Overview

overview

10

Static

static

10

西游网络.exe

windows7-x64

3

西游网络.exe

windows10-2004-x64

3

LYdlq.exe

windows7-x64

10

LYdlq.exe

windows10-2004-x64

10

lsass.exe

windows7-x64

10

lsass.exe

windows10-2004-x64

10

�...��.exe

windows7-x64

7

�...��.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 16:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LYdlq.exe

  • Size

    138KB

  • MD5

    c7a8c4ebf18c5d5b4c06bdfdacd4c8f0

  • SHA1

    d25db0d0a267dd753ce85ab27d23f11545852679

  • SHA256

    7a21021900e30cfc62c447a8407301cd98f659e1b453b0070b2ee653279553c0

  • SHA512

    a2093d2bdd09121b57dc1561cd8c55730353b81c8474d0676bf6f8ecf7f5f5725814f3fa45b6801eb967d52a957b53c7db1ba5e954abd94cfe4c55245b2dcaab

  • SSDEEP

    3072:PW62gp7fl2fHrV3hUJ654M8v27qb02QxH21MUW:+ZMDl+rVwlMuy92QU2R

Score
10/10
gh0stratdefense_evasiondiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LYdlq.exe
    "C:\Users\Admin\AppData\Local\Temp\LYdlq.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5776
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\LYdlq.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4496
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\svchest.exe
    1⤵
      PID:4452
    • C:\Windows\SysWOW64\svchest.exe
      C:\Windows\SysWOW64\svchest.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4520

    Network

    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=328034ac253748269f2ea8820397a6e5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=328034ac253748269f2ea8820397a6e5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=07EB703087E66AE502B6658F86066B83; domain=.bing.com; expires=Fri, 24-Apr-2026 16:01:35 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 09C0724B406C4D72BA440994D0E8AA50 Ref B: LON04EDGE1111 Ref C: 2025-03-30T16:01:35Z
      date: Sun, 30 Mar 2025 16:01:35 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=328034ac253748269f2ea8820397a6e5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=328034ac253748269f2ea8820397a6e5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=07EB703087E66AE502B6658F86066B83
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=XUgwg-md5kKfScHXGXutJNnuhanF3ckOSR6n3UEikyE; domain=.bing.com; expires=Fri, 24-Apr-2026 16:01:35 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E423FA6E7D2F4D519AC113A48C37B60A Ref B: LON04EDGE1111 Ref C: 2025-03-30T16:01:35Z
      date: Sun, 30 Mar 2025 16:01:35 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=328034ac253748269f2ea8820397a6e5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=328034ac253748269f2ea8820397a6e5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=07EB703087E66AE502B6658F86066B83; MSPTC=XUgwg-md5kKfScHXGXutJNnuhanF3ckOSR6n3UEikyE
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0D989BB77AAC4D77A576E59E8AF4B563 Ref B: LON04EDGE1111 Ref C: 2025-03-30T16:01:35Z
      date: Sun, 30 Mar 2025 16:01:35 GMT
    • flag-us
      DNS
      31971.3322.org
      svchest.exe
      Remote address:
      8.8.8.8:53
      Request
      31971.3322.org
      IN A
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388254_1IENGPSOJTS7HYCM7&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388254_1IENGPSOJTS7HYCM7&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 538668
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 887C9961ED4A42799ABB288DC9CB530A Ref B: LON04EDGE0612 Ref C: 2025-03-30T16:02:08Z
      date: Sun, 30 Mar 2025 16:02:07 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388116_1HBZ24TGK6VST5MLJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388116_1HBZ24TGK6VST5MLJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 591970
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4EEC4A267AFB4210988FFBBF8D207F48 Ref B: LON04EDGE0612 Ref C: 2025-03-30T16:02:08Z
      date: Sun, 30 Mar 2025 16:02:07 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239359955652_1UH15L5Z2LXM3P8PA&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239359955652_1UH15L5Z2LXM3P8PA&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 504006
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: C8D30A25E25843FFB2E0FA52ED57B60C Ref B: LON04EDGE0612 Ref C: 2025-03-30T16:02:08Z
      date: Sun, 30 Mar 2025 16:02:07 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388115_1OIS3ERNXZ6FC49JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388115_1OIS3ERNXZ6FC49JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 474395
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 8C4FB459F0EA4E209D3A9C8DE9E4DBC9 Ref B: LON04EDGE0612 Ref C: 2025-03-30T16:02:08Z
      date: Sun, 30 Mar 2025 16:02:07 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388255_1MIA06XHN715LZGV9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388255_1MIA06XHN715LZGV9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 472465
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 07695ED7B5D0488C91999A56D813D170 Ref B: LON04EDGE0612 Ref C: 2025-03-30T16:02:08Z
      date: Sun, 30 Mar 2025 16:02:07 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239359955653_16Q8BS61PKT108CUW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239359955653_16Q8BS61PKT108CUW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 498769
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: C4F13C98451E4237A69F515A75FA4084 Ref B: LON04EDGE0612 Ref C: 2025-03-30T16:02:09Z
      date: Sun, 30 Mar 2025 16:02:08 GMT
    • flag-us
      DNS
      c.pki.goog
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.187.227
    • flag-gb
      GET
      http://c.pki.goog/r/r1.crl
      Remote address:
      142.250.187.227:80
      Request
      GET /r/r1.crl HTTP/1.1
      Cache-Control: max-age = 3000
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 304 Not Modified
      Date: Sun, 30 Mar 2025 15:51:00 GMT
      Expires: Sun, 30 Mar 2025 16:41:00 GMT
      Age: 693
      Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
      Cache-Control: public, max-age=3000
      Vary: Accept-Encoding
    • flag-us
      DNS
      31971.3322.org
      svchest.exe
      Remote address:
      8.8.8.8:53
      Request
      31971.3322.org
      IN A
      Response
    • 150.171.28.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=328034ac253748269f2ea8820397a6e5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=
      tls, http2
      2.5kB
       9.3kB
       22
      17

