0a8b4703517118f05483c8d7f3416130f1e8cb5e512fd4a756c2fb4ada2cd43f | Triage

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 13:17 UTC

Sharing

Report Analysis Logs

General

Target

211da615bc1c5bda63e8ed3caecaf68b.exe
Size

501KB
MD5

211da615bc1c5bda63e8ed3caecaf68b
SHA1

818ee48249335fc10b8b6fc42fca35bb66e9a95a
SHA256

0a8b4703517118f05483c8d7f3416130f1e8cb5e512fd4a756c2fb4ada2cd43f
SHA512

39cf4441d480647eb23f0744a86b5e2af62850da9d44ac096613ce1a085a7ed720b6903a4c909a7bb1f8277e4c5274e30ddff894eb3595cbeafa0a1cac71aabd
SSDEEP

12288:vRjPijdsbNjk1gl0cDdvC1wG1/fKyXzaVY0A5:vVmd4jBxvI1/fKyXzr0

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4604	211da615bc1c5bda63e8ed3caecaf68b.exe

Executes dropped EXE 1 IoCs

pid	Process
4604	211da615bc1c5bda63e8ed3caecaf68b.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1216-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/memory/4604-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0007000000023222-12.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 18 IoCs

pid	pid_target	Process	procid_target
2304	4604	WerFault.exe	33
2960	4604	WerFault.exe	33
1808	4604	WerFault.exe	33
680	4604	WerFault.exe	33
552	4604	WerFault.exe	33
2456	4604	WerFault.exe	33
740	4604	WerFault.exe	33
3116	4604	WerFault.exe	33
2232	4604	WerFault.exe	33
3524	4604	WerFault.exe	33
400	4604	WerFault.exe	33
4588	4604	WerFault.exe	33
4376	4604	WerFault.exe	33
4960	4604	WerFault.exe	33
1704	4604	WerFault.exe	33
4364	4604	WerFault.exe	33
3712	4604	WerFault.exe	33
3484	4604	WerFault.exe	33

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2120	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	211da615bc1c5bda63e8ed3caecaf68b.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	211da615bc1c5bda63e8ed3caecaf68b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	211da615bc1c5bda63e8ed3caecaf68b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	211da615bc1c5bda63e8ed3caecaf68b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	211da615bc1c5bda63e8ed3caecaf68b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1216	211da615bc1c5bda63e8ed3caecaf68b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1216	211da615bc1c5bda63e8ed3caecaf68b.exe
4604	211da615bc1c5bda63e8ed3caecaf68b.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4604	1216	211da615bc1c5bda63e8ed3caecaf68b.exe	33
PID 1216 wrote to memory of 4604	1216	211da615bc1c5bda63e8ed3caecaf68b.exe	33
PID 1216 wrote to memory of 4604	1216	211da615bc1c5bda63e8ed3caecaf68b.exe	33
PID 4604 wrote to memory of 2120	4604	211da615bc1c5bda63e8ed3caecaf68b.exe	36
PID 4604 wrote to memory of 2120	4604	211da615bc1c5bda63e8ed3caecaf68b.exe	36
PID 4604 wrote to memory of 2120	4604	211da615bc1c5bda63e8ed3caecaf68b.exe	36
PID 4604 wrote to memory of 3908	4604	211da615bc1c5bda63e8ed3caecaf68b.exe	42
PID 4604 wrote to memory of 3908	4604	211da615bc1c5bda63e8ed3caecaf68b.exe	42
PID 4604 wrote to memory of 3908	4604	211da615bc1c5bda63e8ed3caecaf68b.exe	42
PID 3908 wrote to memory of 2548	3908	cmd.exe	44
PID 3908 wrote to memory of 2548	3908	cmd.exe	44
PID 3908 wrote to memory of 2548	3908	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe
"C:\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe
  C:\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\211da615bc1c5bda63e8ed3caecaf68b.exe" /TN xWvB9PLxff3d /F
    3⤵
    - Creates scheduled task(s)
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN xWvB9PLxff3d > C:\Users\Admin\AppData\Local\Temp\ticSmcL0.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN xWvB9PLxff3d
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 616
    3⤵
    - Program crash
    PID:2304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 648
    3⤵
    - Program crash
    PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 656
    3⤵
    - Program crash
    PID:1808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 760
    3⤵
    - Program crash
    PID:680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 780
    3⤵
    - Program crash
    PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 836
    3⤵
    - Program crash
    PID:2456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1456
    3⤵
    - Program crash
    PID:740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1860
    3⤵
    - Program crash
    PID:3116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1924
    3⤵
    - Program crash
    PID:2232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1928
    3⤵
    - Program crash
    PID:3524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1868
    3⤵
    - Program crash
    PID:400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 2156
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1976
    3⤵
    - Program crash
    PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 2096
    3⤵
    - Program crash
    PID:4960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1924
    3⤵
    - Program crash
    PID:1704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1980
    3⤵
    - Program crash
    PID:4364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 2004
    3⤵
    - Program crash
    PID:3712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 648
    3⤵
    - Program crash
    PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4604 -ip 4604
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4604 -ip 4604
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4604 -ip 4604
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4604 -ip 4604
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4604 -ip 4604
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4604 -ip 4604
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4604 -ip 4604
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4604 -ip 4604
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4604 -ip 4604
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4604 -ip 4604
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4604 -ip 4604
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4604 -ip 4604
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4604 -ip 4604
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4604 -ip 4604
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4604 -ip 4604
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4604 -ip 4604
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4604 -ip 4604
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4604 -ip 4604
1⤵
PID:4856

