78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 23:48 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe
Size

12KB
MD5

113d39619618d12156042dbdf1e85198
SHA1

8a52ee431a00fc6a0553335620b91c7722e3110c
SHA256

78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f
SHA512

41c136aeafc19706d7e9a4c72a1d1baec69d080b4f65eee61bd340e8120a253afdcef4248944eca350aef14474a22341226b1d0287b761de979d5c68f56de01e
SSDEEP

384:GL7li/2zKq2DcEQvdhcJKLTp/NK9xao1:gSM/Q9co1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe

Deletes itself 1 IoCs

pid	Process
520	tmp5005.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
520	tmp5005.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1472	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	86
PID 1068 wrote to memory of 1472	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	86
PID 1068 wrote to memory of 1472	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	86
PID 1472 wrote to memory of 2904	1472	vbc.exe	90
PID 1472 wrote to memory of 2904	1472	vbc.exe	90
PID 1472 wrote to memory of 2904	1472	vbc.exe	90
PID 1068 wrote to memory of 520	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	92
PID 1068 wrote to memory of 520	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	92
PID 1068 wrote to memory of 520	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	92

C:\Users\Admin\AppData\Local\Temp\78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe
"C:\Users\Admin\AppData\Local\Temp\78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0upu0jnp\0upu0jnp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5217.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C0C3FAD84904BA4A38817F1B1AD640.TMP"
    3⤵
    PID:2904
- C:\Users\Admin\AppData\Local\Temp\tmp5005.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5005.tmp.exe" C:\Users\Admin\AppData\Local\Temp\78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:520

Network

DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=63dfd28c7ca049ce8ab1594af1fb80d1&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=63dfd28c7ca049ce8ab1594af1fb80d1&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=302BC4DDFCC36E7A344DD05DFD236FF9; domain=.bing.com; expires=Mon, 09-Jun-2025 23:48:42 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 65EFD22C6B81441092CF019B93A17007 Ref B: LON04EDGE1110 Ref C: 2024-05-15T23:48:41Z
date: Wed, 15 May 2024 23:48:42 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=63dfd28c7ca049ce8ab1594af1fb80d1&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=63dfd28c7ca049ce8ab1594af1fb80d1&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=302BC4DDFCC36E7A344DD05DFD236FF9

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=AvW3vlqRubWDJ1BziNiJQrjrWc54vrl5tP8rmCXtzdA; domain=.bing.com; expires=Mon, 09-Jun-2025 23:48:42 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 808B6C5F6932444781E33976184599F8 Ref B: LON04EDGE1110 Ref C: 2024-05-15T23:48:42Z
date: Wed, 15 May 2024 23:48:42 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=63dfd28c7ca049ce8ab1594af1fb80d1&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=63dfd28c7ca049ce8ab1594af1fb80d1&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=302BC4DDFCC36E7A344DD05DFD236FF9; MSPTC=AvW3vlqRubWDJ1BziNiJQrjrWc54vrl5tP8rmCXtzdA

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DC742786E58E48CEABE44BC84326520C Ref B: LON04EDGE1110 Ref C: 2024-05-15T23:48:42Z
date: Wed, 15 May 2024 23:48:42 GMT
DNS

35.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.56.20.217.in-addr.arpa

IN PTR

Response
DNS

35.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.56.20.217.in-addr.arpa

IN PTR
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.194:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=302BC4DDFCC36E7A344DD05DFD236FF9; MSPTC=AvW3vlqRubWDJ1BziNiJQrjrWc54vrl5tP8rmCXtzdA
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Wed, 15 May 2024 23:48:44 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1715816924.a70b16
DNS

194.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.61.62.23.in-addr.arpa

IN PTR

Response

194.61.62.23.in-addr.arpa

IN PTR

a23-62-61-194deploystaticakamaitechnologiescom
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

21.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.121.18.2.in-addr.arpa

IN PTR

Response

21.121.18.2.in-addr.arpa

IN PTR

a2-18-121-21deploystaticakamaitechnologiescom
DNS

99.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.58.20.217.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7200C4396A89426BB6189A5ED37F2D8E Ref B: LON04EDGE0921 Ref C: 2024-05-15T23:50:22Z
date: Wed, 15 May 2024 23:50:22 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 442324
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4B66200F242A44C2A41514E355A32AAA Ref B: LON04EDGE0921 Ref C: 2024-05-15T23:50:22Z
date: Wed, 15 May 2024 23:50:22 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 394521
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 002A03EA84A4471BBC6E29A6E12FBB8B Ref B: LON04EDGE0921 Ref C: 2024-05-15T23:50:22Z
date: Wed, 15 May 2024 23:50:22 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6CE196D1EDCB445185B93D5F31797AF0 Ref B: LON04EDGE0921 Ref C: 2024-05-15T23:50:22Z
date: Wed, 15 May 2024 23:50:22 GMT
DNS

