Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

SHIPPING DOC.exe

windows7-x64

10

SHIPPING DOC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/03/2024, 13:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SHIPPING DOC.exe

  • Size

    811KB

  • MD5

    a53510c8abfed32dfb6f0765de3faf7b

  • SHA1

    3ea41317b78988a213ce66656b2b2d417ea3626e

  • SHA256

    4b39adbf8d3a4e2a5793014b4af4a4cb98d3a71c4a565dd20dc3a69928a84c72

  • SHA512

    dbc9dfafb9dde32184060fd67c86df178f5eaf9365a5193ca2154d2889ed339cc4a585c929f9b9ba183a0a2bc2e40ca05c727a55b43ce260aca4b0c6987cfd30

  • SSDEEP

    12288:ICsL4MhHwgG3htgIV3ZTVBWzfrBjnuWcD5UWoljR8J7HYXWG91EzJGU600qvDKhc:wo7fwluheWoljRqH1zJGprhvfg

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.elec-qatar.com
  • Port:
    587
  • Username:
    mohammed.abrar@elec-qatar.com
  • Password:
    MHabrar2019@#

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.elec-qatar.com
  • Port:
    587
  • Username:
    mohammed.abrar@elec-qatar.com
  • Password:
    MHabrar2019@#
  • Email To:
    jinhux31@gmail.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC.exe
    "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC.exe
      "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1384

Network

  • flag-us
    DNS
    4.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.181.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.178.17.96.in-addr.arpa
    IN PTR
    Response
    200.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-200deploystaticakamaitechnologiescom
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=0CA0ED9E7C8362DA1AB5F9DF7D63630E; domain=.bing.com; expires=Mon, 07-Apr-2025 13:11:05 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 365C29AB1E044C9A86FB80FB3E503025 Ref B: LON04EDGE1120 Ref C: 2024-03-13T13:11:05Z
    date: Wed, 13 Mar 2024 13:11:05 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0CA0ED9E7C8362DA1AB5F9DF7D63630E
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=r1UCOrqk9wlkLRiVwVM70gFkftDnFOoKRMQaZ61CjtI; domain=.bing.com; expires=Mon, 07-Apr-2025 13:11:05 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5B9F0AE5080A493AACB471F58665453A Ref B: LON04EDGE1120 Ref C: 2024-03-13T13:11:05Z
    date: Wed, 13 Mar 2024 13:11:05 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0CA0ED9E7C8362DA1AB5F9DF7D63630E; MSPTC=r1UCOrqk9wlkLRiVwVM70gFkftDnFOoKRMQaZ61CjtI
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E97613B502344EECBBAA7D420EA50A7E Ref B: LON04EDGE1120 Ref C: 2024-03-13T13:11:05Z
    date: Wed, 13 Mar 2024 13:11:05 GMT
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41deploystaticakamaitechnologiescom
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    100.5.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.5.17.2.in-addr.arpa
    IN PTR
    Response
    100.5.17.2.in-addr.arpa
    IN PTR
    a2-17-5-100deploystaticakamaitechnologiescom
  • flag-us
    DNS
    119.110.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    119.110.54.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mail.elec-qatar.com
    SHIPPING DOC.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.elec-qatar.com
    IN A
    Response
    mail.elec-qatar.com
    IN A
    50.87.139.143
  • flag-us
    DNS
    143.139.87.50.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    143.139.87.50.in-addr.arpa
    IN PTR
    Response
    143.139.87.50.in-addr.arpa
    IN PTR
    box2248bluehostcom
  • flag-us
    DNS
    28.160.77.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.160.77.104.in-addr.arpa
    IN PTR
    Response
    28.160.77.104.in-addr.arpa
    IN PTR
    a104-77-160-28deploystaticakamaitechnologiescom
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.171.91.138.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.171.91.138.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.179.17.96.in-addr.arpa
    IN PTR
    Response
    83.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    23.160.77.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.160.77.104.in-addr.arpa
    IN PTR
    Response
    23.160.77.104.in-addr.arpa
    IN PTR
    a104-77-160-23deploystaticakamaitechnologiescom
  • flag-us
    DNS
    23.160.77.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.160.77.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    55.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.179.17.96.in-addr.arpa
    IN PTR
    Response
    55.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-55deploystaticakamaitechnologiescom
  • flag-us
    DNS
    55.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.179.17.96.in-addr.arpa
    IN PTR
    Response
    55.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-55deploystaticakamaitechnologiescom
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 405726
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 493A2AE452FB4D47B15D995DC751ED24 Ref B: LON04EDGE0814 Ref C: 2024-03-13T13:12:44Z
    date: Wed, 13 Mar 2024 13:12:43 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301701_11UGRWY4Y5ZEF3873&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301701_11UGRWY4Y5ZEF3873&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 220516
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BB0D51F31F444CACB6D6777367F4573D Ref B: LON04EDGE0814 Ref C: 2024-03-13T13:12:44Z
    date: Wed, 13 Mar 2024 13:12:43 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 242979
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 84CE35A789854025BB960BCC6F32D77C Ref B: LON04EDGE0814 Ref C: 2024-03-13T13:12:44Z
    date: Wed, 13 Mar 2024 13:12:43 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301292_1GDVMD25ARDBL3246&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301292_1GDVMD25ARDBL3246&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 384492
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7EFEB2C151A5478EA9558F574B9E2765 Ref B: LON04EDGE0814 Ref C: 2024-03-13T13:12:44Z
    date: Wed, 13 Mar 2024 13:12:43 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 167585
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2048227E3F914301A46D915C6C0821AA Ref B: LON04EDGE0814 Ref C: 2024-03-13T13:12:44Z
    date: Wed, 13 Mar 2024 13:12:43 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 286847
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BA5DEEC1EA7B4F8B8AB0B2C0D2E9D00F Ref B: LON04EDGE0814 Ref C: 2024-03-13T13:12:45Z
    date: Wed, 13 Mar 2024 13:12:44 GMT
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    195.201.50.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    195.201.50.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    195.201.50.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    195.201.50.20.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=
    tls, http2
    2.0kB
     9.2kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=86beb1bbe4ec4fdcb9f18781dfe6b863&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

