Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24/04/2024, 02:11 UTC

General

  • Target

    f37efd5834c04b7f90ee50188474ebc8a917f83a48edd87e7a0556415f0b3621.exe

  • Size

    2.6MB

  • MD5

    942e6d4d79fafc99f4339e0cd957675d

  • SHA1

    03f5cadf461749cd06cd4defd93e31e3ce9e716f

  • SHA256

    f37efd5834c04b7f90ee50188474ebc8a917f83a48edd87e7a0556415f0b3621

  • SHA512

    1192451b24280780b65881c4a27b09cbe98fccc836819832554796d0dd966ab29dfe27afd0476efb2f73689b992813a8e63f1525c49395a5d41e3a90493a3130

  • SSDEEP

    24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxx9:Hh+ZkldoPKiYdqd6l

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcurs Rat Executable 3 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f37efd5834c04b7f90ee50188474ebc8a917f83a48edd87e7a0556415f0b3621.exe
    "C:\Users\Admin\AppData\Local\Temp\f37efd5834c04b7f90ee50188474ebc8a917f83a48edd87e7a0556415f0b3621.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3676
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      2⤵
      • Creates scheduled task(s)
      PID:4724
  • C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      PID:1872
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      2⤵
      • Creates scheduled task(s)
      PID:3596
  • C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      PID:4116
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      2⤵
      • Creates scheduled task(s)
      PID:1812
  • C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:244
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      PID:5028
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      2⤵
      • Creates scheduled task(s)
      PID:4504

Network

        • flag-us
          DNS
          133.32.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          133.32.126.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          g.bing.com
          Remote address:
          8.8.8.8:53
          Request
          g.bing.com
          IN A
          Response
          g.bing.com
          IN CNAME
          g-bing-com.dual-a-0034.a-msedge.net
          g-bing-com.dual-a-0034.a-msedge.net
          IN CNAME
          dual-a-0034.a-msedge.net
          dual-a-0034.a-msedge.net
          IN A
          204.79.197.237
          dual-a-0034.a-msedge.net
          IN A
          13.107.21.237
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2126f0600c3423dba8208f8e4478450&localId=w:E538575A-8E65-34AB-A726-A4D160CA8F07&deviceId=6966564024204374&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2126f0600c3423dba8208f8e4478450&localId=w:E538575A-8E65-34AB-A726-A4D160CA8F07&deviceId=6966564024204374&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MUID=2B33B361C12C66013A57A70AC0976776; domain=.bing.com; expires=Mon, 19-May-2025 02:11:41 GMT; path=/; SameSite=None; Secure; Priority=High;
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 4770C1DFDB104E4FA31D1C1A1EC06974 Ref B: LON04EDGE0919 Ref C: 2024-04-24T02:11:40Z
          date: Wed, 24 Apr 2024 02:11:40 GMT
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2126f0600c3423dba8208f8e4478450&localId=w:E538575A-8E65-34AB-A726-A4D160CA8F07&deviceId=6966564024204374&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2126f0600c3423dba8208f8e4478450&localId=w:E538575A-8E65-34AB-A726-A4D160CA8F07&deviceId=6966564024204374&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=2B33B361C12C66013A57A70AC0976776
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MSPTC=5MRysp7jlj5jaIddPRy5q5s9gcuAhgY_xX_VyGRdCYY; domain=.bing.com; expires=Mon, 19-May-2025 02:11:41 GMT; path=/; Partitioned; secure; SameSite=None
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: C66842F3B31648FA8A655E38C315C809 Ref B: LON04EDGE0919 Ref C: 2024-04-24T02:11:41Z
          date: Wed, 24 Apr 2024 02:11:40 GMT
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2126f0600c3423dba8208f8e4478450&localId=w:E538575A-8E65-34AB-A726-A4D160CA8F07&deviceId=6966564024204374&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2126f0600c3423dba8208f8e4478450&localId=w:E538575A-8E65-34AB-A726-A4D160CA8F07&deviceId=6966564024204374&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=2B33B361C12C66013A57A70AC0976776; MSPTC=5MRysp7jlj5jaIddPRy5q5s9gcuAhgY_xX_VyGRdCYY
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 244DA287E94D4150A5033353BE051536 Ref B: LON04EDGE0919 Ref C: 2024-04-24T02:11:41Z
          date: Wed, 24 Apr 2024 02:11:40 GMT
        • flag-us
          DNS
          9.228.82.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          9.228.82.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          196.249.167.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          196.249.167.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          240.221.184.93.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          240.221.184.93.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          237.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          237.197.79.204.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          156.33.209.4.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          156.33.209.4.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          21.114.53.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          21.114.53.23.in-addr.arpa
          IN PTR
          Response
          21.114.53.23.in-addr.arpa
          IN PTR
          a23-53-114-21deploystaticakamaitechnologiescom
        • flag-us
          DNS
          55.36.223.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          55.36.223.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          228.249.119.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          228.249.119.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          58.55.71.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          58.55.71.13.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          103.169.127.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          103.169.127.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          171.39.242.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          171.39.242.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          24.139.73.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          24.139.73.23.in-addr.arpa
          IN PTR
          Response
          24.139.73.23.in-addr.arpa
          IN PTR
          a23-73-139-24deploystaticakamaitechnologiescom
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          58.99.105.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          58.99.105.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          48.251.17.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          48.251.17.2.in-addr.arpa
          IN PTR
          Response
          48.251.17.2.in-addr.arpa
          IN PTR
          a2-17-251-48deploystaticakamaitechnologiescom
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          14.227.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          14.227.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          14.227.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          14.227.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • flag-us
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 555746
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 705A47B256DB4E7BACFE66B8D1D5AC75 Ref B: LON04EDGE1018 Ref C: 2024-04-24T02:13:20Z
          date: Wed, 24 Apr 2024 02:13:19 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        • flag-us
          DNS
          200.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          200.197.79.204.in-addr.arpa
          IN PTR
          Response
          200.197.79.204.in-addr.arpa
          IN PTR
          a-0001a-msedgenet
        • flag-us
          DNS
          200.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          200.197.79.204.in-addr.arpa
          IN PTR
          Response
          200.197.79.204.in-addr.arpa
          IN PTR
          a-0001a-msedgenet
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • flag-us
          DNS
          ligeon.ddns.net
          RegSvcs.exe
          Remote address:
          8.8.8.8:53
          Request
          ligeon.ddns.net
          IN A
          Response
        • 204.79.197.237:443
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2126f0600c3423dba8208f8e4478450&localId=w:E538575A-8E65-34AB-A726-A4D160CA8F07&deviceId=6966564024204374&anid=
          tls, http2
          2.0kB
          9.2kB
          21
          19

