hxxp://m[.]worldxcup[.]com

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 04:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://m.worldxcup.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1808	msedge.exe
1808	msedge.exe
3604	msedge.exe
3604	msedge.exe
3588	identity_helper.exe
3588	identity_helper.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4560	3604	msedge.exe	84
PID 3604 wrote to memory of 4560	3604	msedge.exe	84
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 3916	3604	msedge.exe	86
PID 3604 wrote to memory of 1808	3604	msedge.exe	85
PID 3604 wrote to memory of 1808	3604	msedge.exe	85
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87
PID 3604 wrote to memory of 4276	3604	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://m.worldxcup.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2c1046f8,0x7fff2c104708,0x7fff2c104718
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4373818184217673097,3163496319326887768,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3172 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2188

Network

DNS

m.worldxcup.com

msedge.exe

Remote address:

8.8.8.8:53

Request

m.worldxcup.com

IN A

Response

m.worldxcup.com

IN CNAME

77980.bodis.com

77980.bodis.com

IN A

199.59.243.224
GET

http://m.worldxcup.com/

msedge.exe

Remote address:

199.59.243.224:80

Request

GET / HTTP/1.1
Host: m.worldxcup.com
Connection: keep-alive
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

date: Sun, 03 Sep 2023 04:28:36 GMT
content-type: text/html; charset=utf-8
content-length: 1017
x-request-id: 0a005cf0-32f6-40c4-9e9a-cdf7211a2c34
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kF52/J5y4ecWI6Pn2q9VmXw+C9DyfTs1ewH1Bwcjq9W2BH+SHX5yAn4wW++wqzPYLXtFb4KuDvhb4x38oTVPBA==
set-cookie: parking_session=0a005cf0-32f6-40c4-9e9a-cdf7211a2c34; expires=Sun, 03 Sep 2023 04:43:37 GMT; path=/
GET

http://m.worldxcup.com/aPrxYydVX.js

msedge.exe

Remote address:

199.59.243.224:80

Request

GET /aPrxYydVX.js HTTP/1.1
Host: m.worldxcup.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: */*
Referer: http://m.worldxcup.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: parking_session=0a005cf0-32f6-40c4-9e9a-cdf7211a2c34

Response

HTTP/1.1 200 OK

date: Sun, 03 Sep 2023 04:28:37 GMT
content-type: application/javascript; charset=utf-8
content-length: 68406
x-request-id: 8ade1300-3076-4e13-81e1-afaae41c14fd
set-cookie: parking_session=0a005cf0-32f6-40c4-9e9a-cdf7211a2c34; expires=Sun, 03 Sep 2023 04:43:37 GMT
POST

http://m.worldxcup.com/_fd

msedge.exe

Remote address:

199.59.243.224:80

Request

POST /_fd HTTP/1.1
Host: m.worldxcup.com
Connection: keep-alive
Content-Length: 0
Accept: application/json
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Content-Type: application/json
Origin: http://m.worldxcup.com
Referer: http://m.worldxcup.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: parking_session=0a005cf0-32f6-40c4-9e9a-cdf7211a2c34

Response

HTTP/1.1 200 OK

server: openresty
date: Sun, 03 Sep 2023 04:28:36 GMT
content-type: text/html; charset=UTF-8
content-encoding: gzip
content-length: 2377
cache-control: no-cache
x-version: 2.106.5
expires: Thu, 01 Jan 1970 00:00:01 GMT
cache-control: no-store, must-revalidate
cache-control: post-check=0, pre-check=0
pragma: no-cache
set-cookie: parking_session=0a005cf0-32f6-40c4-9e9a-cdf7211a2c34; expires=Sun, 03 Sep 2023 04:43:37 GMT; Max-Age=900; path=/; httponly
GET

http://m.worldxcup.com/px.gif?ch=1&rn=7.295485623330426

msedge.exe

Remote address:

199.59.243.224:80

Request

GET /px.gif?ch=1&rn=7.295485623330426 HTTP/1.1
Host: m.worldxcup.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://m.worldxcup.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: parking_session=0a005cf0-32f6-40c4-9e9a-cdf7211a2c34

Response

HTTP/1.1 200 OK

server: openresty
date: Sun, 03 Sep 2023 04:28:37 GMT
content-type: image/gif
content-length: 42
last-modified: Tue, 18 Jul 2023 15:33:43 GMT
expires: Thu, 01 Jan 1970 00:00:01 GMT
cache-control: no-cache
cache-control: no-store, must-revalidate
cache-control: post-check=0, pre-check=0
pragma: no-cache
accept-ranges: bytes
GET

http://m.worldxcup.com/px.gif?ch=2&rn=7.295485623330426

msedge.exe

Remote address:

199.59.243.224:80

Request

GET /px.gif?ch=2&rn=7.295485623330426 HTTP/1.1
Host: m.worldxcup.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://m.worldxcup.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: parking_session=0a005cf0-32f6-40c4-9e9a-cdf7211a2c34

Response

HTTP/1.1 200 OK

server: openresty
date: Sun, 03 Sep 2023 04:28:37 GMT
content-type: image/gif
content-length: 42
last-modified: Tue, 18 Jul 2023 15:33:43 GMT
expires: Thu, 01 Jan 1970 00:00:01 GMT
cache-control: no-cache
cache-control: no-store, must-revalidate
cache-control: post-check=0, pre-check=0
pragma: no-cache
accept-ranges: bytes
POST

http://m.worldxcup.com/_tr

msedge.exe

Remote address:

199.59.243.224:80

Request

POST /_tr HTTP/1.1
Host: m.worldxcup.com
Connection: keep-alive
Content-Length: 1557
Accept: application/json
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Content-Type: application/json
Origin: http://m.worldxcup.com
Referer: http://m.worldxcup.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: parking_session=0a005cf0-32f6-40c4-9e9a-cdf7211a2c34; __gsas=ID=407bf336c172c9fc:T=1693715319:RT=1693715319:S=ALNI_MbZjNcpp9Ty5-8_CrR2-DhuWav4kg

Response

HTTP/1.1 200 OK

server: openresty
date: Sun, 03 Sep 2023 04:28:38 GMT
content-type: text/html; charset=UTF-8
content-encoding: gzip
content-length: 22
cache-control: no-cache
x-version: 2.106.5
expires: Thu, 01 Jan 1970 00:00:01 GMT
cache-control: no-store, must-revalidate
cache-control: post-check=0, pre-check=0
pragma: no-cache
set-cookie: parking_session=0a005cf0-32f6-40c4-9e9a-cdf7211a2c34; expires=Sun, 03 Sep 2023 04:43:39 GMT; Max-Age=900; path=/; httponly
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

224.243.59.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

224.243.59.199.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

196.168.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.168.217.172.in-addr.arpa

IN PTR

Response

196.168.217.172.in-addr.arpa

IN PTR

ams16s32-in-f41e100net
DNS

partner.googleadservices.com

msedge.exe

Remote address:

8.8.8.8:53

Request

partner.googleadservices.com

IN A

Response

partner.googleadservices.com

IN CNAME

partner46.googleadservices.com

partner46.googleadservices.com

IN A

142.251.36.2
GET

https://partner.googleadservices.com/gampad/cookie.js?domain=m.worldxcup.com&client=dp-bodis30_3ph&product=SAS&callback=__sasCookie

msedge.exe

Remote address:

142.251.36.2:443

Request

GET /gampad/cookie.js?domain=m.worldxcup.com&client=dp-bodis30_3ph&product=SAS&callback=__sasCookie HTTP/2.0
host: partner.googleadservices.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: http://m.worldxcup.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

afs.googleusercontent.com

msedge.exe

Remote address:

8.8.8.8:53

Request

afs.googleusercontent.com

IN A

Response

afs.googleusercontent.com

IN CNAME

googlehosted.l.googleusercontent.com

googlehosted.l.googleusercontent.com

IN A

142.251.36.1
GET

https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/chevron.svg?c=%2302198b

msedge.exe

Remote address:

142.251.36.1:443

Request

GET /ad_icons/standard/publisher_icon_image/chevron.svg?c=%2302198b HTTP/2.0
host: afs.googleusercontent.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/call_to_action_arrow.svg?c=%23ffffff

msedge.exe

Remote address:

142.251.36.1:443

Request

GET /ad_icons/standard/publisher_icon_image/call_to_action_arrow.svg?c=%23ffffff HTTP/2.0
host: afs.googleusercontent.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://www.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

parking3.parklogic.com

msedge.exe

Remote address:

8.8.8.8:53

Request

parking3.parklogic.com

IN A

Response

parking3.parklogic.com

IN A

45.79.244.209
GET

https://parking3.parklogic.com/page/enhance.js?pcId=7&pId=1129&domain=Worldxcup.com

msedge.exe

Remote address:

45.79.244.209:443

Request

GET /page/enhance.js?pcId=7&pId=1129&domain=Worldxcup.com HTTP/1.1
Host: parking3.parklogic.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: http://m.worldxcup.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

date: Sun, 03 Sep 2023 04:28:39 GMT
server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.5.38
x-powered-by: PHP/5.5.38
transfer-encoding: chunked
content-type: text/javascript;charset=UTF-8
connection: close
DNS

1.36.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.36.251.142.in-addr.arpa

IN PTR

Response

1.36.251.142.in-addr.arpa

IN PTR

ams15s44-in-f11e100net
DNS

2.36.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.36.251.142.in-addr.arpa