8.167.79.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.167.79.40.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=63dfd28c7ca049ce8ab1594af1fb80d1&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=

tls, http2

2.0kB
9.2kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=63dfd28c7ca049ce8ab1594af1fb80d1&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=63dfd28c7ca049ce8ab1594af1fb80d1&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=63dfd28c7ca049ce8ab1594af1fb80d1&localId=w:F7A0D56A-F9D0-CE0C-24BD-E32EA7746E44&deviceId=6825829383594079&anid=

HTTP Response

204
23.62.61.194:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.5kB
6.3kB
16
11

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

75.8kB
2.2MB
1615
1610

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
8.1kB
17
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
8.1kB
17
14

8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

35.56.20.217.in-addr.arpa

dns

142 B
131 B
2
1

DNS Request

35.56.20.217.in-addr.arpa

DNS Request

35.56.20.217.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

194.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

194.61.62.23.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

21.121.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

21.121.18.2.in-addr.arpa
8.8.8.8:53

99.58.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

99.58.20.217.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

8.167.79.40.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

8.167.79.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0upu0jnp\0upu0jnp.0.vb

Filesize
2KB

MD5
015de1b039da2f6db35ac94d83290bcf

SHA1
478d1eae654ab1c2a84b61fbf5b93419fba6ce21

SHA256
263423d2eb78bb9b41b127006479d3022a6f6f55eafce009e55453ed0339bbe1

SHA512
7f821806b344704dbbc5df5c8a514bf49081a4a8078de67e159e690cb8a050576ddfb389e7f21840aa759bbf6b4a8b82a4f3050ce3040e7355874809cc8a0ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0upu0jnp\0upu0jnp.cmdline

Filesize
273B

MD5
118f6e7fc0367ce8df2daba62871e030

SHA1
0ec363cbf6399559103baae5eb15ad1ab7a1fcf7

SHA256
683dfee3857bee5c86f8c9050b1a204e3a322c9f92a0c53186dc74034ad98115

SHA512
e852a25ed953e86b71c32993a6948bd862c096bdde85826c7ff484b57e9460554d8e07468e64b3c64b978facb5b89d8bdb0cf3b16d126a768933a25014961096

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
82eefbf2f80eb2224c65493e7847dab9

SHA1
ee1f67ccd6e69d424bee459d8aecd7a27c40e954

SHA256
d812b8d44e1ccbb7ca9afe7250547e6c57b26e7da47cf76138bef3446bdda116

SHA512
f5ed9c5b917bfb31396082cfca0ae9f1805e6c27e1afb389f0d1be67cd79e694efcea743aee9a5da81043430f86244777a1700024b87cec9f2d590d64a8063ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5217.tmp

Filesize
1KB

MD5
7ab931176a9bb0889e21e58712c9edf0

SHA1
f20a45c680daf3e26b266e26e81ed2217c4c0dbf

SHA256
302f375cc30d940d8c760b2ca1aa4bac7d785373cae79200a2b0168864156861

SHA512
6a93ad84e4638eebcc33b79a40b92854ffa18564e005a351a6c2720ac40d26aceec105c3718d01fb454251b3d583eccf953134d820ecf0acd50a723cfdc140e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5005.tmp.exe

Filesize
12KB

MD5
f8d85d1b57af7849617a6531ff0c4cf0

SHA1
274430422b5329a23bb91540eb119bb5672e3db9

SHA256
863bcaffa42d8737fe69bf0a6d431d5939077b0d649e9bd32784ad173eb08a50

SHA512
37d307ae234cc0e1c63e7fc2bf296f56ff672e6a171d66be0b4f69881deeb559568d45643f3cf09f6ce4ab6b3e029f432fc50d0dc78549729a6d6be4e842e696

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C0C3FAD84904BA4A38817F1B1AD640.TMP

Filesize
1KB

MD5
f8138aef0e63a4ed002d677273c33182

SHA1
203c37f1b3e06656996c6247abf73d46a7a7d2a2

SHA256
cb1c5e32f2795bbdc294c876f3a50b0995691552435261259c18cc26ce089cf6

SHA512
9b87f74f13c8af6cd1da74b271ab8ff2c9230028e2c60d26c58f74a0eab639134539bb7aeeea4aa8d36e748081afe04a637e1841d7c7c7495bed1c7e04f55f9b

Download Submit
memory/520-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/520-25-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/520-27-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/520-28-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/520-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1068-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1068-2-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/1068-1-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/1068-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/1068-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.