Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    178s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2024, 06:41 UTC

General

  • Target

    4d9cfcc2918f88b3117c4a0f26993871.exe

  • Size

    115KB

  • MD5

    4d9cfcc2918f88b3117c4a0f26993871

  • SHA1

    62ad2cc7eee020573c9a03091c3ecace579d9b5f

  • SHA256

    5cd7eabb41b5074ed5643baedac594859105f232eb8af3603b67c04372354410

  • SHA512

    dcc4eb04e43c5792941bf5bd44d780c38694c1f73cbe80c52527f08d8e66a515e10eb02ef4ad30ad029f094b9fc7fddf40ec21a5a65de35aa23648039fe1eed7

  • SSDEEP

    3072:SKcWmjRrz3ZKcWmjRrz3Cd7t3jP2QECPw9b:hGyGCHcCPk

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d9cfcc2918f88b3117c4a0f26993871.exe
    "C:\Users\Admin\AppData\Local\Temp\4d9cfcc2918f88b3117c4a0f26993871.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\7T1hMOC0D60zb38.exe
      C:\Users\Admin\AppData\Local\Temp\7T1hMOC0D60zb38.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 816
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:3144
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4556

Network

  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.177.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.177.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7905e99a7775433981d3b1bb5ecf8419&localId=w:63729BF2-40B5-0542-60A9-A222D854C0D2&deviceId=6896190262937755&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7905e99a7775433981d3b1bb5ecf8419&localId=w:63729BF2-40B5-0542-60A9-A222D854C0D2&deviceId=6896190262937755&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=24721524BE8662BD14850125BF3D6396; domain=.bing.com; expires=Sun, 02-Feb-2025 08:11:56 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 128C7082239B46FA8252625CB416D902 Ref B: LON04EDGE0920 Ref C: 2024-01-09T08:11:56Z
    date: Tue, 09 Jan 2024 08:11:55 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7905e99a7775433981d3b1bb5ecf8419&localId=w:63729BF2-40B5-0542-60A9-A222D854C0D2&deviceId=6896190262937755&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7905e99a7775433981d3b1bb5ecf8419&localId=w:63729BF2-40B5-0542-60A9-A222D854C0D2&deviceId=6896190262937755&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=24721524BE8662BD14850125BF3D6396
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=5Hl1CfBW1r5NDP29tYKO7MJG6LTWw5An0d53MbM1nQY; domain=.bing.com; expires=Sun, 02-Feb-2025 08:11:56 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B4CCA5FBE1584A2680FF5DD52A6DA1F5 Ref B: LON04EDGE0920 Ref C: 2024-01-09T08:11:56Z
    date: Tue, 09 Jan 2024 08:11:56 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7905e99a7775433981d3b1bb5ecf8419&localId=w:63729BF2-40B5-0542-60A9-A222D854C0D2&deviceId=6896190262937755&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7905e99a7775433981d3b1bb5ecf8419&localId=w:63729BF2-40B5-0542-60A9-A222D854C0D2&deviceId=6896190262937755&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=24721524BE8662BD14850125BF3D6396; MSPTC=5Hl1CfBW1r5NDP29tYKO7MJG6LTWw5An0d53MbM1nQY
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AAC2F598B654483296042FA8033AF222 Ref B: LON04EDGE0920 Ref C: 2024-01-09T08:11:56Z
    date: Tue, 09 Jan 2024 08:11:56 GMT
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18deploystaticakamaitechnologiescom
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41deploystaticakamaitechnologiescom
  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.241.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.241.123.92.in-addr.arpa
    IN PTR
    Response
    104.241.123.92.in-addr.arpa
    IN PTR
    a92-123-241-104deploystaticakamaitechnologiescom
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301613_1EA2C0C0DT61W8IZ8&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301613_1EA2C0C0DT61W8IZ8&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 303976
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2D9B813A4B134A7BAB373BE10B2EEF6F Ref B: LON04EDGE0921 Ref C: 2024-01-09T08:12:37Z
    date: Tue, 09 Jan 2024 08:12:36 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317300998_1VQZSKOQ4GB7QD9KL&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317300998_1VQZSKOQ4GB7QD9KL&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 459590
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4FDCA6989B27497CBDE61EE0D1915D1C Ref B: LON04EDGE0921 Ref C: 2024-01-09T08:12:37Z
    date: Tue, 09 Jan 2024 08:12:36 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301094_1ZX0523MAABCARXR5&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301094_1ZX0523MAABCARXR5&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 311015
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 863E1E13B0CA44C0BB95137BA8398EA7 Ref B: LON04EDGE0921 Ref C: 2024-01-09T08:12:37Z
    date: Tue, 09 Jan 2024 08:12:36 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301431_1VDBP7BM4DABZY935&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301431_1VDBP7BM4DABZY935&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 248383
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BF792DA2EEC94F30A2EFE7C89803A565 Ref B: LON04EDGE0921 Ref C: 2024-01-09T08:12:37Z
    date: Tue, 09 Jan 2024 08:12:36 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301204_13RTRWWMWPI5PA61W&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301204_13RTRWWMWPI5PA61W&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 392590
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D11918F5FDC04F2BB685B0DC82163E90 Ref B: LON04EDGE0921 Ref C: 2024-01-09T08:12:37Z
    date: Tue, 09 Jan 2024 08:12:36 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301527_1R0WB31C7EYYSTJK4&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301527_1R0WB31C7EYYSTJK4&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  • flag-us
    DNS
    119.110.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    119.110.54.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217deploystaticakamaitechnologiescom
  • flag-us
    DNS
    174.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    174.178.17.96.in-addr.arpa
    IN PTR
    Response
    174.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-174deploystaticakamaitechnologiescom
  • flag-us
    DNS
    42.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    42.134.221.88.in-addr.arpa
    IN PTR
    Response
    42.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-42deploystaticakamaitechnologiescom
  • flag-us
    DNS
    42.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    42.134.221.88.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    211.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    211.178.17.96.in-addr.arpa
    IN PTR
    Response
    211.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-211deploystaticakamaitechnologiescom
  • flag-us
    DNS
    139.136.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    139.136.73.23.in-addr.arpa
    IN PTR
    Response
    139.136.73.23.in-addr.arpa
    IN PTR
    a23-73-136-139deploystaticakamaitechnologiescom
  • flag-us
    DNS
    35.197.79.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    35.197.79.40.in-addr.arpa
    IN PTR
    Response
  • 20.231.121.79:80
    46 B
    1
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7905e99a7775433981d3b1bb5ecf8419&localId=w:63729BF2-40B5-0542-60A9-A222D854C0D2&deviceId=6896190262937755&anid=
    tls, http2
    2.3kB
    10.1kB
    24
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7905e99a7775433981d3b1bb5ecf8419&localId=w:63729BF2-40B5-0542-60A9-A222D854C0D2&deviceId=6896190262937755&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7905e99a7775433981d3b1bb5ecf8419&localId=w:63729BF2-40B5-0542-60A9-A222D854C0D2&deviceId=6896190262937755&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7905e99a7775433981d3b1bb5ecf8419&localId=w:63729BF2-40B5-0542-60A9-A222D854C0D2&deviceId=6896190262937755&anid=

