Analysis

  • max time kernel
    150s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/05/2024, 14:18 UTC

General

  • Target

    323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe

  • Size

    491KB

  • MD5

    90e617b3cb538bdbebb67d1acb928fd2

  • SHA1

    1d21aa75aef945020c81a487e85f11b42a5780e1

  • SHA256

    323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1

  • SHA512

    b5c2b80566046eabfee7e64f4773db78674a3abae013ecbfaff9ccbeb418a4f65e06553cd541ce6585cdc5ee956f41775d171161c5a9a0833f7d3d486bfa32bd

  • SSDEEP

    12288:IKI1quIf1gL5pRTcAkS/3hzN8qE43fm78V:DI1q45jcAkSYqyE

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3508
      • C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
        "C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1112
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3492
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4668
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a41CC.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:436
            • C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
              "C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe"
              4⤵
              • Executes dropped EXE
              PID:3540
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1104
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1392
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3964
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1072
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2188
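
Detection logic for the tree above, added here as an example; it is not tria.ge code and not part of the report. The events are reconstructed from the PIDs, images and command lines shown in the tree, the field names loosely mimic Sysmon Event ID 1, and both the antivirus keyword list and the allowlist of binaries that legitimately live directly in C:\Windows are assumptions of this example. The rules cover the four behaviours the tree exhibits: net/net1 stopping an antivirus service, cmd.exe running a batch file out of the user's Temp folder, the sample being relaunched by that batch file, and a dropped executable running from the Windows root.

```python
"""Detection rules for the process tree in this report, run over constructed
process-creation events. Field names loosely follow Sysmon Event ID 1 (an
assumption); PIDs, images and command lines are copied from the tree above."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe")
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
STOP_AV = 'stop "Kingsoft AntiVirus Service"'

# Constructed from the report's tree; explorer.exe is treated as the root (no parent).
EVENTS = [
    Event(3508, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Event(1112, 3508, SAMPLE, f'"{SAMPLE}"'),
    Event(3492, 1112, NET, "net " + STOP_AV),
    Event(4668, 3492, NET1, r"C:\Windows\system32\net1 " + STOP_AV),
    Event(436, 1112, r"C:\Windows\SysWOW64\cmd.exe",
          r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a41CC.bat"),
    Event(3540, 436, SAMPLE, f'"{SAMPLE}"'),
    Event(1104, 1112, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    Event(1392, 1104, NET, "net " + STOP_AV),
    Event(3964, 1392, NET1, r"C:\Windows\system32\net1 " + STOP_AV),
    Event(1072, 1104, NET, "net " + STOP_AV),
    Event(2188, 1072, NET1, r"C:\Windows\system32\net1 " + STOP_AV),
]

STOP_RE = re.compile(r'\bstop\s+"?(.+?)"?\s*$', re.IGNORECASE)
TEMP_BAT_RE = re.compile(
    r'[A-Za-z]:\\Users\\[^\\\s"]+\\AppData\\Local\\Temp\\[^\s"]+\.bat', re.IGNORECASE)
AV_KEYWORDS = ("antivirus", "anti-virus", "kingsoft")  # assumption: extend per estate
# Assumption: binaries that legitimately live directly in C:\Windows (not subfolders).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                      "write.exe", "splwow64.exe", "bfsvc.exe", "winhlp32.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def ancestry(events, pid):
    """Image basenames from pid up to the root; guards against cyclic ppid data."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        # net.exe forwards to net1.exe, so each stop attempt yields two findings.
        if name in ("net.exe", "net1.exe"):
            m = STOP_RE.search(e.cmdline)
            if m and any(k in m.group(1).lower() for k in AV_KEYWORDS):
                findings.append(("av_service_stop", e.pid, m.group(1)))
        if name == "cmd.exe" and "/c" in e.cmdline.lower():
            m = TEMP_BAT_RE.search(e.cmdline)
            if m:
                findings.append(("temp_batch_exec", e.pid, m.group(0)))
        if dirname(e.image) == r"c:\windows" and name not in WINDOWS_ROOT_ALLOW:
            findings.append(("exec_from_windows_root", e.pid, e.image))
        if (parent is not None and basename(parent.image) == "cmd.exe"
                and TEMP_BAT_RE.search(parent.cmdline)
                and "\\appdata\\local\\temp\\" in e.image.lower()):
            findings.append(("relaunch_from_temp_batch", e.pid, e.image))
    return findings


def report(events):
    """Rule -> list of (pid, detail, parent chain) for human review."""
    out = {}
    for rule, pid, detail in detect(events):
        out.setdefault(rule, []).append((pid, detail, " <- ".join(ancestry(events, pid))))
    return out


if __name__ == "__main__":
    for rule, rows in report(EVENTS).items():
        for pid, detail, chain in rows:
            print(f"{rule:26} pid={pid:<5} {detail}  [{chain}]")
```

Run stand-alone it prints nine findings. The ancestry helper is what makes a net1.exe alert actionable: on a real host the interesting fact is that net1.exe descends from an executable in the user's Temp folder, not that net1.exe ran. Both net.exe and its net1.exe child are flagged, so expect two findings per stop attempt.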

          Network

          • (US)
            DNS
            8.8.8.8.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            8.8.8.8.in-addr.arpa
            IN PTR
            Response
            8.8.8.8.in-addr.arpa
            IN PTR
            dns.google
          • (US)
            DNS
            g.bing.com
            Remote address:
            8.8.8.8:53
            Request
            g.bing.com
            IN A
            Response
            g.bing.com
            IN CNAME
            g-bing-com.dual-a-0034.a-msedge.net
            g-bing-com.dual-a-0034.a-msedge.net
            IN CNAME
            dual-a-0034.a-msedge.net
            dual-a-0034.a-msedge.net
            IN A
            204.79.197.237
            dual-a-0034.a-msedge.net
            IN A
            13.107.21.237
          • (US)
            GET
            https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3502026a11d942cba56d80086f181968&localId=w:514E7E71-4CE0-645C-5005-1E4EAC1BBA78&deviceId=6896200266421081&anid=
            Remote address:
            204.79.197.237:443
            Request
            GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3502026a11d942cba56d80086f181968&localId=w:514E7E71-4CE0-645C-5005-1E4EAC1BBA78&deviceId=6896200266421081&anid= HTTP/2.0
            host: g.bing.com
            accept-encoding: gzip, deflate
            user-agent: WindowsShellClient/9.0.40929.0 (Windows)
            Response
            HTTP/2.0 204
            cache-control: no-cache, must-revalidate
            pragma: no-cache
            expires: Fri, 01 Jan 1990 00:00:00 GMT
            set-cookie: MUID=0848843B9B5C64F43723904D9A7B654F; domain=.bing.com; expires=Fri, 30-May-2025 14:18:13 GMT; path=/; SameSite=None; Secure; Priority=High;
            strict-transport-security: max-age=31536000; includeSubDomains; preload
            access-control-allow-origin: *
            x-cache: CONFIG_NOCACHE
            accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            x-msedge-ref: Ref A: 2576186D1B634B81AE736A47488F6187 Ref B: LON04EDGE0614 Ref C: 2024-05-05T14:18:13Z
            date: Sun, 05 May 2024 14:18:13 GMT
          • (US)
            GET
            https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3502026a11d942cba56d80086f181968&localId=w:514E7E71-4CE0-645C-5005-1E4EAC1BBA78&deviceId=6896200266421081&anid=
            Remote address:
            204.79.197.237:443
            Request
            GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3502026a11d942cba56d80086f181968&localId=w:514E7E71-4CE0-645C-5005-1E4EAC1BBA78&deviceId=6896200266421081&anid= HTTP/2.0
            host: g.bing.com
            accept-encoding: gzip, deflate
            user-agent: WindowsShellClient/9.0.40929.0 (Windows)
            cookie: MUID=0848843B9B5C64F43723904D9A7B654F
            Response
            HTTP/2.0 204
            cache-control: no-cache, must-revalidate
            pragma: no-cache
            expires: Fri, 01 Jan 1990 00:00:00 GMT
            set-cookie: MSPTC=y8Mszl5tv2yYuOv3AkZMaUjZOLGaSS8T2XNaVm99ywo; domain=.bing.com; expires=Fri, 30-May-2025 14:18:13 GMT; path=/; Partitioned; secure; SameSite=None
            strict-transport-security: max-age=31536000; includeSubDomains; preload
            access-control-allow-origin: *
            x-cache: CONFIG_NOCACHE
            accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            x-msedge-ref: Ref A: 85228A9BD4D049EBAC8FB75C8972E654 Ref B: LON04EDGE0614 Ref C: 2024-05-05T14:18:13Z
            date: Sun, 05 May 2024 14:18:13 GMT
          • (US)
            GET
            https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3502026a11d942cba56d80086f181968&localId=w:514E7E71-4CE0-645C-5005-1E4EAC1BBA78&deviceId=6896200266421081&anid=
            Remote address:
            204.79.197.237:443
            Request
            GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3502026a11d942cba56d80086f181968&localId=w:514E7E71-4CE0-645C-5005-1E4EAC1BBA78&deviceId=6896200266421081&anid= HTTP/2.0
            host: g.bing.com
            accept-encoding: gzip, deflate
            user-agent: WindowsShellClient/9.0.40929.0 (Windows)
            cookie: MUID=0848843B9B5C64F43723904D9A7B654F; MSPTC=y8Mszl5tv2yYuOv3AkZMaUjZOLGaSS8T2XNaVm99ywo
            Response
            HTTP/2.0 204
            cache-control: no-cache, must-revalidate
            pragma: no-cache
            expires: Fri, 01 Jan 1990 00:00:00 GMT
            strict-transport-security: max-age=31536000; includeSubDomains; preload
            access-control-allow-origin: *
            x-cache: CONFIG_NOCACHE
            accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            x-msedge-ref: Ref A: 2E17B79C4E554C2082DF054C5A80850E Ref B: LON04EDGE0614 Ref C: 2024-05-05T14:18:13Z
            date: Sun, 05 May 2024 14:18:13 GMT
          • (US)
            DNS
            97.17.167.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            97.17.167.52.in-addr.arpa
            IN PTR
            Response
          • (US)
            DNS
            79.190.18.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            79.190.18.2.in-addr.arpa
            IN PTR
            Response
            79.190.18.2.in-addr.arpa
            IN PTR
            a2-18-190-79.deploy.static.akamaitechnologies.com
          • (US)
            DNS
            64.159.190.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            64.159.190.20.in-addr.arpa
            IN PTR
            Response
          • (US)
            DNS
            237.197.79.204.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            237.197.79.204.in-addr.arpa
            IN PTR
            Response
          • (NL)
            GET
            https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
            Remote address:
            23.62.61.155:443
            Request
            GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
            host: www.bing.com
            accept: */*
            cookie: MUID=0848843B9B5C64F43723904D9A7B654F; MSPTC=y8Mszl5tv2yYuOv3AkZMaUjZOLGaSS8T2XNaVm99ywo
            accept-encoding: gzip, deflate, br
            user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
            Response
            HTTP/2.0 200
            cache-control: public, max-age=2592000
            content-type: image/png
            access-control-allow-origin: *
            access-control-allow-headers: *
            access-control-allow-methods: GET, POST, OPTIONS
            timing-allow-origin: *
            report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
            nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
            content-length: 1107
            date: Sun, 05 May 2024 14:18:14 GMT
            alt-svc: h3=":443"; ma=93600
            x-cdn-traceid: 0.973d3e17.1714918694.242d6db0
          • (US)
            DNS
            155.61.62.23.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            155.61.62.23.in-addr.arpa
            IN PTR
            Response
            155.61.62.23.in-addr.arpa
            IN PTR
            a23-62-61-155.deploy.static.akamaitechnologies.com
          • (US)
            DNS
            55.36.223.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            55.36.223.20.in-addr.arpa
            IN PTR
            Response
          • (US)
            DNS
            228.249.119.40.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            228.249.119.40.in-addr.arpa
            IN PTR
            Response
          • (US)
            DNS
            157.123.68.40.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            157.123.68.40.in-addr.arpa
            IN PTR
            Response
          • (US)
            DNS
            15.164.165.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            15.164.165.52.in-addr.arpa
            IN PTR
            Response
          • (US)
            DNS
            172.210.232.199.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            172.210.232.199.in-addr.arpa
            IN PTR
            Response
          • (US)
            DNS
            205.64.18.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            205.64.18.2.in-addr.arpa
            IN PTR
            Response
            205.64.18.2.in-addr.arpa
            IN PTR
            a2-18-64-205.deploy.static.akamaitechnologies.com
          • (US)
            DNS
            26.35.223.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            26.35.223.20.in-addr.arpa
            IN PTR
            Response
          • (US)
            DNS
            77.190.18.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            77.190.18.2.in-addr.arpa
            IN PTR
            Response
            77.190.18.2.in-addr.arpa
            IN PTR
            a2-18-190-77.deploy.static.akamaitechnologies.com
          • (US)
            DNS
            tse1.mm.bing.net
            Remote address:
            8.8.8.8:53
            Request
            tse1.mm.bing.net
            IN A
            Response
            tse1.mm.bing.net
            IN CNAME
            mm-mm.bing.net.trafficmanager.net
            mm-mm.bing.net.trafficmanager.net
            IN CNAME
            dual-a-0001.a-msedge.net
            dual-a-0001.a-msedge.net
            IN A
            204.79.197.200
            dual-a-0001.a-msedge.net
            IN A
            13.107.21.200
          • (US)
            GET
            https://tse1.mm.bing.net/th?id=OADD2.10239370639329_16GDTY03HO5SY2UBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
            Remote address:
            204.79.197.200:443
            Request
            GET /th?id=OADD2.10239370639329_16GDTY03HO5SY2UBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
            host: tse1.mm.bing.net
            accept: */*
            accept-encoding: gzip, deflate, br
            user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
            Response
            HTTP/2.0 200
            cache-control: public, max-age=2592000
            content-length: 627437
            content-type: image/jpeg
            x-cache: TCP_HIT
            access-control-allow-origin: *
            access-control-allow-headers: *
            access-control-allow-methods: GET, POST, OPTIONS
            timing-allow-origin: *
            report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
            nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
            accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            x-msedge-ref: Ref A: 75524C97B14747B4B3CF27A29BABE82A Ref B: LON04EDGE0621 Ref C: 2024-05-05T14:19:52Z
            date: Sun, 05 May 2024 14:19:51 GMT
          • (US)
            GET
            https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
            Remote address:
            204.79.197.200:443
            Request
            GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
            host: tse1.mm.bing.net
            accept: */*
            accept-encoding: gzip, deflate, br
            user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
            Response
            HTTP/2.0 200
            cache-control: public, max-age=2592000
            content-length: 770657
            content-type: image/jpeg
            x-cache: TCP_HIT
            access-control-allow-origin: *
            access-control-allow-headers: *
            access-control-allow-methods: GET, POST, OPTIONS
            timing-allow-origin: *
            report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
            nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
            accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            x-msedge-ref: Ref A: FC2538DFA24D4F0D9740ABB17A098185 Ref B: LON04EDGE0621 Ref C: 2024-05-05T14:19:52Z
            date: Sun, 05 May 2024 14:19:51 GMT
          • (US)
            GET
            https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
            Remote address:
            204.79.197.200:443
            Request
            GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
            host: tse1.mm.bing.net
            accept: */*
            accept-encoding: gzip, deflate, br
            user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
            Response
            HTTP/2.0 200
            cache-control: public, max-age=2592000
            content-length: 792794
            content-type: image/jpeg
            x-cache: TCP_HIT
            access-control-allow-origin: *
            access-control-allow-headers: *
            access-control-allow-methods: GET, POST, OPTIONS
            timing-allow-origin: *
            report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
            nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
            accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            x-msedge-ref: Ref A: D3F66EA500F1464F872B41DF5848ABEF Ref B: LON04EDGE0621 Ref C: 2024-05-05T14:19:52Z
            date: Sun, 05 May 2024 14:19:51 GMT
          • (US)
            GET
            https://tse1.mm.bing.net/th?id=OADD2.10239370639330_1D80T5H13WVAODNQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
            Remote address:
            204.79.197.200:443
            Request
            GET /th?id=OADD2.10239370639330_1D80T5H13WVAODNQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
            host: tse1.mm.bing.net
            accept: */*
            accept-encoding: gzip, deflate, br
            user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
            Response
            HTTP/2.0 200
            cache-control: public, max-age=2592000
            content-length: 835660
            content-type: image/jpeg
            x-cache: TCP_HIT
            access-control-allow-origin: *
            access-control-allow-headers: *
            access-control-allow-methods: GET, POST, OPTIONS
            timing-allow-origin: *
            report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
            nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
            accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            x-msedge-ref: Ref A: E0F54751808E47BC9C39733E557BDCC8 Ref B: LON04EDGE0621 Ref C: 2024-05-05T14:19:52Z
            date: Sun, 05 May 2024 14:19:51 GMT
          • 204.79.197.237:443
            https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3502026a11d942cba56d80086f181968&localId=w:514E7E71-4CE0-645C-5005-1E4EAC1BBA78&deviceId=6896200266421081&anid=
            tls, http2 | sent 2.0kB in 21 packets | received 9.2kB in 18 packets

            HTTP Request

            GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3502026a11d942cba56d80086f181968&localId=w:514E7E71-4CE0-645C-5005-1E4EAC1BBA78&deviceId=6896200266421081&anid=

            HTTP Response

            204

            HTTP Request

            GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3502026a11d942cba56d80086f181968&localId=w:514E7E71-4CE0-645C-5005-1E4EAC1BBA78&deviceId=6896200266421081&anid=

            HTTP Response

            204

            HTTP Request

            GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3502026a11d942cba56d80086f181968&localId=w:514E7E71-4CE0-645C-5005-1E4EAC1BBA78&deviceId=6896200266421081&anid=

            HTTP Response

            204
          • 23.62.61.155:443
            https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
            tls, http2 | sent 1.5kB in 17 packets | received 6.4kB in 12 packets

            HTTP Request

            GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

            HTTP Response

            200
          • 204.79.197.200:443
            tse1.mm.bing.net
            tls, http2 | sent 1.2kB in 16 packets | received 8.1kB in 14 packets
          • 204.79.197.200:443
            tse1.mm.bing.net
            tls, http2 | sent 1.2kB in 16 packets | received 8.1kB in 14 packets
          • 204.79.197.200:443
            tse1.mm.bing.net
            tls, http2 | sent 1.2kB in 16 packets | received 8.1kB in 14 packets
          • 204.79.197.200:443
            https://tse1.mm.bing.net/th?id=OADD2.10239370639330_1D80T5H13WVAODNQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
            tls, http2 | sent 117.3kB in 2325 packets | received 3.2MB in 2317 packets

            HTTP Request

            GET https://tse1.mm.bing.net/th?id=OADD2.10239370639329_16GDTY03HO5SY2UBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

            HTTP Request

            GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

            HTTP Request

            GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

            HTTP Request

            GET https://tse1.mm.bing.net/th?id=OADD2.10239370639330_1D80T5H13WVAODNQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

            HTTP Response

            200

            HTTP Response

            200

            HTTP Response

            200

            HTTP Response

            200
          • 8.8.8.8:53
            8.8.8.8.in-addr.arpa
            dns | sent 66 B in 1 packet | received 90 B in 1 packet

            DNS Request

            8.8.8.8.in-addr.arpa

          • 8.8.8.8:53
            g.bing.com
            dns | sent 56 B in 1 packet | received 151 B in 1 packet

            DNS Request

            g.bing.com

            DNS Response

            204.79.197.237
            13.107.21.237

          • 8.8.8.8:53
            97.17.167.52.in-addr.arpa
            dns | sent 71 B in 1 packet | received 145 B in 1 packet

            DNS Request

            97.17.167.52.in-addr.arpa

          • 8.8.8.8:53
            79.190.18.2.in-addr.arpa
            dns | sent 70 B in 1 packet | received 133 B in 1 packet

            DNS Request

            79.190.18.2.in-addr.arpa

          • 8.8.8.8:53
            64.159.190.20.in-addr.arpa
            dns | sent 72 B in 1 packet | received 158 B in 1 packet

            DNS Request

            64.159.190.20.in-addr.arpa

          • 8.8.8.8:53
            237.197.79.204.in-addr.arpa
            dns | sent 73 B in 1 packet | received 143 B in 1 packet

            DNS Request

            237.197.79.204.in-addr.arpa

          • 8.8.8.8:53
            155.61.62.23.in-addr.arpa
            dns | sent 71 B in 1 packet | received 135 B in 1 packet

            DNS Request

            155.61.62.23.in-addr.arpa

          • 8.8.8.8:53
            55.36.223.20.in-addr.arpa
            dns | sent 71 B in 1 packet | received 157 B in 1 packet

            DNS Request

            55.36.223.20.in-addr.arpa

          • 8.8.8.8:53
            228.249.119.40.in-addr.arpa
            dns | sent 73 B in 1 packet | received 159 B in 1 packet

            DNS Request

            228.249.119.40.in-addr.arpa

          • 8.8.8.8:53
            157.123.68.40.in-addr.arpa
            dns | sent 72 B in 1 packet | received 146 B in 1 packet

            DNS Request

            157.123.68.40.in-addr.arpa

          • 8.8.8.8:53
            15.164.165.52.in-addr.arpa
            dns | sent 72 B in 1 packet | received 146 B in 1 packet

            DNS Request

            15.164.165.52.in-addr.arpa

          • 8.8.8.8:53
            172.210.232.199.in-addr.arpa
            dns | sent 74 B in 1 packet | received 128 B in 1 packet

            DNS Request

            172.210.232.199.in-addr.arpa

          • 8.8.8.8:53
            205.64.18.2.in-addr.arpa
            dns | sent 70 B in 1 packet | received 133 B in 1 packet

            DNS Request

            205.64.18.2.in-addr.arpa

          • 8.8.8.8:53
            26.35.223.20.in-addr.arpa
            dns | sent 71 B in 1 packet | received 157 B in 1 packet

            DNS Request

            26.35.223.20.in-addr.arpa

          • 8.8.8.8:53
            77.190.18.2.in-addr.arpa
            dns | sent 70 B in 1 packet | received 133 B in 1 packet

            DNS Request

            77.190.18.2.in-addr.arpa

          • 8.8.8.8:53
            tse1.mm.bing.net
            dns | sent 62 B in 1 packet | received 173 B in 1 packet

            DNS Request

            tse1.mm.bing.net

            DNS Response

            204.79.197.200
            13.107.21.200
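
A triage filter for the network section above, added as an example (not tria.ge tooling): the records are constructed from the DNS and HTTP rows listed in this report, and the allowlist of Microsoft content-delivery suffixes plus the user-agent pattern are assumptions of this example. Every host here is under bing.com, bing.net, a-msedge.net or trafficmanager.net and is reached with Windows' own WindowsShellClient or Edge/18.19041 user agents, which is consistent with shell background traffic on a default Windows 10 image; the remaining rows are reverse lookups of the contacted addresses. The filter therefore leaves an empty review bucket for this run. That is not proof of no command-and-control: the network window was 102 s, so anything gated on a sleep or on a later stage would never show up here.

```python
"""Triage filter for the network section above. The records are constructed from
the DNS queries and HTTP requests listed in this report; the suffix allowlist and
the user-agent pattern are assumptions for this example, not part of the report."""
import re

SHELL_UA = "WindowsShellClient/9.0.40929.0 (Windows)"
EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041")

# (kind, name, user_agent) in report order; DNS rows carry no user agent.
RECORDS = [
    ("dns", "8.8.8.8.in-addr.arpa", None),
    ("dns", "g.bing.com", None),
    ("http", "g.bing.com", SHELL_UA),
    ("http", "g.bing.com", SHELL_UA),
    ("http", "g.bing.com", SHELL_UA),
    ("dns", "97.17.167.52.in-addr.arpa", None),
    ("dns", "79.190.18.2.in-addr.arpa", None),
    ("dns", "64.159.190.20.in-addr.arpa", None),
    ("dns", "237.197.79.204.in-addr.arpa", None),
    ("http", "www.bing.com", EDGE_UA),
    ("dns", "155.61.62.23.in-addr.arpa", None),
    ("dns", "55.36.223.20.in-addr.arpa", None),
    ("dns", "228.249.119.40.in-addr.arpa", None),
    ("dns", "157.123.68.40.in-addr.arpa", None),
    ("dns", "15.164.165.52.in-addr.arpa", None),
    ("dns", "172.210.232.199.in-addr.arpa", None),
    ("dns", "205.64.18.2.in-addr.arpa", None),
    ("dns", "26.35.223.20.in-addr.arpa", None),
    ("dns", "77.190.18.2.in-addr.arpa", None),
    ("dns", "tse1.mm.bing.net", None),
    ("http", "tse1.mm.bing.net", EDGE_UA),
    ("http", "tse1.mm.bing.net", EDGE_UA),
    ("http", "tse1.mm.bing.net", EDGE_UA),
    ("http", "tse1.mm.bing.net", EDGE_UA),
]

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)
# Assumption: hosts under these suffixes, reached with the shell's own user agents,
# are Windows content-delivery background traffic rather than sample activity.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".a-msedge.net", ".trafficmanager.net")
BACKGROUND_UA_RE = re.compile(r"^WindowsShellClient/|Edge/18\.19041$")


def classify(record):
    """Bucket one record; a known host with an unexpected user agent still goes to review."""
    kind, name, ua = record
    host = name.lower().rstrip(".")
    m = PTR_RE.match(host)
    if m:
        return "reverse_lookup", ".".join(reversed(m.groups()))
    if host.endswith(BACKGROUND_SUFFIXES):
        if kind == "dns" or (ua and BACKGROUND_UA_RE.search(ua)):
            return "windows_background", host
    return "review", name


def triage(records):
    """Everything under 'review' is what an analyst must actually look at."""
    out = {"reverse_lookup": [], "windows_background": [], "review": []}
    for r in records:
        bucket, value = classify(r)
        out[bucket].append(value)
    return out


if __name__ == "__main__":
    for bucket, values in triage(RECORDS).items():
        print(f"{bucket:19} {len(values):3}  {sorted(set(values))}")
```

The user-agent check matters more than the suffix list: a sample that talks to a Bing host with its own HTTP client would still land in the review bucket, which is the behaviour you want from a noise filter.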

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Program Files\SaveHide.exe

            Filesize

            640KB

            MD5

            2b4f73c1c4e288b5c4c3f9a4e7e36992

            SHA1

            6149ba64f90048f9e39b9235844a8f0e9f7b67bc

            SHA256

            2c0adf06cca43f785ed84c82573919e51c612f1ec6df57d4f5945a56e6f909b4

            SHA512

            ba257de06ee25e012079602b978e40ef689f26ce664b5b60206fe5e9a3e5ee300853f96cc0bd084e331591509dfaa93fbdc0e3f2beffa1c086a0f54d496f44c2

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

            Filesize

            643KB

            MD5

            409182603becc55c541434f07d1d7cf1

            SHA1

            ccc8cd6353f58ef04cd0f31513643872aa55f7b8

            SHA256

            1a54b69a041e9608d050ed76a68f4a30a007850d9879d31eb78c3046d3a5735d

            SHA512

            89802ff33990769e172559e297dff5a7ee0675f14c3424bf947353044a6c2187fd138dbe993112415815e237e7788de463f8a5819fcfd23232bc301514a0e72f

          • C:\Users\Admin\AppData\Local\Temp\$$a41CC.bat

            Filesize

            722B

            MD5

            1fc1a435b3499d7e6d775f8427d818de

            SHA1

            3d7f0c23dfb655d5daf9970b5a5e8dc79c8dfc91

            SHA256

            18912b90c242dc05d919dfbfa6c7ec03b7a4b6b92e37ec0c384e6645bd1c36c6

            SHA512

            40595d817e8a9951b5943842559b636d39923fe4ac4fbe712f03cd1e49a36cf4ff86a784e4b76c7f4345dd90d90543e414c3c1f0c480dc82b970358053bd1419

          • C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe.exe

            Filesize

            458KB

            MD5

            619f7135621b50fd1900ff24aade1524

            SHA1

            6c7ea8bbd435163ae3945cbef30ef6b9872a4591

            SHA256

            344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

            SHA512

            2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            dbaeead00c5f2c719ea726ce5d681465

            SHA1

            d9bb3c9a2747bb4625f265d46f48722ef88271c7

            SHA256

            ccb9ee55ad02f5fda55d5b0e8c06e4071fe895b47d622ebc24a79d7c87d3e1a8

            SHA512

            1526d4e26278f1225a07fdf935de1d7364638af5b77473d2ec97316edf53cc89c4482c496d4b9c7009ee9d969429e9251057a1664ceb0ebda1aef16c703ffa95

          • F:\$RECYCLE.BIN\S-1-5-21-877519540-908060166-1852957295-1000\_desktop.ini

            Filesize

            8B

            MD5

            1b16d2dbd4281ce4e4e5729c608dcb0b

            SHA1

            851e624080ba5598edb808d4b30fe2d74999ce18

            SHA256

            c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549

            SHA512

            cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

          • memory/1104-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1104-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1104-5181-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1104-8733-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1112-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1112-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB
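
A hash sweep for the artifacts in this list, added as an example and not a tria.ge feature: the SHA-256 values and the paths are copied from the Downloads entries above, the 4 MiB size cutoff is an assumption, and demo() plants a constructed stand-in file so the code can be exercised without the sample. On a live host pass every drive root to sweep(), since this run wrote under F:\ as well as C:\. Read the result asymmetrically: a hit on the Logo1_.exe or batch-file hash is decisive, while a miss is weak evidence, because the report shows the sample writing into Program Files and a Package Cache entry, and executables altered on a different host will not share these hashes.

```python
"""Hash sweep for the files this run wrote to disk. The SHA-256 values and the
paths are copied from the Downloads list above; everything demo() writes is
constructed stand-in data so the sweep runs without the sample."""
import hashlib
import os
import pathlib
import tempfile

# SHA-256 -> where the sandbox saw the file (from the report).
IOC_SHA256 = {
    "ccb9ee55ad02f5fda55d5b0e8c06e4071fe895b47d622ebc24a79d7c87d3e1a8":
        r"C:\Windows\Logo1_.exe",
    "2c0adf06cca43f785ed84c82573919e51c612f1ec6df57d4f5945a56e6f909b4":
        r"C:\Program Files\SaveHide.exe",
    "1a54b69a041e9608d050ed76a68f4a30a007850d9879d31eb78c3046d3a5735d":
        r"C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}"
        r"\windowsdesktop-runtime-8.0.2-win-x64.exe",
    "18912b90c242dc05d919dfbfa6c7ec03b7a4b6b92e37ec0c384e6645bd1c36c6":
        r"C:\Users\Admin\AppData\Local\Temp\$$a41CC.bat",
    "344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2":
        r"C:\Users\Admin\AppData\Local\Temp"
        r"\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe.exe",
    "c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549":
        r"F:\$RECYCLE.BIN\S-1-5-21-877519540-908060166-1852957295-1000\_desktop.ini",
}

# Assumption: every listed artifact is well under this, so larger files are skipped.
MAX_BYTES = 4 * 1024 * 1024


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, iocs, max_bytes=MAX_BYTES):
    """Walk each root, hash regular files up to max_bytes, return (path, sha256, seen_at)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    if not os.path.isfile(p) or os.path.getsize(p) > max_bytes:
                        continue
                    digest = sha256_file(p)
                except OSError:
                    continue  # unreadable, locked, or removed mid-walk
                if digest in iocs:
                    hits.append((p, digest, iocs[digest]))
    return hits


def demo():
    """Constructed: plant a stand-in Logo1_.exe, add its hash to the IoC set, run the sweep."""
    with tempfile.TemporaryDirectory() as tmp:
        windows = pathlib.Path(tmp, "Windows")
        windows.mkdir()
        planted = windows / "Logo1_.exe"
        planted.write_bytes(b"constructed stand-in; not the real dropper\n")
        (windows / "notepad.exe").write_bytes(b"benign constructed content\n")
        iocs = dict(IOC_SHA256)
        iocs[sha256_file(planted)] = "constructed Logo1_.exe stand-in"
        return [(os.path.basename(p), label) for p, _d, label in sweep([tmp], iocs)]


if __name__ == "__main__":
    print(demo())
    # Live use: sweep([r"C:\Windows", r"C:\Program Files", r"C:\ProgramData", r"F:\"], IOC_SHA256)
```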
