Analysis

  • max time kernel
    125s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2023, 11:24 UTC

General

  • Target
    NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe
  • Size
    1.4MB
  • MD5
    a6c81a90d72b2ca218b6a74996f62e46
  • SHA1
    6ee3282f253d4c117b87c27519505e4b238079f4
  • SHA256
    4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4
  • SHA512
    411cfa2b0e13b844da6d0741e2bb8a27b854ff884b72b9cb493dfd3d1223bf1472e5b27a4441c182a9894751f03222e78f09d520beb1767160a56a8be603fadc
  • SSDEEP
    24576:US9nR7hC+aARWXVa5RZLVUIICx0TcoXicHVf+ppJ7W:VkiiCxjoBHVf+pT7W

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 33 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Local\Temp\NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3556
  • C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe
    C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe
      C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe
      2⤵
      • Executes dropped EXE
      PID:4180
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:800
  • C:\Users\Admin\AppData\Local\Temp\sumwzxe.exe
    C:\Users\Admin\AppData\Local\Temp\sumwzxe.exe
    1⤵
    • Executes dropped EXE
    PID:1452
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 432
      2⤵
      • Program crash
      PID:1128
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1452 -ip 1452
    1⤵
    PID:2568

Network

    • GET http://185.196.9.161/dats.exe
      Process: InstallUtil.exe
      Remote address: 185.196.9.161:80 (IT)
      Request
      GET /dats.exe HTTP/1.1
      Host: 185.196.9.161
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sat, 11 Nov 2023 11:26:10 GMT
      Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
      Last-Modified: Fri, 10 Nov 2023 23:10:59 GMT
      ETag: "39bc0-609d46ef8358e"
      Accept-Ranges: bytes
      Content-Length: 236480
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: application/x-msdownload
    • 80.85.241.193:58001
      InstallUtil.exe
      482 B
      352 B
      7
      6
    • 185.196.9.161:80
      http://185.196.9.161/dats.exe
      http
      InstallUtil.exe
      4.3kB
      243.9kB
      92
      177

      HTTP Request

      GET http://185.196.9.161/dats.exe

      HTTP Response

      200
    • 80.85.241.193:58001
      InstallUtil.exe
      452 B
      172 B
      6
      4
Downloads

    • C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe
      Filesize: 1.4MB
      MD5: a6c81a90d72b2ca218b6a74996f62e46
      SHA1: 6ee3282f253d4c117b87c27519505e4b238079f4
      SHA256: 4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4
      SHA512: 411cfa2b0e13b844da6d0741e2bb8a27b854ff884b72b9cb493dfd3d1223bf1472e5b27a4441c182a9894751f03222e78f09d520beb1767160a56a8be603fadc

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe.log
      Filesize: 1KB
      MD5: 84a01db52ea5a878520e162c80acfcd3
      SHA1: 49b7c5c072f6c32e54cc97c1dcbee90de0dd4738
      SHA256: 25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe
      SHA512: 0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

    • C:\Users\Admin\AppData\Local\Temp\sumwzxe.exe
      Filesize: 230KB
      MD5: 99429748908f36ca97c4f69ff3b5225f
      SHA1: 0b72d4875765354c185a2a854e3f0be2bdaf9b53
      SHA256: f17ae0a90c9b00001bfe421ab271e7973a1ad14bfdad235ff025ccd617de6b71
      SHA512: 8355b93acba30b59522602d7ec945ad8049edfbe5fa9e71b8b3b0eba4e3dbc578e931d8a642f6c77402473c54c8aa9cdbaf1375fd686ac77b2dbd5a1b4885235
