Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 00:18 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe
  Resource: win10v2004-20240412-en
General
Target: b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe
Size: 26KB
MD5: 7cbf4232c6051cd8df6c85c2778bbd09
SHA1: c395b7742e98a95e1f868f53f5c5f9e135b0d06d
SHA256: b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0
SHA512: 3e27bfd80c314d90eda5c395904bbe9a03a8ed374b995c6433ef8ea7b0d2762f98171f531b95f1152646f05beebfcb972e014c6d5f2b07015887e8da3c360894
SSDEEP: 768:Sa1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLC:VfgLdQAQfcfymNu
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 3156  Logo1_.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe, one IoC per drive letter (E: through Z:):
  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:

Drops file in Program Files directory (64 IoCs, all by Logo1_.exe)
  Existing executables opened for modification (4):
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  _desktop.ini files created (38):
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\_desktop.ini
    C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\_desktop.ini
    C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\_desktop.ini
    C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini
    C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreRating\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bg-BG\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\styles\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini
    C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sl-si\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\_desktop.ini
    C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini
    C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\_desktop.ini
    C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini
    C:\Program Files\Java\jdk-1.8\jre\lib\amd64\_desktop.ini
    C:\Program Files\Windows Defender\ja-JP\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\_desktop.ini
  _desktop.ini files opened for modification (22):
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\_desktop.ini
    C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\_desktop.ini
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini
    C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini
    C:\Program Files\Windows Photo Viewer\uk-UA\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\_desktop.ini
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\_desktop.ini
    C:\Program Files\Java\jre-1.8\lib\ext\_desktop.ini

Drops file in Windows directory (4 IoCs)
  File created                  C:\Windows\Logo1_.exe    b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\vDll.dll      Logo1_.exe
  File created                  C:\Windows\rundl132.exe  b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe

Runs net.exe
  net stop "Kingsoft AntiVirus Service" (PID 3576, child of Logo1_.exe; see the process tree)

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  All 20 from PID 3156, Logo1_.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  source PID / process  ->  target PID / process (procid_target)   count
  3400 b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe  ->  1684 cmd.exe (85)        3
  3400 b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe  ->  3156 Logo1_.exe (86)     3
  3156 Logo1_.exe  ->  3576 net.exe (87)        3
  3576 net.exe     ->  3432 net1.exe (90)       3
  3156 Logo1_.exe  ->  3592 Explorer.EXE (57)   2
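The signature tables above arrive as one run-together line per signature, which makes them awkward to grep or diff. The Python below is added here as an example and is not part of the tria.ge report: it splits those rows back into (action, path, process) records and summarises what the dropped binary touched: the drive letters it probed, the existing executables it opened for modification, what it dropped into C:\Windows, file names it created repeatedly (the _desktop.ini marker), and dropped names within edit distance 1 to 2 of a real system binary (rundl132.exe against rundll32.exe). REPORT_IOCS is a subset of rows copied verbatim from the tables above; SYSTEM_BINARIES is a short illustrative list, not an exhaustive one.

```python
"""Split the run-together file-IoC rows of a tria.ge signature table into
records and summarise what the dropped process touched.

Added example for this report, not tria.ge code. REPORT_IOCS is a subset of
rows copied from the tables above; SYSTEM_BINARIES is a short illustrative
list, not an exhaustive one."""
import re
from collections import Counter
from dataclasses import dataclass

REPORT_IOCS = (
    r"File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe "
    r"File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe "
    r"File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\_desktop.ini Logo1_.exe "
    r"File created C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini Logo1_.exe "
    r"File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Logo1_.exe "
    r"File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe Logo1_.exe "
    r"File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini Logo1_.exe "
    r"File created C:\Windows\Logo1_.exe b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe "
    r"File opened for modification C:\Windows\rundl132.exe Logo1_.exe "
    r"File created C:\Windows\vDll.dll Logo1_.exe "
    r"File created C:\Windows\rundl132.exe b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe"
)

# Illustrative list of real system binaries that droppers like to mimic.
SYSTEM_BINARIES = ("rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "csrss.exe", "winlogon.exe")

# A row is "<action> <path, may contain spaces> <process, no spaces>"; rows are
# concatenated on one line, so split wherever the next action keyword starts.
_ROW = re.compile(
    r"^(File created|File opened for modification|File opened \(read-only\))\s+(.+?)\s+(\S+)$")
_SPLIT = re.compile(r"(?=File (?:created|opened))")
_DRIVE = re.compile(r"^\\\?\?\\([A-Z]):$")   # root-of-drive probe such as \??\O:


@dataclass(frozen=True)
class FileIoc:
    action: str
    path: str
    process: str


def parse_file_iocs(text: str) -> list:
    rows = []
    for chunk in _SPLIT.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = _ROW.match(chunk)
        if not m:
            raise ValueError(f"unparsed IoC row: {chunk!r}")
        rows.append(FileIoc(*m.groups()))
    return rows


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alike names such as rundl132.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def summarize(iocs: list) -> dict:
    drives, exe_modified, windows_drops, lookalikes = set(), [], [], {}
    created = Counter()
    for ioc in iocs:
        m = _DRIVE.match(ioc.path)
        if m:
            drives.add(m.group(1))
            continue
        name = ioc.path.rsplit("\\", 1)[-1]
        if ioc.action == "File created":
            created[name.lower()] += 1
            if ioc.path.lower().startswith("c:\\windows\\"):
                windows_drops.append(ioc.path)
        elif ioc.action == "File opened for modification" and name.lower().endswith(".exe"):
            exe_modified.append(ioc.path)
        for legit in SYSTEM_BINARIES:
            if 1 <= edit_distance(name.lower(), legit) <= 2:
                lookalikes[name] = legit
    return {
        "drives_probed": sorted(drives),
        "exe_modified": exe_modified,
        "windows_drops": windows_drops,
        "marker_files": {n: c for n, c in created.items() if c > 1},
        "lookalike_names": lookalikes,
        "by_process": dict(Counter(i.process for i in iocs)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_file_iocs(REPORT_IOCS)).items():
        print(f"{key}: {value}")
```

Run against the full 64 + 21 + 4 rows the same way; the exe_modified list is the one to pivot on when deciding whether the hosts' third-party binaries need to be re-hashed against known-good copies.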
Processes

Explorer.EXE  (PID 3592)
  image:   C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  +-- b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe  (PID 3400)
      image:   C:\Users\Admin\AppData\Local\Temp\b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe"
      signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      +-- cmd.exe  (PID 1684)
          image:   C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a33A3.bat
      +-- Logo1_.exe  (PID 3156)
          image:   C:\Windows\Logo1_.exe
          cmdline: C:\Windows\Logo1_.exe
          signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
          +-- net.exe  (PID 3576)
              image:   C:\Windows\SysWOW64\net.exe
              cmdline: net stop "Kingsoft AntiVirus Service"
              signatures: Suspicious use of WriteProcessMemory
              +-- net1.exe  (PID 3432)
                  image:   C:\Windows\SysWOW64\net1.exe
                  cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
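The process tree above gives the whole chain in one place: Explorer launches the sample from %TEMP%, the sample runs a $$-prefixed batch file through cmd.exe and starts its dropped copy C:\Windows\Logo1_.exe, and Logo1_.exe uses net.exe / net1.exe to stop "Kingsoft AntiVirus Service". The SysWOW64 paths show that the sample is a 32-bit process on the x64 VM. The Python below is detection logic written for this page as an added example (not tria.ge code) over Sysmon-style process-creation events: it rebuilds ancestry from pid/ppid and raises one alert per matching event for a cmd.exe /c of a $$*.bat in a Temp directory, an executable running from C:\Windows itself rather than a subdirectory, and net.exe or net1.exe stopping a service whose name looks like a security product. EVENTS is reconstructed from the tree above (its PIDs, images and command lines; parent links inferred from the nesting), and WINDOWS_ROOT_ALLOW is a short illustrative set of binaries that legitimately live in C:\Windows.

```python
"""Flag the behaviours in the process tree above from process-creation events.

Added example for this report, not tria.ge code. EVENTS is reconstructed from
the tree (PIDs, images and command lines as shown there; ppid inferred from the
nesting) in a Sysmon event-1-like shape."""
import re
from dataclasses import dataclass

SAMPLE = "b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

EVENTS = [
    {"pid": 3592, "ppid": 0, "image": "C:\\Windows\\Explorer.EXE",
     "cmdline": "C:\\Windows\\Explorer.EXE"},
    {"pid": 3400, "ppid": 3592, "image": TEMP + SAMPLE,
     "cmdline": '"' + TEMP + SAMPLE + '"'},
    {"pid": 1684, "ppid": 3400, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": "C:\\Windows\\system32\\cmd.exe /c " + TEMP + "$$a33A3.bat"},
    {"pid": 3156, "ppid": 3400, "image": "C:\\Windows\\Logo1_.exe",
     "cmdline": "C:\\Windows\\Logo1_.exe"},
    {"pid": 3576, "ppid": 3156, "image": "C:\\Windows\\SysWOW64\\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 3432, "ppid": 3576, "image": "C:\\Windows\\SysWOW64\\net1.exe",
     "cmdline": 'C:\\Windows\\system32\\net1 stop "Kingsoft AntiVirus Service"'},
]

# Illustrative allowlist: binaries that legitimately sit in C:\Windows itself.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                      "write.exe", "splwow64.exe", "winhlp32.exe", "bfsvc.exe"}
SECURITY_SERVICE = re.compile(
    r"anti[- ]?virus|anti[- ]?malware|defender|security|protect|firewall|endpoint", re.I)
NET_STOP = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.I)     # service name after "stop"
TEMP_BAT = re.compile(r"\\Temp\\\$\$[^\\\s]*\.bat\b", re.I)   # ...\Temp\$$xxxx.bat


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    chain: tuple   # image basenames from the root ancestor down to pid
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ancestry(pid: int, by_pid: dict) -> tuple:
    names, seen = [], set()
    while pid in by_pid and pid not in seen:   # stop at an unknown parent or a cycle
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return tuple(reversed(names))


def detect(events: list) -> list:
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"]).lower()
        parent_dir = e["image"].rsplit("\\", 1)[0].lower()
        chain = ancestry(e["pid"], by_pid)
        if name == "cmd.exe" and TEMP_BAT.search(e["cmdline"]):
            alerts.append(Alert("temp_batch_via_cmd", e["pid"], chain, e["cmdline"]))
        if parent_dir == "c:\\windows" and name not in WINDOWS_ROOT_ALLOW:
            alerts.append(Alert("exe_in_windows_root", e["pid"], chain, e["image"]))
        if name in ("net.exe", "net1.exe"):
            m = NET_STOP.search(e["cmdline"])
            if m and SECURITY_SERVICE.search(m.group(1)):
                alerts.append(Alert("av_service_stop", e["pid"], chain, m.group(1)))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.rule:20} pid={a.pid:<5} {' > '.join(a.chain)}")
        print(f"{'':21}{a.detail}")
```

The ancestry chain is what makes the net1.exe alert actionable: "Explorer.EXE > sample > Logo1_.exe > net.exe > net1.exe" ties the service stop back to the dropped binary, which a rule matching only on the net1.exe command line would not do.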
Network

DNS (all queries to 8.8.8.8:53; sizes are query / response bytes, one packet each)
  PTR  0.159.190.20.in-addr.arpa     no PTR record returned                                   71 B / 157 B
  PTR  144.107.17.2.in-addr.arpa     a2-17-107-144.deploy.static.akamaitechnologies.com       71 B / 135 B
  A    g.bing.com                    CNAME g-bing-com.dual-a-0034.a-msedge.net -> CNAME dual-a-0034.a-msedge.net -> A 204.79.197.237, A 13.107.21.237    56 B / 151 B
  PTR  156.33.209.4.in-addr.arpa     no PTR record returned                                   71 B / 157 B
  PTR  237.197.79.204.in-addr.arpa   no PTR record returned                                   73 B / 143 B
  PTR  9.228.82.20.in-addr.arpa      no PTR record returned                                   70 B / 156 B
  PTR  132.250.30.184.in-addr.arpa   a184-30-250-132.deploy.static.akamaitechnologies.com     73 B / 139 B
  PTR  88.156.103.20.in-addr.arpa    no PTR record returned                                   72 B / 158 B
  PTR  50.23.12.20.in-addr.arpa      no PTR record returned                                   70 B / 156 B
  PTR  198.187.3.20.in-addr.arpa     no PTR record returned                                   71 B / 157 B
  PTR  130.118.77.104.in-addr.arpa   a104-77-118-130.deploy.static.akamaitechnologies.com     73 B / 139 B
  PTR  38.117.19.2.in-addr.arpa      a2-19-117-38.deploy.static.akamaitechnologies.com        70 B / 133 B

HTTP (204.79.197.237:443, tls + http2; 22.0 kB / 9.2 kB and 22 / 19 packets, sent / received)
  All three requests carry the user-agent WindowsShellClient/9.0.40929.0 (Windows), and g.bing.com is the only host contacted over HTTP in the capture; all three responses are HTTP/2.0 204 with no body.

  1. GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
     host: g.bing.com
     accept-encoding: gzip, deflate
     user-agent: WindowsShellClient/9.0.40929.0 (Windows)
     Response: HTTP/2.0 204
     pragma: no-cache
     expires: Fri, 01 Jan 1990 00:00:00 GMT
     set-cookie: MUID=2D52EF8EEA9A64D10AA2FBE8EB7A65F9; domain=.bing.com; expires=Wed, 14-May-2025 00:18:18 GMT; path=/; SameSite=None; Secure; Priority=High;
     strict-transport-security: max-age=31536000; includeSubDomains; preload
     access-control-allow-origin: *
     x-cache: CONFIG_NOCACHE
     accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
     x-msedge-ref: Ref A: C8031F320C494D5FB8ED6E5F49AD0DA6 Ref B: LON04EDGE1214 Ref C: 2024-04-19T00:18:18Z
     date: Fri, 19 Apr 2024 00:18:18 GMT

  2. GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
     host: g.bing.com
     accept-encoding: gzip, deflate
     user-agent: WindowsShellClient/9.0.40929.0 (Windows)
     cookie: MUID=2D52EF8EEA9A64D10AA2FBE8EB7A65F9
     Response: HTTP/2.0 204
     pragma: no-cache
     expires: Fri, 01 Jan 1990 00:00:00 GMT
     set-cookie: MSPTC=jJv5OHFqzTp1YLdSINK5Ww06qZCUfpvbrZRSJtbm9F8; domain=.bing.com; expires=Wed, 14-May-2025 00:18:18 GMT; path=/; Partitioned; secure; SameSite=None
     strict-transport-security: max-age=31536000; includeSubDomains; preload
     access-control-allow-origin: *
     x-cache: CONFIG_NOCACHE
     accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
     x-msedge-ref: Ref A: C85F39AC65974BB5B6BE549AC1921177 Ref B: LON04EDGE1214 Ref C: 2024-04-19T00:18:18Z
     date: Fri, 19 Apr 2024 00:18:18 GMT

  3. GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
     host: g.bing.com
     accept-encoding: gzip, deflate
     user-agent: WindowsShellClient/9.0.40929.0 (Windows)
     cookie: MUID=2D52EF8EEA9A64D10AA2FBE8EB7A65F9; MSPTC=jJv5OHFqzTp1YLdSINK5Ww06qZCUfpvbrZRSJtbm9F8
     Response: HTTP/2.0 204
     pragma: no-cache
     expires: Fri, 01 Jan 1990 00:00:00 GMT
     strict-transport-security: max-age=31536000; includeSubDomains; preload
     access-control-allow-origin: *
     x-cache: CONFIG_NOCACHE
     accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
     x-msedge-ref: Ref A: FBD356777DF74B9D87E9CFE26E2B7A84 Ref B: LON04EDGE1214 Ref C: 2024-04-19T00:18:18Z
     date: Fri, 19 Apr 2024 00:18:18 GMT
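The capture holds eleven reverse (PTR) lookups but only one forward lookup and one HTTP destination, and that destination was reached with the Windows shell's own user-agent. The Python below, added here as an example and not part of the report, turns each in-addr.arpa name back into its IPv4 address and joins it against the A answers and the HTTP remote addresses, so that the IPs the VM resolved but never contacted in the capture can be separated from the one it actually spoke to. DNS_RECORDS and HTTP_FLOWS are transcribed from the Network section above; whether the background lookups came from the sample or from Windows itself is not something this page records, so the code only classifies, it does not attribute.

```python
"""Join the reverse (PTR) lookups in a sandbox capture against forward answers
and HTTP destinations, to separate IPs merely resolved from IPs contacted.

Added example for this report, not tria.ge code. DNS_RECORDS and HTTP_FLOWS are
transcribed from the Network section above."""
import ipaddress
from collections import defaultdict

DNS_RECORDS = [  # (query name, type, answers)
    ("0.159.190.20.in-addr.arpa", "PTR", []),
    ("144.107.17.2.in-addr.arpa", "PTR", ["a2-17-107-144.deploy.static.akamaitechnologies.com"]),
    ("g.bing.com", "A", ["204.79.197.237", "13.107.21.237"]),
    ("156.33.209.4.in-addr.arpa", "PTR", []),
    ("237.197.79.204.in-addr.arpa", "PTR", []),
    ("9.228.82.20.in-addr.arpa", "PTR", []),
    ("132.250.30.184.in-addr.arpa", "PTR", ["a184-30-250-132.deploy.static.akamaitechnologies.com"]),
    ("88.156.103.20.in-addr.arpa", "PTR", []),
    ("50.23.12.20.in-addr.arpa", "PTR", []),
    ("198.187.3.20.in-addr.arpa", "PTR", []),
    ("130.118.77.104.in-addr.arpa", "PTR", ["a104-77-118-130.deploy.static.akamaitechnologies.com"]),
    ("38.117.19.2.in-addr.arpa", "PTR", ["a2-19-117-38.deploy.static.akamaitechnologies.com"]),
]
HTTP_FLOWS = [  # (remote ip, host header, user-agent), one entry per request
    ("204.79.197.237", "g.bing.com", "WindowsShellClient/9.0.40929.0 (Windows)"),
] * 3


def ptr_to_ip(qname: str) -> str:
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237' (the labels are reversed)."""
    q = qname.lower().rstrip(".")
    suffix = ".in-addr.arpa"
    if not q.endswith(suffix):
        raise ValueError(f"not an IPv4 reverse name: {qname}")
    labels = q[: -len(suffix)].split(".")
    if len(labels) != 4:
        raise ValueError(f"not a full /32 reverse name: {qname}")
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))   # validates octets


def new_entry() -> dict:
    return {"reverse_lookup": False, "ptr": None, "forward_names": [], "http_hosts": []}


def correlate(dns_records: list, http_flows: list) -> dict:
    """Per IP: was it reverse-resolved, what PTR came back, which names resolve
    to it, and which HTTP hosts were reached at it."""
    view = defaultdict(new_entry)
    for qname, qtype, answers in dns_records:
        if qtype == "PTR":
            entry = view[ptr_to_ip(qname)]
            entry["reverse_lookup"] = True
            entry["ptr"] = answers[0] if answers else None
        elif qtype == "A":
            for ip in answers:
                view[ip]["forward_names"].append(qname.lower())
    for ip, host, _user_agent in http_flows:
        if host not in view[ip]["http_hosts"]:
            view[ip]["http_hosts"].append(host)
    return dict(view)


def reverse_only(view: dict) -> list:
    """IPs that were only reverse-resolved: never in an A answer, never an HTTP peer."""
    return sorted(
        (ip for ip, e in view.items()
         if e["reverse_lookup"] and not e["forward_names"] and not e["http_hosts"]),
        key=ipaddress.IPv4Address,
    )


if __name__ == "__main__":
    view = correlate(DNS_RECORDS, HTTP_FLOWS)
    for ip in reverse_only(view):
        print("reverse-only:", ip, view[ip]["ptr"] or "(no PTR)")
    for ip, e in view.items():
        if e["http_hosts"]:
            print("contacted:", ip, e)
```

On this capture the join leaves ten reverse-only addresses and a single contacted one, 204.79.197.237, which is the g.bing.com A answer; the second A answer, 13.107.21.237, was never reverse-resolved or contacted.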
MITRE ATT&CK Enterprise v15
Downloads

1. (path not shown)
   Filesize: 251KB
   MD5: 8763dd1e5a4d9a5e14aaac162f8010f2
   SHA1: b3a1ef6416daeb9dadcf5dadd8fb541b724cbc71
   SHA256: a12aa0944df5ca9d29f5af6c2a94b7923153e754ae714e3f6ab5776de277ade6
   SHA512: 6fc613191309cfff8eef7db9bf990ed7d28f160384a0629b519a326a650f6f16dbb5a49705931b5ed7ebc719044f6360d4efa2dd5f4b69eec6d01386c5b3c167

2. (path not shown)
   Filesize: 570KB
   MD5: f9cc9ae17d368f8d0e728a90ada03a0c
   SHA1: 60d6d21dca7fe3e657bad276ad951d3dcccd68b5
   SHA256: 601f6a14f956580a3c59ad6cd2537995fcd89a9920f4bc02c9a5d3cd41b25930
   SHA512: 9abd366ce5faad5c3a289f646fe02432ad5d3cf763ca50eee2517e0c4bb76e6198db9633eaedd8bfa944384bd95fb1c758684587a2f1b6801acc8d2607987ccf

3. C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
   Filesize: 636KB
   MD5: 2500f702e2b9632127c14e4eaae5d424
   SHA1: 8726fef12958265214eeb58001c995629834b13a
   SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
   SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

4. (path not shown)
   Filesize: 722B
   MD5: 4ddff8bc9eafaade64680ddab72d8e2a
   SHA1: 4d4d627b48da81889326a590836c54580fd1e894
   SHA256: 09cbba1aaa7d71a9a67885b28519d5f07bab6502910595cdb4362b975b4bd49d
   SHA512: 3195665163f284f0ba930b14d6ad517579d6d81ea21edd42667911f7da03297c127569c9f2d1a2c93645f8a676e1eae5d898fdf1f2381ec70d83e3be206aadd3

5. C:\Users\Admin\AppData\Local\Temp\b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe.exe
   Filesize: 162B
   MD5: 380bbf4d7bdac05d2248b49c4188cd92
   SHA1: ae83ef83ebe684eab30ab3ca431e4f84994fd60f
   SHA256: b97278e320af9d3d990703fd1af322e7c4b568a92f6a736149c1648b2f07a7c2
   SHA512: 06fe7a78b558b7581b52f8d65a6a8a62338a429e550c91ad4ba5cc3f445da83ee86b99e5c7dfbd9bbfcc12895215d2a329756dc6b24ef8313f70658abc08db15

6. (path not shown)
   Filesize: 26KB
   MD5: d46a2a6f2a522cb6c3bde1532d2cd3fb
   SHA1: e36c018fe56222afda400c8848306dea3f8f0019
   SHA256: 874f065e5732aece11a9bb35e2bb35016d90ff1f51fefbd776c5d156250389d4
   SHA512: a2c74399ddb660b3a9e166b9ac546987506ea260089f530e83380ca6dd3bf63aff15aca581e56627cb6e67fc8780b2abcc70913518a6650926fe664774016f57

7. (path not shown)
   Filesize: 9B
   MD5: c59aab012a570d8b20f60efcafb272be
   SHA1: 709df64d9a23340c6bc42f2bf8dfdca512bff2e0
   SHA256: 8a349242c7461f8fccc029421cd051ef8f140a8e3738d348a2354a3d5b9de220
   SHA512: 8c3f67dc02beaca59f0deaa4d8e33bc385b19df02d2a8b905b47148e21919f7d059f3883f02dad25a0d11dc807343390114753a7918171720d8cd72e84239e17