Analysis

  • max time kernel
    117s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-07-2024 23:39

General

  • Target

    21237b83e39b56108b33fa9208e20bd0N.exe

  • Size

    1.1MB

  • MD5

    21237b83e39b56108b33fa9208e20bd0

  • SHA1

    2da6620e429aaa64ae28c97e07411ad331dea04c

  • SHA256

    dc45d3955a7ee5a57d9324bbadabd18a9163a77a558537eeb04ada72d6e1cd29

  • SHA512

    24fef9944ee6813f744d6076eec1f91bef1540f0f9af4bd1b31cc352866a590ed864fb1b17ae8cef921d0f3563314bc4d81fa0ab5ddba164b6283298cfcaa770

  • SSDEEP

    24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSTsU9+s8juCC2SNh:E5aIwC+Agr6SNasrsFCi

Malware Config

No extracted configuration is shown for this run.

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

  • KPOT Core Executable 1 IoCs
  • Trickbot

    First observed in 2016, TrickBot is a modular banking Trojan that has also been used widely as a loader for other malware.

  • Trickbot x86 loader 1 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times, a common persistence mechanism. The report flags the API use but does not show the task that was created.

Processes

  • C:\Users\Admin\AppData\Local\Temp\21237b83e39b56108b33fa9208e20bd0N.exe  (PID 3620, submitted sample)
    Command line: "C:\Users\Admin\AppData\Local\Temp\21237b83e39b56108b33fa9208e20bd0N.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\WinSocket\21238b93e39b67109b33fa9209e20bd0N.exe  (PID 2896, child of 3620)
      Command line: C:\Users\Admin\AppData\Roaming\WinSocket\21238b93e39b67109b33fa9209e20bd0N.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\svchost.exe  (PID 744, child of 2896)
        Command line: C:\Windows\system32\svchost.exe
  • C:\Users\Admin\AppData\Roaming\WinSocket\21238b93e39b67109b33fa9209e20bd0N.exe  (PID 4508, second instance of the dropped copy; a root of the tree, not a child of 3620 or 2896)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\21238b93e39b67109b33fa9209e20bd0N.exe
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\svchost.exe  (PID 4316, child of 4508)
      Command line: C:\Windows\system32\svchost.exe

  Two details of the tree matter for the rest of the report. The dropped copy runs twice, the second time as an independent root process rather than a child of the sample; the Task Scheduler COM API signature above is the likely launch mechanism, although the task itself is not shown. Each copy then spawns a bare svchost.exe with no -k service-group argument, which a legitimately started svchost.exe always carries; those svchost.exe instances are the processes that make the 47.44.54.70:449 connections in the Network section.

Network

  • DNS  g.bing.com  (resolver 8.8.8.8:53)
    Request:  g.bing.com IN A
    Response: g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
              g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
              dual-a-0034.a-msedge.net IN A 204.79.197.237
              dual-a-0034.a-msedge.net IN A 13.107.21.237
  Three GET requests to g.bing.com on 204.79.197.237:443 over HTTP/2. Request headers on all three: host: g.bing.com; accept-encoding: gzip, deflate; user-agent: WindowsShellClient/9.0.40929.0 (Windows). Response headers common to all three: cache-control: no-cache, must-revalidate; pragma: no-cache; expires: Fri, 01 Jan 1990 00:00:00 GMT; strict-transport-security: max-age=31536000; includeSubDomains; preload; access-control-allow-origin: *; x-cache: CONFIG_NOCACHE; accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version; x-msedge-ref: Ref B: LON04EDGE0717 Ref C: 2024-07-23T23:39:20Z; date: Tue, 23 Jul 2024 23:39:19 GMT. The WindowsShellClient user agent marks these as the Windows shell's own content/ad beacons from the sandbox image, not traffic from the sample. Only the cookies and the per-request Ref A differ:

  • GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=abab1ef9a7fe4a68ae9aa47e9c0e393c&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid=
    Remote address: 204.79.197.237:443
    Request: GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=abab1ef9a7fe4a68ae9aa47e9c0e393c&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid= HTTP/2.0  (no cookie sent)
    Response: HTTP/2.0 204
      set-cookie: MUID=3DD5ECDA1AB563361A29F81F1B926253; domain=.bing.com; expires=Sun, 17-Aug-2025 23:39:20 GMT; path=/; SameSite=None; Secure; Priority=High;
      x-msedge-ref: Ref A: 976986267A7A40BD8C961C61A5AFD5FC
  • GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=abab1ef9a7fe4a68ae9aa47e9c0e393c&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid=
    Remote address: 204.79.197.237:443
    Request: GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=abab1ef9a7fe4a68ae9aa47e9c0e393c&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid= HTTP/2.0
      cookie: MUID=3DD5ECDA1AB563361A29F81F1B926253
    Response: HTTP/2.0 204
      set-cookie: MSPTC=8I__WjOpgOEX8vLSMcYOKYs2gfG4rCfc2OfFgzcq4_Q; domain=.bing.com; expires=Sun, 17-Aug-2025 23:39:20 GMT; path=/; Partitioned; secure; SameSite=None
      x-msedge-ref: Ref A: 3A188239E8414814A3CCF48C9EA5099D
  • GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=abab1ef9a7fe4a68ae9aa47e9c0e393c&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid=
    Remote address: 204.79.197.237:443
    Request: GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=abab1ef9a7fe4a68ae9aa47e9c0e393c&localId=w:A55461EC-E2C0-7E26-6404-F1FD6509940B&deviceId=6966568319254816&anid= HTTP/2.0
      cookie: MUID=3DD5ECDA1AB563361A29F81F1B926253; MSPTC=8I__WjOpgOEX8vLSMcYOKYs2gfG4rCfc2OfFgzcq4_Q
    Response: HTTP/2.0 204  (no set-cookie)
      x-msedge-ref: Ref A: BB06B37BF64C4365BDB7D119E1172CA9
  Reverse (PTR) lookups, all sent to 8.8.8.8:53. Only the lookup for 2.20.12.107 returned a record; none of them concerns 47.44.54.70, the one address the sample's svchost.exe children talk to.

  • 237.197.79.204.in-addr.arpa    IN PTR   no answer
  • 71.31.126.40.in-addr.arpa      IN PTR   no answer
  • 172.214.232.199.in-addr.arpa   IN PTR   no answer
  • 133.211.185.52.in-addr.arpa    IN PTR   no answer
  • 55.36.223.20.in-addr.arpa      IN PTR   no answer
  • 154.239.44.20.in-addr.arpa     IN PTR   no answer
  • 86.23.85.13.in-addr.arpa       IN PTR   no answer
  • 206.23.85.13.in-addr.arpa      IN PTR   no answer
  • 107.12.20.2.in-addr.arpa       IN PTR   a2-20-12-107.deploy.static.akamaitechnologies.com (the raw report prints the name with its dots stripped)
  • 29.243.111.52.in-addr.arpa     IN PTR   no answer
  • 43.58.199.20.in-addr.arpa      IN PTR   no answer
  • DNS  tse1.mm.bing.net  (resolver 8.8.8.8:53)
    Request:  tse1.mm.bing.net IN A
    Response: tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
              mm-mm.bing.net.trafficmanager.net IN CNAME ax-0001.ax-msedge.net
              ax-0001.ax-msedge.net IN A 150.171.28.10
              ax-0001.ax-msedge.net IN A 150.171.27.10
  Six JPEG fetches from tse1.mm.bing.net on 150.171.28.10:443 over HTTP/2, about 100 s after the g.bing.com beacons. Request headers on all six: host: tse1.mm.bing.net; accept: */*; accept-encoding: gzip, deflate, br; user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041. Response headers common to all six: HTTP/2.0 200; cache-control: public, max-age=2592000; content-type: image/jpeg; x-cache: TCP_HIT; access-control-allow-origin: *; access-control-allow-headers: *; access-control-allow-methods: GET, POST, OPTIONS; timing-allow-origin: *; report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}; nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}; accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version; x-msedge-ref: Ref B: LON04EDGE1108. Portrait (1080x1920) and landscape (1920x1080) images of this kind are lock-screen imagery fetched by the sandbox image itself; only content-length and the per-request reference IDs differ:

  • GET https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    content-length: 944920; x-msedge-ref: Ref A: 09D851FBCF9A428F8AB49957605D7E9C Ref C: 2024-07-23T23:41:03Z; date: Tue, 23 Jul 2024 23:41:03 GMT
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239317301560_1VYM1AB1UOOH4QGUY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    content-length: 493102; x-msedge-ref: Ref A: FC903C8937EB4D4A9A0E65EF4244D004 Ref C: 2024-07-23T23:41:03Z; date: Tue, 23 Jul 2024 23:41:03 GMT
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239317301151_191TZ1ARIUD05NY0D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    content-length: 599415; x-msedge-ref: Ref A: 3F7E1EF4B11D4ED8BAFCB0647678DC58 Ref C: 2024-07-23T23:41:03Z; date: Tue, 23 Jul 2024 23:41:03 GMT
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239357511422_1A7OTR6A4QA6G1DBD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    content-length: 855706; x-msedge-ref: Ref A: 07FB3C80080C4D6C9987D7AAC7C05471 Ref C: 2024-07-23T23:41:03Z; date: Tue, 23 Jul 2024 23:41:03 GMT
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239357511424_1NSLXDV6EKAUQKBXT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    content-length: 631209; x-msedge-ref: Ref A: 97C6B9B008AC4F7DA2E318C3CC57C87A Ref C: 2024-07-23T23:41:03Z; date: Tue, 23 Jul 2024 23:41:03 GMT
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239340418578_1AMTWIX1RFG5EZ1V6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    content-length: 1061732; x-msedge-ref: Ref A: F10D7F4C388744E9A328C67865A0A31F Ref C: 2024-07-23T23:41:04Z; date: Tue, 23 Jul 2024 23:41:04 GMT
  Connections (one row per connection, in the order the report lists them; Sent and Received are bytes, followed by packets out and in; a protocol of "-" means the sandbox identified no application protocol)

  Remote address        Domain / process               Protocol     Sent     Received  Pkts out  Pkts in   Notes
  204.79.197.237:443    g.bing.com                     tls, http2   2.0kB    9.3kB     22        19        3 GET /neg/0 requests (emptycreativeimpression, emptycreative, emptycreativeimpression; full URLs above), all answered 204
  47.44.54.70:449       svchost.exe                    -            260 B    200 B     5         5
  47.44.54.70:449       svchost.exe                    -            260 B    200 B     5         5
  150.171.28.10:443     tse1.mm.bing.net               tls, http2   160.7kB  4.8MB     3450      3440      6 GET /th image requests (ids OADD2.10239340418577_1YCPJO6YBYEE06VWA, OADD2.10239317301560_1VYM1AB1UOOH4QGUY, OADD2.10239317301151_191TZ1ARIUD05NY0D, OADD2.10239357511422_1A7OTR6A4QA6G1DBD, OADD2.10239357511424_1NSLXDV6EKAUQKBXT, OADD2.10239340418578_1AMTWIX1RFG5EZ1V6; full URLs above), all answered 200
  150.171.28.10:443     tse1.mm.bing.net               tls, http2   1.1kB    6.7kB     13        8
  150.171.28.10:443     tse1.mm.bing.net               tls, http2   1.4kB    7.6kB     15        9
  150.171.28.10:443     tse1.mm.bing.net               tls, http2   1.4kB    6.7kB     15        9
  150.171.28.10:443     tse1.mm.bing.net               tls, http2   1.4kB    6.7kB     15        9
  47.44.54.70:449       svchost.exe                    -            260 B    200 B     5         5
  8.8.8.8:53            g.bing.com                     dns          56 B     151 B     1         1         A: 204.79.197.237, 13.107.21.237
  8.8.8.8:53            237.197.79.204.in-addr.arpa    dns          73 B     143 B     1         1         PTR
  8.8.8.8:53            71.31.126.40.in-addr.arpa      dns          71 B     157 B     1         1         PTR
  8.8.8.8:53            172.214.232.199.in-addr.arpa   dns          74 B     128 B     1         1         PTR
  8.8.8.8:53            133.211.185.52.in-addr.arpa    dns          73 B     147 B     1         1         PTR
  8.8.8.8:53            55.36.223.20.in-addr.arpa      dns          71 B     157 B     1         1         PTR
  8.8.8.8:53            154.239.44.20.in-addr.arpa     dns          72 B     158 B     1         1         PTR
  8.8.8.8:53            86.23.85.13.in-addr.arpa       dns          70 B     144 B     1         1         PTR
  8.8.8.8:53            206.23.85.13.in-addr.arpa      dns          71 B     145 B     1         1         PTR
  8.8.8.8:53            107.12.20.2.in-addr.arpa       dns          70 B     133 B     1         1         PTR
  8.8.8.8:53            29.243.111.52.in-addr.arpa     dns          72 B     158 B     1         1         PTR
  8.8.8.8:53            43.58.199.20.in-addr.arpa      dns          71 B     157 B     1         1         PTR
  8.8.8.8:53            tse1.mm.bing.net               dns          62 B     170 B     1         1         A: 150.171.28.10, 150.171.27.10

  Everything to Bing and Google DNS is the sandbox image's own background traffic. The three connections to 47.44.54.70:449 are the only ones the report attributes to a process rather than a domain, are made by svchost.exe (the two svchost.exe instances in the tree are children of the dropped copy, PIDs 744 and 4316), carry no protocol the sandbox could identify, are preceded by no DNS lookup (a hard-coded address), and exchange only a few hundred bytes in five packets each, which looks like a short check-in rather than a download. TCP 449 is also a port TrickBot has historically used for its command-and-control channel. These are the connections to examine first; the report itself does not decode them.
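The connection list above is most useful once the sandbox image's own Microsoft and Bing traffic is set aside. The Python below, added here as an example and not part of the tria.ge report, encodes that triage over rows constructed from the summary: parse_size reads the report's size strings, classify labels each connection, and triage aggregates whatever remains suspect per remote endpoint. The background-host list, the reverse-DNS rule and the "unidentified protocol on an unusual port" rule are the author's assumptions, not tria.ge logic.

```python
"""Triage of a sandbox connection summary: added example, not part of the
tria.ge report. The rows are constructed from the report's own connection
list; the noise heuristics (Bing hosts contacted by the Windows image, reverse
DNS, well-known ports) are the author's assumptions, not tria.ge logic."""
from dataclasses import dataclass

# Hosts the Windows 10 sandbox image contacts on its own; assumed background.
BACKGROUND_DOMAINS = {"g.bing.com", "tse1.mm.bing.net"}


@dataclass(frozen=True)
class Conn:
    remote: str      # "ip:port"
    name: str        # domain, URL or process name, as the report prints it
    proto: str       # "tls, http2", "dns", or "" when the sandbox identified none
    sent: int        # bytes sent
    recv: int        # bytes received
    pkts_out: int
    pkts_in: int


def parse_size(text):
    """'2.0kB' -> 2000, '260 B' -> 260, '4.8MB' -> 4800000 (decimal units, as printed)."""
    text = text.replace(" ", "")
    for suffix, mult in (("MB", 10**6), ("kB", 10**3), ("B", 1)):
        if text.endswith(suffix):
            return int(round(float(text[:-len(suffix)]) * mult))
    raise ValueError("unrecognised size: %r" % text)


def host_of(name):
    """Domain part of a URL, or the name itself when it is not a URL."""
    return name.split("/")[2] if name.startswith(("http://", "https://")) else name


def classify(conn):
    """One triage label per connection."""
    port = int(conn.remote.rsplit(":", 1)[1])
    if conn.proto == "dns":
        if conn.name.endswith(".in-addr.arpa"):
            return "noise: reverse DNS"
        return "noise: background DNS" if conn.name in BACKGROUND_DOMAINS else "review: DNS"
    if host_of(conn.name) in BACKGROUND_DOMAINS:
        return "noise: background HTTP"
    if conn.proto == "" and port not in (80, 443):
        # No recognised protocol, an unusual port, and attributed to a process
        # name rather than a domain: the connection to examine first.
        return "suspect: unidentified protocol on port %d from %s" % (port, conn.name)
    return "review"


def triage(conns):
    """Aggregate suspect traffic per remote endpoint: connection count and byte totals."""
    totals = {}
    for c in conns:
        if not classify(c).startswith("suspect"):
            continue
        t = totals.setdefault(c.remote, {"process": c.name, "conns": 0, "sent": 0, "recv": 0})
        t["conns"] += 1
        t["sent"] += c.sent
        t["recv"] += c.recv
    return totals


# Constructed from the connection summary above (one Conn per report row).
REPORT_CONNECTIONS = [
    Conn("204.79.197.237:443", "https://g.bing.com/neg/0?action=emptycreativeimpression",
         "tls, http2", parse_size("2.0kB"), parse_size("9.3kB"), 22, 19),
    Conn("47.44.54.70:449", "svchost.exe", "", parse_size("260 B"), parse_size("200 B"), 5, 5),
    Conn("47.44.54.70:449", "svchost.exe", "", parse_size("260 B"), parse_size("200 B"), 5, 5),
    Conn("150.171.28.10:443", "https://tse1.mm.bing.net/th?id=OADD2.10239340418578_1AMTWIX1RFG5EZ1V6",
         "tls, http2", parse_size("160.7kB"), parse_size("4.8MB"), 3450, 3440),
    Conn("150.171.28.10:443", "tse1.mm.bing.net", "tls, http2", parse_size("1.1kB"), parse_size("6.7kB"), 13, 8),
    Conn("47.44.54.70:449", "svchost.exe", "", parse_size("260 B"), parse_size("200 B"), 5, 5),
    Conn("8.8.8.8:53", "g.bing.com", "dns", 56, 151, 1, 1),
    Conn("8.8.8.8:53", "237.197.79.204.in-addr.arpa", "dns", 73, 143, 1, 1),
    Conn("8.8.8.8:53", "tse1.mm.bing.net", "dns", 62, 170, 1, 1),
]

if __name__ == "__main__":
    for c in REPORT_CONNECTIONS:
        print("%-22s %-10s %s" % (c.remote, c.proto or "-", classify(c)))
    print(triage(REPORT_CONNECTIONS))
```

Run on the rows above, triage leaves a single endpoint, 47.44.54.70:449 with three svchost.exe connections totalling 780 bytes out and 600 in; the rule set is deliberately narrow, so a sample that beaconed over 443 with a real TLS handshake would land in "review" rather than "suspect" and still needs a look.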

MITRE ATT&CK Enterprise v15

  Techniques flagged by the signatures above: System Location Discovery: System Language Discovery (T1614.001, Discovery) and, for the Task Scheduler COM API use, Scheduled Task/Job (T1053; Execution, Persistence, Privilege Escalation).


      Downloads

      • C:\Users\Admin\AppData\Roaming\WinSocket\21238b93e39b67109b33fa9209e20bd0N.exe

        Filesize  1.1MB
        MD5       21237b83e39b56108b33fa9208e20bd0
        SHA1      2da6620e429aaa64ae28c97e07411ad331dea04c
        SHA256    dc45d3955a7ee5a57d9324bbadabd18a9163a77a558537eeb04ada72d6e1cd29
        SHA512    24fef9944ee6813f744d6076eec1f91bef1540f0f9af4bd1b31cc352866a590ed864fb1b17ae8cef921d0f3563314bc4d81fa0ab5ddba164b6283298cfcaa770

        All four hashes match the submitted sample: the file in %APPDATA%\WinSocket is a byte-for-byte copy under a new name (some digits of the original name incremented), so the same hash-based indicators identify both the original and the persisted copy.

      Memory dumps

      File names follow memory/<PID>-<snapshot>-0x<start>-0x<end>-memory.dmp; below, consecutive snapshots of one identical region are collapsed into a bracketed range, and the PIDs are the ones from the process tree.

      • PID 744 (svchost.exe, child of 2896)
        memory/744-46          0x0000000010000000-0x000000001001E000   120KB
        memory/744-51          0x000001AE4F490000-0x000001AE4F491000   4KB
      • PID 2896 (dropped copy, child of 3620)
        memory/2896-[26..37]   0x0000000002050000-0x0000000002051000   4KB   (12 snapshots of the same page)
        memory/2896-40         0x0000000000400000-0x0000000000472000   456KB
        memory/2896-41         0x0000000010000000-0x0000000010007000   28KB
        memory/2896-52         0x0000000003060000-0x000000000311E000   760KB
        memory/2896-53         0x0000000003160000-0x0000000003429000   2.8MB
      • PID 3620 (submitted sample)
        memory/3620-[2..14]    0x0000000002BF0000-0x0000000002BF1000   4KB   (13 snapshots of the same page)
        memory/3620-15         0x0000000003110000-0x0000000003139000   164KB
        memory/3620-17         0x0000000000421000-0x0000000000422000   4KB
        memory/3620-18         0x0000000000400000-0x0000000000472000   456KB
      • PID 4508 (dropped copy, second instance)
        memory/4508-[58..69]   0x0000000000CA0000-0x0000000000CA1000   4KB   (12 snapshots of the same page)
        memory/4508-72         0x0000000000421000-0x0000000000422000   4KB
        memory/4508-73         0x0000000000400000-0x0000000000472000   456KB

      The 0x00400000-0x00472000 region (456KB) present in PIDs 3620, 2896 and 4508 is the mapped image of the sample itself. 0x10000000 is the default image base of a 32-bit DLL; the 120KB region there in svchost.exe (PID 744), a process spawned by PID 2896, which is flagged for WriteProcessMemory, is the first dump to open when looking for an injected module. The 760KB and 2.8MB regions in PID 2896 are sized like unpacked payloads rather than heap pages, which fits the "Trickbot x86 loader" signature.
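The dump list is long because the sandbox snapshots the same page many times; what an analyst wants is one entry per region and a shortlist of the regions to open. The Python below, added here as an example and not part of the tria.ge report, parses the dump naming convention shown above, collapses repeated snapshots, and flags regions by address and size. The dump names are a constructed subset of the list above, the parent map comes from the Processes section, and the heuristics (EXE base 0x400000, 32-bit DLL base 0x10000000, a 512 KB threshold for "large") are the author's assumptions, not tria.ge logic.

```python
"""Parse tria.ge memory-dump names and shortlist regions to examine: added
example, not part of the report. Dump names below are a constructed subset of
the report's list; the parent map comes from its process tree; the address and
size heuristics are the author's assumptions, not tria.ge logic."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# child PID -> parent PID, from the process tree above.
PARENTS = {2896: 3620, 744: 2896, 4316: 4508}
# Processes that run the sample's own image (original and dropped copy).
SAMPLE_IMAGE_PIDS = {3620, 2896, 4508}

DLL_DEFAULT_BASE = 0x10000000   # linker default image base for a 32-bit DLL
EXE_DEFAULT_BASE = 0x00400000   # linker default image base for a 32-bit EXE
LARGE_REGION = 0x80000          # 512 KB


def parse_dump(name):
    """'memory/744-46-0x10000000-0x1001E000-memory.dmp' -> pid, snapshot, start, end, size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a tria.ge memory dump name: %r" % name)
    pid, snap, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError("empty or inverted region in %r" % name)
    return {"pid": pid, "snapshot": snap, "start": start, "end": end, "size": end - start}


def group_regions(names):
    """Collapse repeated dumps of one region into {(pid, start, end): [snapshot indices]}."""
    groups = defaultdict(list)
    for n in names:
        d = parse_dump(n)
        groups[(d["pid"], d["start"], d["end"])].append(d["snapshot"])
    return {k: sorted(v) for k, v in groups.items()}


def flag_regions(names):
    """Return (pid, start, note) for regions worth examining, sorted by pid and address."""
    findings = []
    for (pid, start, end), snaps in group_regions(names).items():
        size = end - start
        kb = size // 1024
        if start == EXE_DEFAULT_BASE and kb >= 64:
            findings.append((pid, start, "main image of the sample (%d KB)" % kb))
        elif start == DLL_DEFAULT_BASE:
            note = "region at the default 32-bit DLL image base (%d KB)" % kb
            if pid not in SAMPLE_IMAGE_PIDS and PARENTS.get(pid) in SAMPLE_IMAGE_PIDS:
                # A module-sized region at a DLL base inside a system process that
                # the sample spawned (and, per the WriteProcessMemory signature,
                # wrote to) is a candidate injected module.
                note += ", inside a process spawned by PID %d: candidate injected module" % PARENTS[pid]
            findings.append((pid, start, note))
        elif size >= LARGE_REGION:
            findings.append((pid, start, "large private region (%d KB), possible unpacked payload" % kb))
    return sorted(findings)


# Constructed subset of the dump names listed above: every distinct region of
# PIDs 744 and 2896, plus three of the thirteen snapshots of PID 3620's 4 KB
# page to show the collapse, and the main-image regions of 3620 and 4508.
REPORT_DUMPS = [
    "memory/744-51-0x000001AE4F490000-0x000001AE4F491000-memory.dmp",
    "memory/744-46-0x0000000010000000-0x000000001001E000-memory.dmp",
    "memory/2896-41-0x0000000010000000-0x0000000010007000-memory.dmp",
    "memory/2896-40-0x0000000000400000-0x0000000000472000-memory.dmp",
    "memory/2896-52-0x0000000003060000-0x000000000311E000-memory.dmp",
    "memory/2896-53-0x0000000003160000-0x0000000003429000-memory.dmp",
    "memory/3620-2-0x0000000002BF0000-0x0000000002BF1000-memory.dmp",
    "memory/3620-3-0x0000000002BF0000-0x0000000002BF1000-memory.dmp",
    "memory/3620-4-0x0000000002BF0000-0x0000000002BF1000-memory.dmp",
    "memory/3620-15-0x0000000003110000-0x0000000003139000-memory.dmp",
    "memory/3620-18-0x0000000000400000-0x0000000000472000-memory.dmp",
    "memory/4508-73-0x0000000000400000-0x0000000000472000-memory.dmp",
]

if __name__ == "__main__":
    for pid, start, note in flag_regions(REPORT_DUMPS):
        print("PID %-5d 0x%08X  %s" % (pid, start, note))
```

On this input the first finding is the 120 KB region at 0x10000000 in PID 744, labelled as a candidate injected module because svchost.exe does not run the sample's image but was spawned by a process that does; the same region in PID 2896 is reported without that label, since a loader mapping its own payload into its own process is not injection.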