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=328034ac253748269f2ea8820397a6e5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=328034ac253748269f2ea8820397a6e5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=328034ac253748269f2ea8820397a6e5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

      HTTP Response

      204
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       8.3kB
       16
      14
    • 150.171.27.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239359955653_16Q8BS61PKT108CUW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      110.0kB
       3.2MB
       2316
      2311

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388254_1IENGPSOJTS7HYCM7&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388116_1HBZ24TGK6VST5MLJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239359955652_1UH15L5Z2LXM3P8PA&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388115_1OIS3ERNXZ6FC49JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388255_1MIA06XHN715LZGV9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239359955653_16Q8BS61PKT108CUW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 142.250.187.227:80
      http://c.pki.goog/r/r1.crl
      http
      476 B
       394 B
       6
      4

      HTTP Request

      GET http://c.pki.goog/r/r1.crl

      HTTP Response

      304
    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
       148 B
       1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.28.10
      150.171.27.10

    • 8.8.8.8:53
      31971.3322.org
      dns
      svchest.exe
      60 B
       124 B
       1
      1

      DNS Request

      31971.3322.org

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
       170 B
       1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      c.pki.goog
      dns
      56 B
       107 B
       1
      1

      DNS Request

      c.pki.goog

      DNS Response

      142.250.187.227

    • 8.8.8.8:53
      31971.3322.org
      dns
      svchest.exe
      60 B
       124 B
       1
      1

      DNS Request

      31971.3322.org

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\svchest.exe
      Filesize

      138KB

      MD5

      c7a8c4ebf18c5d5b4c06bdfdacd4c8f0

      SHA1

      d25db0d0a267dd753ce85ab27d23f11545852679

      SHA256

      7a21021900e30cfc62c447a8407301cd98f659e1b453b0070b2ee653279553c0

      SHA512

      a2093d2bdd09121b57dc1561cd8c55730353b81c8474d0676bf6f8ecf7f5f5725814f3fa45b6801eb967d52a957b53c7db1ba5e954abd94cfe4c55245b2dcaab

      Download Submit

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.