdjustPrivilegeToken
    PID:3780
  • C:\Users\Admin\aahost.exe
    "C:\Users\Admin\aahost.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:2996
  • C:\Windows\SysWOW64\tasklist.exe
    tasklist
    1⤵
    • Enumerates processes with tasklist
    • Suspicious use of AdjustPrivilegeToken
    PID:4248
  • C:\Windows\SysWOW64\tasklist.exe
    tasklist
    1⤵
    • Enumerates processes with tasklist
    • Suspicious use of AdjustPrivilegeToken
    PID:4868
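Three of the cmd.exe launches in the tree share one shape, `cmd.exe /c tasklist&&del <file>`, where the file is the image of the process that spawned the shell: tasklist stalls long enough for the parent to exit, then del removes the dropped executable, which is why the files are hard to collect afterwards. The Python below is an added example, not part of the report: it recreates the tree as process-creation records (parent PIDs are inferred from the nesting, since the report prints depth markers rather than parent IDs, and the three tasklist.exe instances listed as roots are left out) and flags the self-deleting shells and the executables run directly from the user profile root. Field names follow Sysmon Event ID 1; the record layout and the ping/timeout stall variants are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 carries these fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree above; parent PIDs follow the nesting.
EVENTS = [
    ProcEvent(3876, 0, r"C:\Users\Admin\AppData\Local\Temp\a9c2172254f10dc583dd94a401b3fca2.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\a9c2172254f10dc583dd94a401b3fca2.exe"'),
    ProcEvent(1440, 3876, r"C:\Users\Admin\LB9c4j3K.exe", r"C:\Users\Admin\LB9c4j3K.exe"),
    ProcEvent(4104, 1440, r"C:\Users\Admin\doeubil.exe", r'"C:\Users\Admin\doeubil.exe"'),
    ProcEvent(4832, 1440, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c tasklist&&del LB9c4j3K.exe'),
    ProcEvent(3472, 3876, r"C:\Users\Admin\bshost.exe", r"C:\Users\Admin\bshost.exe"),
    ProcEvent(3340, 3472, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(4068, 3876, r"C:\Users\Admin\aahost.exe", r"C:\Users\Admin\aahost.exe"),
    ProcEvent(4468, 3876, r"C:\Users\Admin\dyhost.exe", r"C:\Users\Admin\dyhost.exe"),
    ProcEvent(3172, 3876, r"C:\Users\Admin\ekhost.exe", r"C:\Users\Admin\ekhost.exe"),
    ProcEvent(4732, 3172, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe'),
    ProcEvent(2096, 3876, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c tasklist&&del a9c2172254f10dc583dd94a401b3fca2.exe'),
]

# "<stall> && del <file>": the stall (tasklist here; ping and timeout are the
# usual alternatives) gives the parent time to exit so the delete succeeds.
STALL_THEN_DEL = re.compile(
    r'/c\s+(?:tasklist|ping\b[^&]*|timeout\b[^&]*)\s*&&?\s*del\s+(?:/[fqas]\s+)*"?(?P<target>[^"&\s]+)',
    re.IGNORECASE)
# An .exe sitting directly in a user's profile root rather than under a
# program, AppData or temp directory.
USER_ROOT_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def find_self_deletion(events):
    """Flag shells that delete a file, noting whether that file is the image of
    the process that launched the shell (the self-deletion pattern above)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        m = STALL_THEN_DEL.search(e.cmdline)
        if not m:
            continue
        target = m.group("target")
        parent = by_pid.get(e.ppid)
        parent_name = parent.image.rsplit("\\", 1)[-1] if parent else ""
        findings.append({
            "pid": e.pid,
            "parent_pid": e.ppid,
            "target": target,
            "deletes_parent": parent_name.lower() == target.rsplit("\\", 1)[-1].lower(),
        })
    return findings


def find_user_root_executables(events):
    """Images executed straight out of a profile root, as the *host.exe drops were."""
    return sorted({e.image for e in events if USER_ROOT_EXE.match(e.image)})


def find_dropped_then_deleted(events):
    """Correlate the two: profile-root executables that arranged their own removal."""
    deleted = {f["target"].rsplit("\\", 1)[-1].lower() for f in find_self_deletion(events)}
    return [img for img in find_user_root_executables(events)
            if img.rsplit("\\", 1)[-1].lower() in deleted]


if __name__ == "__main__":
    for f in find_self_deletion(EVENTS):
        print(f)
    print(find_user_root_executables(EVENTS))
    print(find_dropped_then_deleted(EVENTS))
```

Matching on the basename of the target is deliberate: the del argument here is relative (`del ekhost.exe`), resolved against the shell's working directory, so a path comparison would miss it. On a real host the same logic runs over Sysmon EID 1 or Security 4688 events with command-line auditing enabled.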

    Network

    • flag-us
      DNS
      2.136.104.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.136.104.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=3DC2C0EF6C0F6DAC001DD3106D286C35; domain=.bing.com; expires=Fri, 31-Jan-2025 19:20:06 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E282830864144B928ACF8A2243CBEBC4 Ref B: LON04EDGE0722 Ref C: 2024-01-07T19:20:06Z
      date: Sun, 07 Jan 2024 19:20:05 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3DC2C0EF6C0F6DAC001DD3106D286C35
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=1TViEADRJ0D1e9b-5lmkXZtn_QlUmT3iZ0-w8wmDuGU; domain=.bing.com; expires=Fri, 31-Jan-2025 19:20:06 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 2223B12EBD1843A09F6B4D3575951B0F Ref B: LON04EDGE0722 Ref C: 2024-01-07T19:20:06Z
      date: Sun, 07 Jan 2024 19:20:05 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3DC2C0EF6C0F6DAC001DD3106D286C35; MSPTC=1TViEADRJ0D1e9b-5lmkXZtn_QlUmT3iZ0-w8wmDuGU
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: EE359A6EE3164F3BBBF4221C70144792 Ref B: LON04EDGE0722 Ref C: 2024-01-07T19:20:06Z
      date: Sun, 07 Jan 2024 19:20:05 GMT
    • flag-us
      DNS
      23.177.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.177.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      67.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.179.17.96.in-addr.arpa
      IN PTR
      Response
      67.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-67.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      205.47.74.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.47.74.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
      Response
      41.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-41.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      59.128.231.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      59.128.231.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      59.128.231.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      59.128.231.4.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      elegantweddingdecor.com
      ekhost.exe
      Remote address:
      8.8.8.8:53
      Request
      elegantweddingdecor.com
      IN A
      Response
      elegantweddingdecor.com
      IN A
      66.49.203.74
    • flag-ca
      GET
      http://elegantweddingdecor.com/gal5.swf
      ekhost.exe
      Remote address:
      66.49.203.74:80
      Request
      GET /gal5.swf HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
      Host: elegantweddingdecor.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sun, 07 Jan 2024 19:21:30 GMT
      Server: Apache/2.4.58 (cPanel) OpenSSL/1.1.1w mod_bwlimited/1.4
      X-Frame-Options: SAMEORIGIN
      Last-Modified: Sun, 05 Feb 2012 17:20:44 GMT
      ETag: "45078c4df-bf16b-4b83ac4127300"
      Accept-Ranges: bytes
      Content-Length: 782699
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: application/x-shockwave-flash
    • flag-us
      DNS
      140.71.91.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      140.71.91.104.in-addr.arpa
      IN PTR
      Response
      140.71.91.104.in-addr.arpa
      IN PTR
      a104-91-71-140.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      74.203.49.66.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      74.203.49.66.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      100.5.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      100.5.17.2.in-addr.arpa
      IN PTR
      Response
      100.5.17.2.in-addr.arpa
      IN PTR
      a2-17-5-100.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      100.5.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      100.5.17.2.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      119.110.54.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      119.110.54.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      60.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      60.179.17.96.in-addr.arpa
      IN PTR
      Response
      60.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-60.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      51.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      51.178.17.96.in-addr.arpa
      IN PTR
      Response
      51.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-51.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      63.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      63.179.17.96.in-addr.arpa
      IN PTR
      Response
      63.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-63.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      76.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      76.179.17.96.in-addr.arpa
      IN PTR
      Response
      76.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-76.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      0.204.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.204.248.87.in-addr.arpa
      IN PTR
      Response
      0.204.248.87.in-addr.arpa
      IN PTR
      https-87-248-204-0.lhr.llnw.net
    • flag-us
      DNS
      134.71.91.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.71.91.104.in-addr.arpa
      IN PTR
      Response
      134.71.91.104.in-addr.arpa
      IN PTR
      a104-91-71-134.deploy.static.akamaitechnologies.com
    • flag-gb
      HTTP
      Remote address:
      96.17.179.70:80
      Response
      HTTP/1.1 206 Partial Content
      Cache-Control: public, max-age=17280000
      Accept-Ranges: bytes
      X-AspNetMvc-Version: 5.2
      MS-CorrelationId: 109db4c0-4020-4910-9a33-b50fc482bfa5
      MS-RequestId: 15b02fe7-1fdd-411d-97bf-4acd8b288dfb
      MS-CV: JSoXw8DG40uXIcEU.1.0.2.1.1.0.0.20.1.1.6.1.1.1.0
      Content-Disposition: attachment; filename=Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x64__8wekyb3d8bbwe.Msix
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      X-Powered-By: ARR/3.0
      X-Powered-By: ASP.NET
      X-Azure-Ref-OriginShield: Ref A: 5FA6B13DFB4E4840971617AD80AFBDEF Ref B: MNZ221060607023 Ref C: 2023-03-15T18:24:31Z
      X-MSEdge-Ref: Ref A: A2AF8FDEBAA0471B8728CAB368EA24B9 Ref B: MEX30EDGE1207 Ref C: 2023-03-15T18:24:31Z
      Last-Modified: Wed, 15 Mar 2023 18:19:22 GMT
      ETag: "zz/eo+4uyTK7KXfTFIC318u927g="
      Date: Sun, 07 Jan 2024 19:21:48 GMT
      Content-Type: multipart/byteranges; boundary=6311D6B0A39E5CA4
      Connection: close
      X-CID: 2
      X-CCC: GB
    • flag-gb
      HTTP
      Remote address:
      96.17.179.70:80
      Response
      HTTP/1.1 206 Partial Content
      Cache-Control: public, max-age=17280000
      Accept-Ranges: bytes
      X-AspNetMvc-Version: 5.2
      MS-CorrelationId: 109db4c0-4020-4910-9a33-b50fc482bfa5
      MS-RequestId: 15b02fe7-1fdd-411d-97bf-4acd8b288dfb
      MS-CV: JSoXw8DG40uXIcEU.1.0.2.1.1.0.0.20.1.1.6.1.1.1.0
      Content-Disposition: attachment; filename=Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x64__8wekyb3d8bbwe.Msix
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      X-Powered-By: ARR/3.0
      X-Powered-By: ASP.NET
      X-Azure-Ref-OriginShield: Ref A: 5FA6B13DFB4E4840971617AD80AFBDEF Ref B: MNZ221060607023 Ref C: 2023-03-15T18:24:31Z
      X-MSEdge-Ref: Ref A: A2AF8FDEBAA0471B8728CAB368EA24B9 Ref B: MEX30EDGE1207 Ref C: 2023-03-15T18:24:31Z
      Last-Modified: Wed, 15 Mar 2023 18:19:22 GMT
      ETag: "zz/eo+4uyTK7KXfTFIC318u927g="
      Date: Sun, 07 Jan 2024 19:21:49 GMT
      Content-Type: multipart/byteranges; boundary=6311D6B0A39E5CA4
      Connection: close
      X-CID: 2
      X-CCC: GB
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      DNS
      0.205.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.205.248.87.in-addr.arpa
      IN PTR
      Response
      0.205.248.87.in-addr.arpa
      IN PTR
      https-87-248-205-0.lgw.llnw.net
    • flag-us
      DNS
      56.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.179.17.96.in-addr.arpa
      IN PTR
      Response
      56.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-56.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.200:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      tls, http2
      2.1kB
      10.8kB
      24
      20

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

      HTTP Response

      204
    • 66.49.203.74:80
      http://elegantweddingdecor.com/gal5.swf
      http
      ekhost.exe
      9.9kB
      265.5kB
      193
      192

      HTTP Request

      GET http://elegantweddingdecor.com/gal5.swf

      HTTP Response

      200
    • 138.91.171.81:80
      46 B
      1
    • 96.17.179.70:80
      10.0kB
      202.5kB
      145
      146
    • 96.17.179.70:80
      6.4kB
      224.9kB
      113
      161
    • 96.17.179.70:80
      634 B
      11.9kB
      11
      10
    • 96.17.179.70:80
      18.2kB
      440.2kB
      272
      316
    • 96.17.179.70:80
      5.9kB
      226.3kB
      107
      163
    • 96.17.179.70:80
      12.4kB
      448.3kB
      232
      322
    • 96.17.179.70:80
      http
      4.3kB
      243.6kB
      93
      177

      HTTP Response

      206
    • 96.17.179.70:80
      http
      8.1kB
      221.8kB
      124
      159

      HTTP Response

      206
    • 204.79.197.200:443
      tse1.mm.bing.net
      52 B
      1
    • 204.79.197.200:443
      tse1.mm.bing.net
      52 B
      1
    • 204.79.197.200:443
      tse1.mm.bing.net
      52 B
      1
    • 204.79.197.200:443
      tse1.mm.bing.net
      52 B
      1
    • 204.79.197.200:443
      tse1.mm.bing.net
      https
      12.8kB
      348.8kB
      256
      255
    • 96.17.179.70:80
      782 B
      42.0kB
      17
      32
    • 96.17.179.70:80
      4.3kB
      230.4kB
      91
      165
    • 127.0.0.1:80
      bshost.exe
    • 127.0.0.1:80
      bshost.exe
    • 127.0.0.1:80
      bshost.exe
    • 104.91.71.134:80
    • 52.111.227.14:443
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 96.17.179.70:80
    • 8.8.8.8:53
      2.136.104.51.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      2.136.104.51.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      158 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      23.177.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      23.177.190.20.in-addr.arpa

    • 8.8.8.8:53
      67.179.17.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      67.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      205.47.74.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      205.47.74.20.in-addr.arpa

    • 8.8.8.8:53
      157.123.68.40.in-addr.arpa
      dns
      216 B
      146 B
      3
      1

      DNS Request

      157.123.68.40.in-addr.arpa

      DNS Request

      157.123.68.40.in-addr.arpa

      DNS Request

      157.123.68.40.in-addr.arpa

    • 8.8.8.8:53
      41.110.16.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      41.110.16.96.in-addr.arpa

    • 8.8.8.8:53
      59.128.231.4.in-addr.arpa
      dns
      142 B
      157 B
      2
      1

      DNS Request

      59.128.231.4.in-addr.arpa

      DNS Request

      59.128.231.4.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      elegantweddingdecor.com
      dns
      ekhost.exe
      69 B
      85 B
      1
      1

      DNS Request

      elegantweddingdecor.com

      DNS Response

      66.49.203.74

    • 8.8.8.8:53
      140.71.91.104.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      140.71.91.104.in-addr.arpa

    • 8.8.8.8:53
      74.203.49.66.in-addr.arpa
      dns
      71 B
      138 B
      1
      1

      DNS Request

      74.203.49.66.in-addr.arpa

    • 8.8.8.8:53
      100.5.17.2.in-addr.arpa
      dns
      138 B
      131 B
      2
      1

      DNS Request

      100.5.17.2.in-addr.arpa

      DNS Request

      100.5.17.2.in-addr.arpa

    • 8.8.8.8:53
      119.110.54.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      119.110.54.20.in-addr.arpa

    • 8.8.8.8:53
      60.179.17.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      60.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      51.178.17.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      51.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      63.179.17.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      63.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      76.179.17.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      76.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      0.204.248.87.in-addr.arpa
      dns
      71 B
      116 B
      1
      1

      DNS Request

      0.204.248.87.in-addr.arpa

    • 8.8.8.8:53
      134.71.91.104.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      134.71.91.104.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      0.205.248.87.in-addr.arpa
      dns
      71 B
      116 B
      1
      1

      DNS Request

      0.205.248.87.in-addr.arpa

    • 8.8.8.8:53
      56.179.17.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      56.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
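Most of the traffic above is sandbox background noise (g.bing.com, tse1.mm.bing.net, the Microsoft.WindowsAppRuntime MSIX range downloads from 96.17.179.70). The one flow attributed to a dropped process is ekhost.exe fetching gal5.swf over plaintext HTTP from a cPanel host, served with a Last-Modified date from 2012 and Content-Type application/x-shockwave-flash. The report records only the headers, so whether those 782,699 bytes are Flash content or a payload behind a Flash label is the obvious next check. The Python below is an added example, not from the report: it parses the response head, compares the declared Content-Length with the body, and validates the SWF header (magic, version, declared uncompressed length, and for CWS files that the zlib stream inflates to the declared size). Both bodies are constructed; the real body was not captured, and nothing here says what it contained.

```python
import struct
import zlib

# SWF files start with one of three magics; the byte after it is the format
# version and the next four are the uncompressed length of the whole file.
SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_response(raw: str) -> dict:
    """Split an HTTP/1.x response head into its status line and a lower-cased header map."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0].strip(), "headers": headers}


def inspect_swf(body: bytes) -> dict:
    """Check that a body really is a SWF file and that its header is self-consistent."""
    if len(body) < 8:
        return {"is_swf": False, "reason": "shorter than the 8-byte SWF header"}
    magic = body[:3]
    if magic not in SWF_MAGICS:
        return {"is_swf": False, "reason": f"magic {magic!r} is not FWS/CWS/ZWS"}
    declared = struct.unpack_from("<I", body, 4)[0]
    result = {"is_swf": True, "version": body[3],
              "compression": SWF_MAGICS[magic], "declared_length": declared}
    if magic == b"FWS":
        result["length_matches"] = declared == len(body)
    elif magic == b"CWS":
        try:
            inflated = zlib.decompress(body[8:])
            result["length_matches"] = declared == len(inflated) + 8
        except zlib.error as exc:
            result["length_matches"] = False
            result["reason"] = f"zlib body does not inflate: {exc}"
    else:
        result["length_matches"] = None  # LZMA layout not validated here
    return result


def triage_download(head: str, body: bytes) -> dict:
    """Compare what the server claimed with what it actually sent."""
    parsed = parse_response(head)
    h = parsed["headers"]
    ctype = h.get("content-type", "")
    report = {
        "status": parsed["status"],
        "content_type": ctype,
        "length_matches_header": int(h.get("content-length", "0")) == len(body),
    }
    if "x-shockwave-flash" in ctype:
        swf = inspect_swf(body)
        report["swf"] = swf
        # Mislabelled or truncated content is the case worth a second look.
        report["mismatch"] = (not swf["is_swf"]) or swf.get("length_matches") is False
    return report


def build_response_head(content_length: int) -> str:
    """Constructed from the gal5.swf response headers above, with Content-Length
    set to the test body's size because the sandbox did not record the body."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.58 (cPanel) OpenSSL/1.1.1w mod_bwlimited/1.4\r\n"
        "Last-Modified: Sun, 05 Feb 2012 17:20:44 GMT\r\n"
        f"Content-Length: {content_length}\r\n"
        "Content-Type: application/x-shockwave-flash\r\n"
    )


def make_cws(payload: bytes, version: int = 10) -> bytes:
    """Build a syntactically valid zlib-compressed SWF around `payload`."""
    return b"CWS" + bytes([version]) + struct.pack("<I", len(payload) + 8) + zlib.compress(payload)


# Constructed bodies: a well-formed SWF and a PE stub behind the same label.
GENUINE_SWF = make_cws(b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\0" * 200)
FAKE_SWF = b"MZ\x90\x00" + b"\0" * 60 + b"PE\0\0" + b"\0" * 200


if __name__ == "__main__":
    for label, body in (("genuine", GENUINE_SWF), ("fake", FAKE_SWF)):
        print(label, triage_download(build_response_head(len(body)), body))
```

A valid header does not make the file safe (the SWF may itself carry the next stage), but a body that is not a SWF at all, or whose declared size disagrees with its contents, turns an ordinary-looking gallery download into the artefact to pull from the pcap first.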

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\LB9c4j3K.exe

      Filesize

      212KB

      MD5

      fa0eb2a8b561ea9afc6a51709ff0d7de

      SHA1

      4ef5265f5b5bb1a4857e7668f132405c799da155

      SHA256

      99ecfb1bb7cdb1e8dd609e60b10d5346b90284172c854b6234631212dd501c4f

      SHA512

      0e8b194cb0e65429b84ac32a0fa131d072f7f425804df192d7a90a7ec6eb7ce9991716ce5a9ca3bcd106181076832d5fa7d6f9cbe67fc80a427ef7980beb75c6

    • C:\Users\Admin\aahost.exe

      Filesize

      140KB

      MD5

      93ea44e078cb0477614729636866a84b

      SHA1

      f9752413d48fd98a77cfce8fff04a7a0d72c26d8

      SHA256

      c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27

      SHA512

      351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113

    • C:\Users\Admin\bshost.exe

      Filesize

      260KB

      MD5

      bbc0a2fe1284778896b57ffc5701aefa

      SHA1

      6b9a0106b82c63265936ce728a858d258c8f6b14

      SHA256

      92fad55bc5c7438d0f36501581b4b958efba2fbe5db02b97093a79b8a19645a0

      SHA512

      8a17a1ed99a99a270191684b0337836531934b8717e78481815fd18767a172e6d7cf89488926dd2ea1b9e9ccaf53afd29c6925beaeb2fa7fa918be0e416be930

    • C:\Users\Admin\doeubil.exe

      Filesize

      92KB

      MD5

      f73cc06fc318c10306dc37b07f626082

      SHA1

      d0d84fa9cdb8de721deda1c6393cd55caa69c2aa

      SHA256

      ad739922fe1c5eb02c260dccf9fde68a6db161c03c87edff84b6da3830fb4f52

      SHA512

      5f1a5fd75af30ca2a618176c98d59b25e0e87e37f1cd63373c825d09f1abd82c0e8fd0b3e59161fd0265e586c46a97ab5a70f554e8de52afa65131e1a820db7c

    • C:\Users\Admin\doeubil.exe

      Filesize

      212KB

      MD5

      d022f5914846aa667b05a4e7cfcb1c90

      SHA1

      fe6e7dee23c4a28e6843ed9a28f516df272e9053

      SHA256

      95ae9b488b71cbbe77e0afc48c1e8670d8a8e50f01ab962666a33ded08656749

      SHA512

      35d9e5729da45995c5e2787b83d44ed33bb23117c16d9f7066564df5c688805c321739a01d0812e27fa572dd974145560acee22856a94db723ef133872663c82

    • C:\Users\Admin\dyhost.exe

      Filesize

      48KB

      MD5

      d46eb4bf816ed9978636de7955245323

      SHA1

      c474df60a83302e0d010d11dcebd7cdb3cc22866

      SHA256

      2ae9b936feeade89c9074c379efedd21d15a1cf247207afe5381f437e41ca4bd

      SHA512

      e46a604a96345b1b6800cb22c8c870dfa62dbdd8bd5b6ff43ddce9b080d1af180db498dad23561c0116b4dadbc44617b26840e67bc0afde01439e4c70632d7ef

    • memory/2996-53-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/2996-52-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/2996-50-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/2996-47-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3472-57-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3472-60-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3472-63-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3472-62-0x0000000000A60000-0x0000000000A61000-memory.dmp

      Filesize

      4KB

    • memory/3472-61-0x0000000000A10000-0x0000000000A54000-memory.dmp

      Filesize

      272KB

    • memory/3472-59-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3472-66-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3472-58-0x0000000000800000-0x0000000000801000-memory.dmp

      Filesize

      4KB