IN PTR

Response

2.36.251.142.in-addr.arpa

IN PTR

ams15s44-in-f21e100net
GET

https://parking3.parklogic.com/page/images/pe262/hero_nc.svg

msedge.exe

Remote address:

45.79.244.209:443

Request

GET /page/images/pe262/hero_nc.svg HTTP/1.1
Host: parking3.parklogic.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: http://m.worldxcup.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

date: Sun, 03 Sep 2023 04:28:40 GMT
server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.5.38
last-modified: Mon, 08 Mar 2021 23:04:00 GMT
etag: "bbe1-5bd0e72fe1800"
accept-ranges: bytes
content-length: 48097
content-type: image/svg+xml
connection: close
DNS

www.namecheap.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.namecheap.com

IN A

Response

www.namecheap.com

IN CNAME

www.namecheap.com.cdn.cloudflare.net

www.namecheap.com.cdn.cloudflare.net

IN A

104.16.99.56

www.namecheap.com.cdn.cloudflare.net

IN A

104.16.100.56
DNS

209.244.79.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.244.79.45.in-addr.arpa

IN PTR

Response

209.244.79.45.in-addr.arpa

IN PTR

45-79-244-209iplinodeusercontentcom
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

240.81.21.72.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.81.21.72.in-addr.arpa

IN PTR

Response
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

169.117.168.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.117.168.52.in-addr.arpa

IN PTR

Response

199.59.243.224:80

http://m.worldxcup.com/_fd

http

msedge.exe

3.1kB
76.3kB
39
67

HTTP Request

GET http://m.worldxcup.com/

HTTP Response

200

HTTP Request

GET http://m.worldxcup.com/aPrxYydVX.js

HTTP Response

200

HTTP Request

POST http://m.worldxcup.com/_fd

HTTP Response

200
199.59.243.224:80

http://m.worldxcup.com/px.gif?ch=1&rn=7.295485623330426

http

msedge.exe

796 B
649 B
7
6

HTTP Request

GET http://m.worldxcup.com/px.gif?ch=1&rn=7.295485623330426

HTTP Response

200
199.59.243.224:80

http://m.worldxcup.com/_tr

http

msedge.exe

3.1kB
1.3kB
11
10

HTTP Request

GET http://m.worldxcup.com/px.gif?ch=2&rn=7.295485623330426

HTTP Response

200

HTTP Request

POST http://m.worldxcup.com/_tr

HTTP Response

200
142.251.36.2:443

https://partner.googleadservices.com/gampad/cookie.js?domain=m.worldxcup.com&client=dp-bodis30_3ph&product=SAS&callback=__sasCookie

tls, http2

msedge.exe

1.9kB
7.3kB
16
17

HTTP Request

GET https://partner.googleadservices.com/gampad/cookie.js?domain=m.worldxcup.com&client=dp-bodis30_3ph&product=SAS&callback=__sasCookie
142.251.36.1:443

https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/call_to_action_arrow.svg?c=%23ffffff

tls, http2

msedge.exe

2.1kB
12.3kB
18
20

HTTP Request

GET https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/chevron.svg?c=%2302198b

HTTP Request

GET https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/call_to_action_arrow.svg?c=%23ffffff
142.251.36.1:443

afs.googleusercontent.com

tls, http2

msedge.exe

1.0kB
10.7kB
10
11
45.79.244.209:443

https://parking3.parklogic.com/page/enhance.js?pcId=7&pId=1129&domain=Worldxcup.com

tls, http

msedge.exe

1.7kB
7.5kB
12
13

HTTP Request

GET https://parking3.parklogic.com/page/enhance.js?pcId=7&pId=1129&domain=Worldxcup.com

HTTP Response

200
45.79.244.209:443

https://parking3.parklogic.com/page/images/pe262/hero_nc.svg

tls, http

msedge.exe

2.4kB
50.6kB
25
40

HTTP Request

GET https://parking3.parklogic.com/page/images/pe262/hero_nc.svg

HTTP Response

200

8.8.8.8:53

m.worldxcup.com

dns

msedge.exe

61 B
103 B
1
1

DNS Request

m.worldxcup.com

DNS Response

199.59.243.224
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

224.243.59.199.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

224.243.59.199.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

196.168.217.172.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.168.217.172.in-addr.arpa
8.8.8.8:53