Network

DNS

16.53.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.53.126.40.in-addr.arpa

IN PTR

Response
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

40.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.134.221.88.in-addr.arpa

IN PTR

Response

40.134.221.88.in-addr.arpa

IN PTR

a88-221-134-40deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee171670f85e4071ac6dabbc1984d2bd&localId=w:5CCFAF18-3F96-093A-F0B7-3C3E79A9C582&deviceId=6966554353444491&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee171670f85e4071ac6dabbc1984d2bd&localId=w:5CCFAF18-3F96-093A-F0B7-3C3E79A9C582&deviceId=6966554353444491&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2E1A8F1CE41E62EA09419CEEE5FE6340; domain=.bing.com; expires=Sat, 18-Jan-2025 13:18:34 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F0BD114A5FF740369221491896604AF4 Ref B: LON04EDGE1222 Ref C: 2023-12-25T13:18:34Z
date: Mon, 25 Dec 2023 13:18:34 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ee171670f85e4071ac6dabbc1984d2bd&localId=w:5CCFAF18-3F96-093A-F0B7-3C3E79A9C582&deviceId=6966554353444491&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ee171670f85e4071ac6dabbc1984d2bd&localId=w:5CCFAF18-3F96-093A-F0B7-3C3E79A9C582&deviceId=6966554353444491&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2E1A8F1CE41E62EA09419CEEE5FE6340

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=pIICuDuTJxpFd5UNi8THwG4y960DgRr2WLhE_I1cukc; domain=.bing.com; expires=Sat, 18-Jan-2025 13:18:34 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 946152B4810548E19A2C27B48B225B99 Ref B: LON04EDGE1222 Ref C: 2023-12-25T13:18:34Z
date: Mon, 25 Dec 2023 13:18:34 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee171670f85e4071ac6dabbc1984d2bd&localId=w:5CCFAF18-3F96-093A-F0B7-3C3E79A9C582&deviceId=6966554353444491&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee171670f85e4071ac6dabbc1984d2bd&localId=w:5CCFAF18-3F96-093A-F0B7-3C3E79A9C582&deviceId=6966554353444491&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2E1A8F1CE41E62EA09419CEEE5FE6340; MSPTC=pIICuDuTJxpFd5UNi8THwG4y960DgRr2WLhE_I1cukc

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6FA12F36541045AD8DF500B2E382A4C3 Ref B: LON04EDGE1222 Ref C: 2023-12-25T13:18:34Z
date: Mon, 25 Dec 2023 13:18:34 GMT
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

81.171.91.138.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.171.91.138.in-addr.arpa

IN PTR

Response
DNS

81.171.91.138.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.171.91.138.in-addr.arpa