    HTTP Response

    204
  • 50.87.139.143:587
    mail.elec-qatar.com
    smtp-submission
    SHIPPING DOC.exe
    1.9kB
     1.3kB
     16
    18
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&w=1920&h=1080&c=4
    tls, http2
    62.4kB
     1.8MB
     1306
    1302

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301701_11UGRWY4Y5ZEF3873&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301292_1GDVMD25ARDBL3246&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.1kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.1kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.1kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.1kB
     16
    14
  • 8.8.8.8:53
    4.181.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    4.181.190.20.in-addr.arpa

  • 8.8.8.8:53
    200.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    200.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     158 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    100.5.17.2.in-addr.arpa
    dns
    69 B
     131 B
     1
    1

    DNS Request

    100.5.17.2.in-addr.arpa

  • 8.8.8.8:53
    119.110.54.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    119.110.54.20.in-addr.arpa

  • 8.8.8.8:53
    mail.elec-qatar.com
    dns
    SHIPPING DOC.exe
    65 B
     81 B
     1
    1

    DNS Request

    mail.elec-qatar.com

    DNS Response

    50.87.139.143

  • 8.8.8.8:53
    143.139.87.50.in-addr.arpa
    dns
    72 B
     106 B
     1
    1

    DNS Request

    143.139.87.50.in-addr.arpa

  • 8.8.8.8:53
    28.160.77.104.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    28.160.77.104.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    81.171.91.138.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    81.171.91.138.in-addr.arpa

  • 8.8.8.8:53
    83.179.17.96.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    83.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    23.160.77.104.in-addr.arpa
    dns
    144 B
     137 B
     2
    1

    DNS Request

    23.160.77.104.in-addr.arpa

    DNS Request

    23.160.77.104.in-addr.arpa

  • 8.8.8.8:53
    55.179.17.96.in-addr.arpa
    dns
    142 B
     270 B
     2
    2

    DNS Request

    55.179.17.96.in-addr.arpa

    DNS Request

    55.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    142 B
     314 B
     2
    2

    DNS Request

    26.35.223.20.in-addr.arpa

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    144 B
     316 B
     2
    2

    DNS Request

    29.243.111.52.in-addr.arpa

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    124 B
     346 B
     2
    2

    DNS Request

    tse1.mm.bing.net

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    144 B
     316 B
     2
    2

    DNS Request

    88.156.103.20.in-addr.arpa

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    195.201.50.20.in-addr.arpa
    dns
    144 B
     316 B
     2
    2

    DNS Request

    195.201.50.20.in-addr.arpa

    DNS Request

    195.201.50.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SHIPPING DOC.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit

  • memory/1384-10-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1384-19-0x00000000028B0000-0x00000000028C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1384-18-0x0000000075170000-0x0000000075920000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1384-17-0x0000000005C90000-0x0000000005CE0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1384-16-0x0000000004FC0000-0x0000000005026000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1384-15-0x00000000028B0000-0x00000000028C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1384-13-0x0000000075170000-0x0000000075920000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3668-4-0x0000000004C20000-0x0000000004C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3668-9-0x0000000007E10000-0x0000000007EAC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3668-8-0x00000000058C0000-0x000000000595E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/3668-7-0x0000000004D20000-0x0000000004D2E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3668-6-0x0000000004C00000-0x0000000004C12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3668-14-0x0000000075170000-0x0000000075920000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3668-5-0x0000000004B80000-0x0000000004B8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3668-1-0x0000000075170000-0x0000000075920000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3668-3-0x0000000004AC0000-0x0000000004B52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3668-2-0x0000000004FD0000-0x0000000005574000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3668-0-0x0000000000010000-0x00000000000E0000-memory.dmp

    Filesize

    832KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.