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2126f0600c3423dba8208f8e4478450&localId=w:E538575A-8E65-34AB-A726-A4D160CA8F07&deviceId=6966564024204374&anid=

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2126f0600c3423dba8208f8e4478450&localId=w:E538575A-8E65-34AB-A726-A4D160CA8F07&deviceId=6966564024204374&anid=

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2126f0600c3423dba8208f8e4478450&localId=w:E538575A-8E65-34AB-A726-A4D160CA8F07&deviceId=6966564024204374&anid=

          HTTP Response

          204
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          15
          13
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          16
          14
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          15
          14
        • 204.79.197.200:443
          https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          tls, http2
          4.5kB
          82.7kB
          73
          68

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Response

          200
        • 8.8.8.8:53
          133.32.126.40.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          133.32.126.40.in-addr.arpa

        • 8.8.8.8:53
          g.bing.com
          dns
          56 B
          151 B
          1
          1

          DNS Request

          g.bing.com

          DNS Response

          204.79.197.237
          13.107.21.237

        • 8.8.8.8:53
          9.228.82.20.in-addr.arpa
          dns
          70 B
          156 B
          1
          1

          DNS Request

          9.228.82.20.in-addr.arpa

        • 8.8.8.8:53
          196.249.167.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          196.249.167.52.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          240.221.184.93.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          240.221.184.93.in-addr.arpa

        • 8.8.8.8:53
          237.197.79.204.in-addr.arpa
          dns
          73 B
          143 B
          1
          1

          DNS Request

          237.197.79.204.in-addr.arpa

        • 8.8.8.8:53
          156.33.209.4.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          156.33.209.4.in-addr.arpa

        • 8.8.8.8:53
          21.114.53.23.in-addr.arpa
          dns
          71 B
          135 B
          1
          1

          DNS Request

          21.114.53.23.in-addr.arpa

        • 8.8.8.8:53
          55.36.223.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          55.36.223.20.in-addr.arpa

        • 8.8.8.8:53
          ligeon.ddns.net
          dns
          RegSvcs.exe
          61 B
          121 B
          1
          1

          DNS Request

          ligeon.ddns.net

        • 8.8.8.8:53
          228.249.119.40.in-addr.arpa
          dns
          73 B
          159 B
          1
          1

          DNS Request

          228.249.119.40.in-addr.arpa

        • 8.8.8.8:53
          ligeon.ddns.net
          dns
          RegSvcs.exe
          61 B
          121 B
          1
          1

