Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/03/2024, 01:59 UTC

General

  • Target

    f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe

  • Size

    900KB

  • MD5

    41cdecbfc109b4aa4d24d01928711bcc

  • SHA1

    b66575de665f14bb4d526c59072ae8741d16c695

  • SHA256

    f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020

  • SHA512

    e1d20053d60ca2530a95506f9fb8e11c0ab81761784ec3919cee5c1f75a50271b1eb0fb775ed40e0afdb2d45184bef778c8faf2c28b733f86bf190ca61432c96

  • SSDEEP

    12288:C/31uTMGUdLPpXpZ1/9wg3NMEe1I/NcfmAdsp163LDtIng5i7n8pkPAjLk:HUdLPl1/n03Zw16bDtRw85Lk

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    shared167.accountservergroup.com
  • Port:
    587
  • Username:
    dtker@deconbrio.com
  • Password:
    Smartooo@123#

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    shared167.accountservergroup.com
  • Port:
    587
  • Username:
    dtker@deconbrio.com
  • Password:
    Smartooo@123#
  • Email To:
    dtker@deconbrio.com

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP; this sample uses SMTP (see the extracted config and the port 587 session below).

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofencing check.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP. Here the request is http://ip-api.com/line/?fields=hosting, which returns only true or false for whether the caller's address belongs to a hosting/datacenter provider; the 6-byte plain-text reply is consistent with "false" plus a newline. This is a sandbox/VPS check rather than a lookup of the address itself.

  • Suspicious use of SetThreadContext 1 IoCs

    Together with the WriteProcessMemory calls and the launch of a second instance of the sample's own image (PID 2308), this is the process-hollowing pattern: the child is created suspended, its memory is overwritten with the payload and its thread context is pointed at the new entry point. The 264KB region at 0x00400000 in PID 2308 (memory dumps below) is the likely unpacked payload.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is registered from a temporary XML file (tmp85F9.tmp, listed under Downloads), so its trigger and action are not visible on the command line. The task name Updates\zHGPKZuJI matches the path that was excluded from Defender a moment earlier, C:\Users\Admin\AppData\Roaming\zHGPKZuJI.exe, so the task presumably launches a copy of the sample dropped there.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe
    "C:\Users\Admin\AppData\Local\Temp\f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zHGPKZuJI.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4080
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zHGPKZuJI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85F9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3836
    • C:\Users\Admin\AppData\Local\Temp\f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe
      "C:\Users\Admin\AppData\Local\Temp\f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
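
The three children above are the whole post-infection sequence: a Defender exclusion for the future drop path (no signature fires for it; it is visible only in the PowerShell command line), task registration from an XML file in Temp, and a second instance of the sample's own image that receives the hollowed payload. The following Python is an added example, not sandbox output or code from the sample: it runs rules for those three patterns over process-creation records constructed here to mirror the tree. The record field names and the PPID of the top-level process are assumptions, not a real log schema.

```python
"""Detection rules for the process tree in this report (added example, not sandbox output):
   1. powershell.exe adding a Defender exclusion (Add-MpPreference -Exclusion*), ATT&CK T1562.001
   2. schtasks.exe registering a task from an XML file in a user-writable directory, T1053.005
   3. a process launching a second instance of its own image from a user-writable path
      (the self-spawn that, with SetThreadContext/WriteProcessMemory, signals hollowing), T1055.012
The event records below are constructed to mirror the tree; field names and the
PPID of the top-level process are assumptions, not a real log schema."""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe")
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executed image (SysWOW64 for the 32-bit children)
    cmdline: str   # command line as logged (shows System32 because of file-system redirection)


EVENTS = [  # constructed from the report's process tree; PPID 1000 is assumed
    ProcEvent(64, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4080, 64, POWERSHELL,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zHGPKZuJI.exe"'),
    ProcEvent(3836, 64, SCHTASKS,
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zHGPKZuJI" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp85F9.tmp"'),
    ProcEvent(2308, 64, SAMPLE, f'"{SAMPLE}"'),
]

# Directories a standard user can write to; payloads and task XML living there are suspect.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\Downloads)\\", re.I)
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
SCHTASKS_XML = re.compile(r'/Create\b.*?/XML\s+"?([^"\s]+)', re.I)


def detect(events):
    """Return (rule, pid) for every process-creation event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        img = e.image.lower()
        if img.endswith("\\powershell.exe") and MP_EXCLUSION.search(e.cmdline):
            hits.append(("defender_exclusion_added", e.pid))
        if img.endswith("\\schtasks.exe"):
            m = SCHTASKS_XML.search(e.cmdline)
            # the XML path is the only thing the command line reveals; a user-writable
            # location is the tell, since the trigger and action are inside the file
            if m and USER_WRITABLE.search(m.group(1)):
                hits.append(("schtasks_xml_from_user_dir", e.pid))
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == img and USER_WRITABLE.search(e.image):
            hits.append(("parent_relaunches_own_image", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: PID {pid}")
```

The self-spawn rule alone produces noise from legitimate updaters and browsers; in practice it is worth alerting on only when paired with the API-level signals the sandbox reports (SetThreadContext and WriteProcessMemory from the parent), or when the image sits in Temp as it does here.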

Network

Only the ip-api.com request, the SMTP session to shared167.accountservergroup.com and the DNS lookups for those two hosts are attributed to the sample (the process name appears under those entries). The g.bing.com and tse1.mm.bing.net requests carry no process attribution and use WindowsShellClient / Edge user-agents; they are background traffic from the Windows image, not sample C2. The in-addr.arpa PTR lookups are reverse resolutions of addresses seen during the session and none is attributed to the sample.

  • DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
    Response
    194.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-194.deploy.static.akamaitechnologies.com
  • DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9b38ec15aba41a094fea48f31b58d50&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9b38ec15aba41a094fea48f31b58d50&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1AE58E763D5C62A618FD9A363CBC6352; domain=.bing.com; expires=Sun, 06-Apr-2025 01:59:43 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D3E8E109F9ED47899CB957D287B5121E Ref B: LON04EDGE1111 Ref C: 2024-03-12T01:59:43Z
    date: Tue, 12 Mar 2024 01:59:43 GMT
  • GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9b38ec15aba41a094fea48f31b58d50&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9b38ec15aba41a094fea48f31b58d50&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1AE58E763D5C62A618FD9A363CBC6352
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=gi5Uod6zlCXMBUG-oa4r4LKhfgW_KoMhXTdTB8idK6A; domain=.bing.com; expires=Sun, 06-Apr-2025 01:59:44 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: CC10697CE59645C9B734ADD8DA261EC0 Ref B: LON04EDGE1111 Ref C: 2024-03-12T01:59:44Z
    date: Tue, 12 Mar 2024 01:59:43 GMT
  • GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9b38ec15aba41a094fea48f31b58d50&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9b38ec15aba41a094fea48f31b58d50&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1AE58E763D5C62A618FD9A363CBC6352; MSPTC=gi5Uod6zlCXMBUG-oa4r4LKhfgW_KoMhXTdTB8idK6A
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 24B51E58EDA644D7BBC51EC0B5C0C146 Ref B: LON04EDGE1111 Ref C: 2024-03-12T01:59:44Z
    date: Tue, 12 Mar 2024 01:59:43 GMT
  • DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41.deploy.static.akamaitechnologies.com
  • DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
  • DNS
    58.99.105.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.99.105.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    183.142.211.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.142.211.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    ip-api.com
    f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • GET
    http://ip-api.com/line/?fields=hosting
    f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 12 Mar 2024 02:00:05 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • DNS
    104.241.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.241.123.92.in-addr.arpa
    IN PTR
    Response
    104.241.123.92.in-addr.arpa
    IN PTR
    a92-123-241-104.deploy.static.akamaitechnologies.com
  • DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-api.com
  • DNS
    119.110.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    119.110.54.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    shared167.accountservergroup.com
    f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe
    Remote address:
    8.8.8.8:53
    Request
    shared167.accountservergroup.com
    IN A
    Response
    shared167.accountservergroup.com
    IN A
    143.95.156.49
  • DNS
    49.156.95.143.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    49.156.95.143.in-addr.arpa
    IN PTR
    Response
    49.156.95.143.in-addr.arpa
    IN PTR
    ip-143-95-156-49iplocal
  • DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18.deploy.static.akamaitechnologies.com
  • DNS
    176.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    176.178.17.96.in-addr.arpa
    IN PTR
    Response
    176.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-176.deploy.static.akamaitechnologies.com
  • DNS
    211.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    211.135.221.88.in-addr.arpa
    IN PTR
    Response
    211.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-211.deploy.static.akamaitechnologies.com
  • DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418576_1P0LP58U9FRUO4PCP&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340418576_1P0LP58U9FRUO4PCP&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 295842
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 19AC8DB09D634065B22B4945591E99FA Ref B: LON04EDGE1115 Ref C: 2024-03-12T02:01:19Z
    date: Tue, 12 Mar 2024 02:01:18 GMT
  • GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 182865
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 98EF0FACF8914BF29EDDBF37A04B74A9 Ref B: LON04EDGE1115 Ref C: 2024-03-12T02:01:19Z
    date: Tue, 12 Mar 2024 02:01:18 GMT
  • GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301601_1XLI7BR2VR1H1YJXB&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301601_1XLI7BR2VR1H1YJXB&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 276068
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 56111C1B139C4CEEA70BE5D574DCDD7A Ref B: LON04EDGE1115 Ref C: 2024-03-12T02:01:19Z
    date: Tue, 12 Mar 2024 02:01:18 GMT
  • GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301192_1O6NEWTZHCNXAKIDN&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301192_1O6NEWTZHCNXAKIDN&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 169683
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5F8E0D8D73DC450D92C2F0D5D8F47909 Ref B: LON04EDGE1115 Ref C: 2024-03-12T02:01:19Z
    date: Tue, 12 Mar 2024 02:01:18 GMT
  • DNS
    88.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.65.42.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    88.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.65.42.20.in-addr.arpa
    IN PTR
    Response
Connection summary (per connection: remote address, name or URL, protocol, originating process where the sandbox attributed one, bytes sent / received, packets out / in; the column meanings are inferred from the DNS packet sizes, e.g. a query for g.bing.com is 56 B on the wire):

  • 204.79.197.200:443  g.bing.com  tls, http2  2.6kB / 9.1kB  23 / 16
      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9b38ec15aba41a094fea48f31b58d50&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=  → 204
      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9b38ec15aba41a094fea48f31b58d50&localId=w:2A4A5216-14B0-E8AC-6F68-A550B400FC9F&deviceId=6825825927701325&anid=  → 204
      GET (same URL as the first request)  → 204
  • 208.95.112.1:80  http://ip-api.com/line/?fields=hosting  http  f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe  316 B / 307 B  5 / 3
      GET http://ip-api.com/line/?fields=hosting  → 200
  • 143.95.156.49:587  shared167.accountservergroup.com  smtp-submission  f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe  4.3kB / 7.4kB  27 / 24
  • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  1.2kB / 8.1kB  16 / 14  (three identical sessions)
  • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  36.3kB / 964.6kB  712 / 710
      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418576_1P0LP58U9FRUO4PCP&pid=21.2&w=1080&h=1920&c=4  → 200
      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&w=1920&h=1080&c=4  → 200
      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301601_1XLI7BR2VR1H1YJXB&pid=21.2&w=1080&h=1920&c=4  → 200
      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301192_1O6NEWTZHCNXAKIDN&pid=21.2&w=1920&h=1080&c=4  → 200
  • 8.8.8.8:53  g.bing.com  dns  112 B / 158 B  2 / 1  (two requests; answer 204.79.197.200, 13.107.21.200)
  • 8.8.8.8:53  71.159.190.20.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  194.178.17.96.in-addr.arpa  dns  72 B / 137 B  1 / 1
  • 8.8.8.8:53  232.168.11.51.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  9.228.82.20.in-addr.arpa  dns  70 B / 156 B  1 / 1
  • 8.8.8.8:53  200.197.79.204.in-addr.arpa  dns  73 B / 106 B  1 / 1
  • 8.8.8.8:53  41.110.16.96.in-addr.arpa  dns  142 B / 135 B  2 / 1  (two requests)
  • 8.8.8.8:53  58.99.105.20.in-addr.arpa  dns  71 B / 157 B  1 / 1
  • 8.8.8.8:53  183.59.114.20.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  183.142.211.20.in-addr.arpa  dns  73 B / 159 B  1 / 1
  • 8.8.8.8:53  56.126.166.20.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  ip-api.com  dns  f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe  56 B / 72 B  1 / 1  (answer 208.95.112.1)
  • 8.8.8.8:53  104.241.123.92.in-addr.arpa  dns  73 B / 139 B  1 / 1
  • 8.8.8.8:53  1.112.95.208.in-addr.arpa  dns  71 B / 95 B  1 / 1
  • 8.8.8.8:53  119.110.54.20.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  shared167.accountservergroup.com  dns  f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe  78 B / 94 B  1 / 1  (answer 143.95.156.49)
  • 8.8.8.8:53  49.156.95.143.in-addr.arpa  dns  72 B / 110 B  1 / 1
  • 8.8.8.8:53  18.134.221.88.in-addr.arpa  dns  72 B / 137 B  1 / 1
  • 8.8.8.8:53  176.178.17.96.in-addr.arpa  dns  72 B / 137 B  1 / 1
  • 8.8.8.8:53  211.135.221.88.in-addr.arpa  dns  73 B / 139 B  1 / 1
  • 8.8.8.8:53  217.135.221.88.in-addr.arpa  dns  146 B / 278 B  2 / 2  (two requests)
  • 8.8.8.8:53  240.221.184.93.in-addr.arpa  dns  146 B / 288 B  2 / 2  (two requests)
  • 8.8.8.8:53  30.243.111.52.in-addr.arpa  dns  144 B / 316 B  2 / 2  (two requests)
  • 8.8.8.8:53  tse1.mm.bing.net  dns  124 B / 346 B  2 / 2  (two requests; answer 204.79.197.200, 13.107.21.200 both times)
  • 8.8.8.8:53  88.65.42.20.in-addr.arpa  dns  140 B / 312 B  2 / 2  (two requests)

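Of the connections above, only the ip-api.com request and the SMTP submission session to shared167.accountservergroup.com (plus the DNS lookups for both) are attributed to the sample, and that pairing, a hosting/external-IP check followed by SMTP from a process that is not a mail client, is the AgentTesla exfiltration pattern. The following Python is an added example, not part of the report: it scores per-process connection records, constructed here from the summary, for exactly that combination. The lists of IP-lookup services and mail clients are illustrative assumptions, not a complete reference.

```python
"""Score per-process network connections for the AgentTesla exfiltration pattern
(added example, not sandbox output). Records are constructed from the report's
network summary; the field layout is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe"


@dataclass(frozen=True)
class Conn:
    process: str   # originating image name; "" when the sandbox attributed none
    dst: str       # "ip:port"
    host: str      # domain, or the full URL for HTTP requests
    proto: str     # "dns", "http", "tls, http2", "smtp-submission", ...


CONNS = [  # constructed from the report's connection summary
    Conn("", "204.79.197.200:443", "https://g.bing.com/neg/0?action=emptycreativeimpression", "tls, http2"),
    Conn(SAMPLE, "8.8.8.8:53", "ip-api.com", "dns"),
    Conn(SAMPLE, "208.95.112.1:80", "http://ip-api.com/line/?fields=hosting", "http"),
    Conn(SAMPLE, "8.8.8.8:53", "shared167.accountservergroup.com", "dns"),
    Conn(SAMPLE, "143.95.156.49:587", "shared167.accountservergroup.com", "smtp-submission"),
    Conn("", "204.79.197.200:443", "tse1.mm.bing.net", "tls, http2"),
]

# Legitimate workstation senders of SMTP; anything else on these ports is suspect (illustrative list).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
# Public "what is my IP" services commonly called by infostealers (illustrative list).
IP_LOOKUP = re.compile(
    r"^(?:https?://)?(?:ip-api\.com|api\.ipify\.org|checkip\.dyndns\.org|icanhazip\.com)(?:[/:?]|$)",
    re.I,
)


def score_connections(conns):
    """Map process name -> (score, [(finding, detail), ...]) over attributed, non-DNS connections."""
    per_proc = defaultdict(list)
    for c in conns:
        if not c.process or c.proto == "dns":   # resolution alone is not contact
            continue
        port = int(c.dst.rsplit(":", 1)[1])
        if IP_LOOKUP.match(c.host):
            # ip-api's ?fields=hosting answers only true/false for datacenter IPs:
            # a sandbox/VPS check, which is more telling than a plain address lookup
            kind = "hosting_provider_check" if "hosting" in c.host.lower() else "external_ip_lookup"
            per_proc[c.process].append((kind, c.host))
        if port in SMTP_PORTS and c.process.lower() not in MAIL_CLIENTS:
            per_proc[c.process].append(("smtp_from_non_mail_client", c.dst))
    verdicts = {}
    for proc, findings in per_proc.items():
        kinds = {k for k, _ in findings}
        exfil = "smtp_from_non_mail_client" in kinds
        recon = bool(kinds & {"hosting_provider_check", "external_ip_lookup"})
        verdicts[proc] = ("high" if exfil and recon else "medium", findings)
    return verdicts


if __name__ == "__main__":
    for proc, (score, findings) in score_connections(CONNS).items():
        print(proc, score)
        for kind, detail in findings:
            print("   ", kind, detail)
```

The unattributed Bing traffic scores nothing, which is the intended behaviour: without a process it cannot be tied to the sample, and on a real host the same requests come from the shell. The SMTP rule also catches the credentials' eventual use from a different machine only if that machine's mail client is not on the allow-list, so the extracted account (dtker@deconbrio.com on shared167.accountservergroup.com) should additionally be blocked or reported to the provider.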
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f5ab115821d29f1d0825081266b7b89d63679200322b2568413577023a84a020.exe.log

    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4gnjaiux.vai.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmp85F9.tmp

    Filesize

    1KB

    MD5

    66907046863beb9a60117f804b154257

    SHA1

    9d5d014cc2e8999ed6e8a6cf70519e734783f18b

    SHA256

    7de9323e3774b0297b7a152e605f33e1842b7653c2eccf5adc36d2571baca9a0

    SHA512

    9687e71652b375737552605572779def341b10c01f780fbab5bd9df64783a50f8974c464157e964a9b5df093de19c32c1ddab8090de1107ea5e2a873e0458f1c

  • memory/64-4-0x0000000005460000-0x0000000005470000-memory.dmp

    Filesize

    64KB

  • memory/64-10-0x000000000ACF0000-0x000000000AD8C000-memory.dmp

    Filesize

    624KB

  • memory/64-5-0x00000000055B0000-0x00000000055BA000-memory.dmp

    Filesize

    40KB

  • memory/64-6-0x00000000085E0000-0x00000000085FC000-memory.dmp

    Filesize

    112KB

  • memory/64-7-0x0000000006730000-0x000000000673C000-memory.dmp

    Filesize

    48KB

  • memory/64-8-0x0000000006740000-0x000000000674E000-memory.dmp

    Filesize

    56KB

  • memory/64-9-0x0000000008600000-0x0000000008684000-memory.dmp

    Filesize

    528KB

  • memory/64-3-0x00000000054C0000-0x0000000005552000-memory.dmp

    Filesize

    584KB

  • memory/64-15-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

  • memory/64-2-0x0000000005A70000-0x0000000006014000-memory.dmp

    Filesize

    5.6MB

  • memory/64-1-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

  • memory/64-16-0x0000000005460000-0x0000000005470000-memory.dmp

    Filesize

    64KB

  • memory/64-0-0x00000000009C0000-0x0000000000AA6000-memory.dmp

    Filesize

    920KB

  • memory/64-27-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

  • memory/2308-34-0x00000000054A0000-0x0000000005506000-memory.dmp

    Filesize

    408KB

  • memory/2308-71-0x00000000069B0000-0x0000000006A00000-memory.dmp

    Filesize

    320KB

  • memory/2308-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2308-73-0x0000000001870000-0x0000000001880000-memory.dmp

    Filesize

    64KB

  • memory/2308-26-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

  • memory/2308-72-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

  • memory/2308-28-0x0000000001870000-0x0000000001880000-memory.dmp

    Filesize

    64KB

  • memory/4080-44-0x000000007F620000-0x000000007F630000-memory.dmp

    Filesize

    64KB

  • memory/4080-59-0x00000000081A0000-0x000000000881A000-memory.dmp

    Filesize

    6.5MB

  • memory/4080-17-0x0000000002F20000-0x0000000002F56000-memory.dmp

    Filesize

    216KB

  • memory/4080-40-0x00000000062C0000-0x0000000006326000-memory.dmp

    Filesize

    408KB

  • memory/4080-41-0x00000000064D0000-0x0000000006824000-memory.dmp

    Filesize

    3.3MB

  • memory/4080-42-0x0000000006830000-0x000000000684E000-memory.dmp

    Filesize

    120KB

  • memory/4080-43-0x00000000068E0000-0x000000000692C000-memory.dmp

    Filesize

    304KB

  • memory/4080-45-0x0000000006E00000-0x0000000006E32000-memory.dmp

    Filesize

    200KB

  • memory/4080-54-0x0000000002F60000-0x0000000002F70000-memory.dmp

    Filesize

    64KB

  • memory/4080-46-0x00000000710F0000-0x000000007113C000-memory.dmp

    Filesize

    304KB

  • memory/4080-22-0x0000000002F60000-0x0000000002F70000-memory.dmp

    Filesize

    64KB

  • memory/4080-57-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

    Filesize

    120KB

  • memory/4080-58-0x0000000007810000-0x00000000078B3000-memory.dmp

    Filesize

    652KB

  • memory/4080-19-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

  • memory/4080-60-0x0000000007B60000-0x0000000007B7A000-memory.dmp

    Filesize

    104KB

  • memory/4080-61-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

    Filesize

    40KB

  • memory/4080-62-0x0000000007DE0000-0x0000000007E76000-memory.dmp

    Filesize

    600KB

  • memory/4080-63-0x0000000007D60000-0x0000000007D71000-memory.dmp

    Filesize

    68KB

  • memory/4080-64-0x0000000007D90000-0x0000000007D9E000-memory.dmp

    Filesize

    56KB

  • memory/4080-65-0x0000000007DA0000-0x0000000007DB4000-memory.dmp

    Filesize

    80KB

  • memory/4080-66-0x0000000007EA0000-0x0000000007EBA000-memory.dmp

    Filesize

    104KB

  • memory/4080-67-0x0000000007E80000-0x0000000007E88000-memory.dmp

    Filesize

    32KB

  • memory/4080-70-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

  • memory/4080-35-0x00000000059C0000-0x00000000059E2000-memory.dmp

    Filesize

    136KB

  • memory/4080-20-0x0000000005A20000-0x0000000006048000-memory.dmp

    Filesize

    6.2MB

  • memory/4080-21-0x0000000002F60000-0x0000000002F70000-memory.dmp

    Filesize

    64KB