partner.googleadservices.com

dns

msedge.exe

74 B
114 B
1
1

DNS Request

partner.googleadservices.com

DNS Response

142.251.36.2
8.8.8.8:53

afs.googleusercontent.com

dns

msedge.exe

71 B
116 B
1
1

DNS Request

afs.googleusercontent.com

DNS Response

142.251.36.1
8.8.8.8:53

parking3.parklogic.com

dns

msedge.exe

68 B
84 B
1
1

DNS Request

parking3.parklogic.com

DNS Response

45.79.244.209
8.8.8.8:53

1.36.251.142.in-addr.arpa

dns

71 B
109 B
1
1

DNS Request

1.36.251.142.in-addr.arpa
8.8.8.8:53

2.36.251.142.in-addr.arpa

dns

71 B
109 B
1
1

DNS Request

2.36.251.142.in-addr.arpa
8.8.8.8:53

www.namecheap.com

dns

msedge.exe

63 B
145 B
1
1

DNS Request

www.namecheap.com

DNS Response

104.16.99.56

104.16.100.56
8.8.8.8:53

209.244.79.45.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

209.244.79.45.in-addr.arpa
224.0.0.251:5353

459 B
7
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

240.81.21.72.in-addr.arpa

dns

71 B
142 B
1
1

DNS Request

240.81.21.72.in-addr.arpa
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

169.117.168.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

169.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d686809520430031d6ecf2c8de5f735

SHA1
64e3932e857e1b34077e1b7793f40ad35abaf6b8

SHA256
c5f61a0a6d91e818e9ada3e527de4a5975767d6425823b33ea107cec0c99874b

SHA512
8a5adfc8d90f0752672879cf18f55be8e80e36e2a7bdf281ee3967f9953413dc31c33a0b52ada169c3f628896a28caba1769d8d33874903260ad6c8d5a925e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
c88495b27bb47b2aa8164f400c150876

SHA1
176aa5e1b846dc11e34c8f0083c3a3bdebf90f16

SHA256
4269afceef7bab7fd0ca9229697a8eef3cafb287fef2f7a1e921ba1850878c09

SHA512
87cd2ec65c950c318fd0ebf03230a0c7ad417769471ece74c83ff35b781fbd4c9e71aedeb65f0d92ec28e7dba05d2e8f9e0b5cc67805fe7fbc34817e09de867a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
804B

MD5
4b900760b4c340c52bfee1990201296c

SHA1
ac06b049cccfa2894b68442344466e918c9ee48b

SHA256
0431c667c31a0bc6d6857a174d5112c8f2adf37729dbe72fc3425ef6949eeec6

SHA512
9bc7755006ad471c9537a978b91224f4501ba7128adbe7b4bb97427ba57f3c3bc11633ac143c0c9101a764f119d5a0bea06e79c20a9268df33daac6e0c0a5d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1731aaa8fc3b1572fe38970d5aa32874

SHA1
96714d88b0ad394b41a516d07d9e6221e84586f6

SHA256
2387a28fcff4f34af46b260a4df00ef10fe3e91262a86512aa5abbce2860b1ce

SHA512
8e781cda56b6aede694a876463b0fb3e5964edc41efbc3e2829af2ebf5fa0599c365d29267c5f757b32604e522f58cc1d51f843f015be7dcec67627bc794f245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ba99267faaecb534342a23edff7d96d

SHA1
346515569af6a42405d751926ee6299e7ff6d5f8

SHA256
594bc5c58da0f7cca39b63ab1436f0ebac2bf1d057b9c26d80eb2430e31fa388

SHA512
0b04fe51b1b45b1c0e62b8803d1eb27f9cbaf034122404a48c7e1e97b9f053784fff689253668acf1c860b61b641c6746022dc6d2d617f4157ecb20025f628c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0ea195b890a87594deb9c6aa963c1426

SHA1
4065f3fe0b70940a968f2ca342bac336be048082

SHA256
c51961b927f80537702a7ff5f77501c1e088cbfcc22199675400ea88876f4ef9

SHA512
59ae3e1e530b5c081089ee615fb5d227a1964068bcda421de1319e958438353bbed8ca275897deb097a564a6a60400e1faf6c3e1aa5764d1fbba15bdc1d9ddf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
200ea27b01cd199b370612b82e0b2ed9

SHA1
aad956bd4fea2863d6369172c1ede43736110308

SHA256
1322b18dc900a605aeb34c5d548dd93dfe5182f663039dc43229da7ee0cc97d5

SHA512
7320f92f88204099cb0ab275868f4061f2fc820a2aa20cc6cb2e972ee59ad317e28689a7f1b58331397fb99daa39c4d5b089ec89f0ea7edfc1e13d7597cd4ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3de23d7d9e1d93a8342dd709f0fd3c56

SHA1
1d4f66393f13b7cec34346b2505a103460f5c469

SHA256
dd29c802263ae31674d7d6db4ccb38fdf989c4a956f82b71d738f06055375a61

SHA512
486ee66c2eeafa0c535bf1a720bbbe4721414f89e36d5d68ad41583bbf8ed58cc000113689b2702d0a5bf75ca5ec29fadb42751ce47830489e719c29e3ba92ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.