    HTTP Response

    204
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    15
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301527_1R0WB31C7EYYSTJK4&pid=21.2&w=1080&h=1920&c=4
    tls, http2
    41.8kB
    1.2MB
    860
    855

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301613_1EA2C0C0DT61W8IZ8&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317300998_1VQZSKOQ4GB7QD9KL&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301094_1ZX0523MAABCARXR5&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301431_1VDBP7BM4DABZY935&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301204_13RTRWWMWPI5PA61W&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301527_1R0WB31C7EYYSTJK4&pid=21.2&w=1080&h=1920&c=4
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    15
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    83.177.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    83.177.190.20.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    158 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    104.241.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    104.241.123.92.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    119.110.54.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    119.110.54.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    174.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    174.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    42.134.221.88.in-addr.arpa
    dns
    144 B
    137 B
    2
    1

    DNS Request

    42.134.221.88.in-addr.arpa

    DNS Request

    42.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    211.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    211.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    139.136.73.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    139.136.73.23.in-addr.arpa

  • 8.8.8.8:53
    35.197.79.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    35.197.79.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    382KB

    MD5

    8292610621bd75ca684e7a001b4d129a

    SHA1

    175682e8f39409991880ffff1498eed47bc77ebd

    SHA256

    879f3ed326262db8a766a388aa174c7482a9267aebe7225cf9bb257eb22cdab0

    SHA512

    fbd82de1d4b323b1600eac9acf67a9b1f5259610d0af2535c99ceea189f5cf36872bda2e4eb6268f0ea246552fa2826dca3788b9aa3c4e0e622e6a5c43751bee

  • C:\Users\Admin\AppData\Local\Temp\7T1hMOC0D60zb38.exe

    Filesize

    56KB

    MD5

    e115521ba14b75f53dcdff087ec6898f

    SHA1

    87103a892bb514a93d485fba221bacb9da3aae25

    SHA256

    59b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29

    SHA512

    ab3d097bcf11bf7327a28124052b210f5fb13b9bfb9b7376cae1ba5c30182a330506935288a7fe06b7e3fdd82b57f5c31638f1c301738342819c772b346fa35a

  • C:\Windows\CTS.exe

    Filesize

    59KB

    MD5

    5efd390d5f95c8191f5ac33c4db4b143

    SHA1

    42d81b118815361daa3007f1a40f1576e9a9e0bc

    SHA256

    6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74

    SHA512

    720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

  • memory/2000-0-0x0000000000630000-0x0000000000647000-memory.dmp

    Filesize

    92KB

  • memory/2000-9-0x0000000000630000-0x0000000000647000-memory.dmp

    Filesize

    92KB

  • memory/2720-27-0x00007FFA88850000-0x00007FFA891F1000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-28-0x00007FFA88850000-0x00007FFA891F1000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-29-0x0000000000A90000-0x0000000000AA0000-memory.dmp

    Filesize

    64KB

  • memory/2720-39-0x00007FFA88850000-0x00007FFA891F1000-memory.dmp

    Filesize

    9.6MB

  • memory/4556-8-0x0000000000830000-0x0000000000847000-memory.dmp

    Filesize

    92KB

  • memory/4556-41-0x0000000000830000-0x0000000000847000-memory.dmp

    Filesize

    92KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.