          DNS Request

          ligeon.ddns.net

        • 8.8.8.8:53
          58.55.71.13.in-addr.arpa
          dns
          70 B
          144 B
          1
          1

          DNS Request

          58.55.71.13.in-addr.arpa

        • 8.8.8.8:53
          ligeon.ddns.net
          dns
          RegSvcs.exe
          61 B
          121 B
          1
          1

          DNS Request

          ligeon.ddns.net

        • 8.8.8.8:53
          103.169.127.40.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          103.169.127.40.in-addr.arpa

        • 8.8.8.8:53
          171.39.242.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          171.39.242.20.in-addr.arpa

        • 8.8.8.8:53
          24.139.73.23.in-addr.arpa
          dns
          71 B
          135 B
          1
          1

          DNS Request

          24.139.73.23.in-addr.arpa

        • 8.8.8.8:53
          ligeon.ddns.net
          dns
          RegSvcs.exe
          61 B
          121 B
          1
          1

          DNS Request

          ligeon.ddns.net

        • 8.8.8.8:53
          ligeon.ddns.net
          dns
          RegSvcs.exe
          61 B
          121 B
          1
          1

          DNS Request

          ligeon.ddns.net

        • 8.8.8.8:53
          ligeon.ddns.net
          dns
          RegSvcs.exe
          61 B
          121 B
          1
          1

          DNS Request

          ligeon.ddns.net

        • 8.8.8.8:53
          ligeon.ddns.net
          dns
          RegSvcs.exe
          61 B
          121 B
          1
          1

          DNS Request

          ligeon.ddns.net

        • 8.8.8.8:53
          58.99.105.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          58.99.105.20.in-addr.arpa

        • 8.8.8.8:53
          48.251.17.2.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          48.251.17.2.in-addr.arpa

        • 8.8.8.8:53
          ligeon.ddns.net
          dns
          RegSvcs.exe
          61 B
          121 B
          1
          1

          DNS Request

          ligeon.ddns.net

        • 8.8.8.8:53
          ligeon.ddns.net
          dns
          RegSvcs.exe
          61 B
          121 B
          1
          1

          DNS Request

          ligeon.ddns.net

        • 8.8.8.8:53
          14.227.111.52.in-addr.arpa
          dns
          144 B
          316 B
          2
          2

          DNS Request

          14.227.111.52.in-addr.arpa

          DNS Request

          14.227.111.52.in-addr.arpa

        • 8.8.8.8:53
          ligeon.ddns.net
          dns
          RegSvcs.exe
          122 B
          242 B
          2
          2

          DNS Request

          ligeon.ddns.net

          DNS Request

          ligeon.ddns.net

        • 8.8.8.8:53 | tse1.mm.bing.net | dns | - | 124 B sent / 346 B received | 2 requests / 2 responses
          DNS Request: tse1.mm.bing.net
          DNS Request: tse1.mm.bing.net
          DNS Response: 204.79.197.200, 13.107.21.200
          DNS Response: 204.79.197.200, 13.107.21.200

        • 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | dns | - | 146 B sent / 212 B received | 2 requests / 2 responses
          DNS Request: 200.197.79.204.in-addr.arpa
          DNS Request: 200.197.79.204.in-addr.arpa

        • 8.8.8.8:53 | ligeon.ddns.net | dns | RegSvcs.exe | 122 B sent / 242 B received | 2 requests / 2 responses
          DNS Request: ligeon.ddns.net
          DNS Request: ligeon.ddns.net

        • 8.8.8.8:53 | ligeon.ddns.net | dns | RegSvcs.exe | 122 B sent / 242 B received | 2 requests / 2 responses
          DNS Request: ligeon.ddns.net
          DNS Request: ligeon.ddns.net

        • 8.8.8.8:53 | ligeon.ddns.net | dns | RegSvcs.exe | 122 B sent / 242 B received | 2 requests / 2 responses
          DNS Request: ligeon.ddns.net
          DNS Request: ligeon.ddns.net

        • 8.8.8.8:53 | ligeon.ddns.net | dns | RegSvcs.exe | 122 B sent / 242 B received | 2 requests / 2 responses
          DNS Request: ligeon.ddns.net
          DNS Request: ligeon.ddns.net

        • 8.8.8.8:53 | ligeon.ddns.net | dns | RegSvcs.exe | 122 B sent / 242 B received | 2 requests / 2 responses
          DNS Request: ligeon.ddns.net
          DNS Request: ligeon.ddns.net

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

          Filesize

          1KB

          MD5

          0672db2ef13237d5cb85075ff4915942

          SHA1

          ad8b4d3eb5e40791c47d48b22e273486f25f663f

          SHA256

          0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519

          SHA512

          84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

        • C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

          Filesize

          2.6MB

          MD5

          120c39a053f68266c4942ea0ae8c4386

          SHA1

          bd7dae156d8d163a20af665935fcf572a1efd532

          SHA256

          35e2ba0508b0218cf49a33cbd9d7272078a8732333bf550dfa135b8ace50f0c1

          SHA512

          ac3d9a0aed1c39d8061ab410d13115cec3984d7f44c53bd892670430c64a83b5624a521dd0553460bfe4cdd743e7ab6236a6df66e6caa2729b092b197a4e337c

        • memory/244-47-0x0000000000C70000-0x0000000000F1A000-memory.dmp

          Filesize

          2.7MB

        • memory/1872-34-0x00000000736D0000-0x0000000073E80000-memory.dmp

          Filesize

          7.7MB

        • memory/1872-32-0x0000000005100000-0x0000000005110000-memory.dmp

          Filesize

          64KB

        • memory/1872-31-0x00000000736D0000-0x0000000073E80000-memory.dmp

          Filesize

          7.7MB

        • memory/1872-25-0x0000000000400000-0x00000000004EA000-memory.dmp

          Filesize

          936KB

        • memory/1988-36-0x0000000000C70000-0x0000000000F1A000-memory.dmp

          Filesize

          2.7MB

        • memory/2016-22-0x0000000000C70000-0x0000000000F1A000-memory.dmp

          Filesize

          2.7MB

        • memory/3676-12-0x0000000005030000-0x00000000050C2000-memory.dmp

          Filesize

          584KB

        • memory/3676-10-0x0000000004EB0000-0x0000000004F0C000-memory.dmp

          Filesize

          368KB

        • memory/3676-17-0x0000000005510000-0x0000000005528000-memory.dmp

          Filesize

          96KB

        • memory/3676-18-0x0000000005E60000-0x0000000006022000-memory.dmp

          Filesize

          1.8MB

        • memory/3676-19-0x00000000055B0000-0x00000000055C0000-memory.dmp

          Filesize

          64KB

        • memory/3676-20-0x0000000006170000-0x000000000617A000-memory.dmp

          Filesize

          40KB

        • memory/3676-15-0x00000000054E0000-0x00000000054F2000-memory.dmp

          Filesize

          72KB

        • memory/3676-2-0x00000000007A0000-0x000000000088A000-memory.dmp

          Filesize

          936KB

        • memory/3676-24-0x00000000736D0000-0x0000000073E80000-memory.dmp

          Filesize

          7.7MB

        • memory/3676-11-0x00000000055E0000-0x0000000005B84000-memory.dmp

          Filesize

          5.6MB

        • memory/3676-30-0x0000000002A30000-0x0000000002A40000-memory.dmp

          Filesize

          64KB

        • memory/3676-16-0x00000000054F0000-0x00000000054F8000-memory.dmp

          Filesize

          32KB

        • memory/3676-9-0x0000000000F00000-0x0000000000F0E000-memory.dmp

          Filesize

          56KB

        • memory/3676-8-0x0000000002A30000-0x0000000002A40000-memory.dmp

          Filesize

          64KB

        • memory/3676-7-0x00000000736D0000-0x0000000073E80000-memory.dmp

          Filesize

          7.7MB

        • memory/4116-37-0x0000000000500000-0x00000000005EA000-memory.dmp

          Filesize

          936KB

        • memory/4116-44-0x0000000004A50000-0x0000000004A60000-memory.dmp

          Filesize

          64KB

        • memory/4116-43-0x00000000736D0000-0x0000000073E80000-memory.dmp

          Filesize

          7.7MB

        • memory/4116-45-0x00000000736D0000-0x0000000073E80000-memory.dmp

          Filesize

          7.7MB

        • memory/4896-0-0x0000000000CD0000-0x0000000000F7A000-memory.dmp

          Filesize

          2.7MB

        • memory/4896-1-0x0000000001830000-0x0000000001831000-memory.dmp

          Filesize

          4KB

        • memory/5028-54-0x0000000005A90000-0x0000000005AA0000-memory.dmp

          Filesize

          64KB

        • memory/5028-53-0x00000000736D0000-0x0000000073E80000-memory.dmp

          Filesize

          7.7MB

        • memory/5028-55-0x00000000736D0000-0x0000000073E80000-memory.dmp

          Filesize

          7.7MB