IN PTR
DNS

pastebin.com

211da615bc1c5bda63e8ed3caecaf68b.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.68.143
DNS

pastebin.com

211da615bc1c5bda63e8ed3caecaf68b.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A
DNS

143.67.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.67.20.104.in-addr.arpa

IN PTR

Response
DNS

143.67.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.67.20.104.in-addr.arpa

IN PTR
DNS

143.67.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.67.20.104.in-addr.arpa

IN PTR
DNS

143.67.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.67.20.104.in-addr.arpa

IN PTR
DNS

143.67.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.67.20.104.in-addr.arpa

IN PTR
DNS

cutit.org

211da615bc1c5bda63e8ed3caecaf68b.exe

Remote address:

8.8.8.8:53

Request

cutit.org

IN A

Response

cutit.org

IN A

64.91.240.248
GET

https://cutit.org/oxgBR

211da615bc1c5bda63e8ed3caecaf68b.exe

Remote address:

64.91.240.248:443

Request

GET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; pt-br; MZ608 Build/7.7.1-141-7-FLEM-UMTS-LA) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Host: cutit.org
Cache-Control: no-cache

Response

HTTP/1.1 302 Moved Temporarily

Date: Mon, 25 Dec 2023 13:19:20 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Powered-By: PHP/5.4.16
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Location: http://ww1.cutit.org/oxgBR?usid=25&utid=4408218896
Content-Length: 0
Content-Type: text/html; charset=UTF-8
DNS

248.240.91.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

248.240.91.64.in-addr.arpa

IN PTR

Response

248.240.91.64.in-addr.arpa

IN PTR

crocodile parklogiccom
DNS

248.240.91.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

248.240.91.64.in-addr.arpa

IN PTR
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

32.169.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.169.19.2.in-addr.arpa

IN PTR

Response

32.169.19.2.in-addr.arpa

IN PTR

a2-19-169-32deploystaticakamaitechnologiescom
DNS

32.169.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.169.19.2.in-addr.arpa

IN PTR
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

193.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

193.179.17.96.in-addr.arpa

IN PTR

Response

193.179.17.96.in-addr.arpa

IN PTR

a96-17-179-193deploystaticakamaitechnologiescom
DNS

ww1.cutit.org

211da615bc1c5bda63e8ed3caecaf68b.exe

Remote address:

8.8.8.8:53

Request

ww1.cutit.org

IN A

Response

ww1.cutit.org

IN CNAME

sedoparking.com

sedoparking.com

IN A

64.190.63.136
DNS

ww1.cutit.org

211da615bc1c5bda63e8ed3caecaf68b.exe

Remote address:

8.8.8.8:53

Request

ww1.cutit.org

IN A
DNS

ww1.cutit.org

211da615bc1c5bda63e8ed3caecaf68b.exe

Remote address:

8.8.8.8:53

Request

ww1.cutit.org

IN A
GET

http://ww1.cutit.org/oxgBR?usid=25&utid=4408218896

211da615bc1c5bda63e8ed3caecaf68b.exe

Remote address:

64.190.63.136:80

Request

GET /oxgBR?usid=25&utid=4408218896 HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; pt-br; MZ608 Build/7.7.1-141-7-FLEM-UMTS-LA) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Cache-Control: no-cache
Host: ww1.cutit.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

date: Mon, 25 Dec 2023 13:19:23 GMT
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
vary: Accept-Encoding
x-powered-by: PHP/8.1.17
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_ZTTetwnwT9D/3Z0BneXbNkh5oKVz1FDxVxPwzTSYxXnFw2OHiL2gM+4SIrdr6FO4hL3N73IGPM/PDVxPEmYkPA==
last-modified: Mon, 25 Dec 2023 13:19:23 GMT
x-cache-miss-from: parking-56c7b4c6cb-77z4s
server: NginX
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301524_1QHZ48X3FA5D7O1LG&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301524_1QHZ48X3FA5D7O1LG&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 130407
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D7806BC34E3E49B4AFA33998E568DD66 Ref B: LON04EDGE1215 Ref C: 2023-12-25T13:19:24Z
date: Mon, 25 Dec 2023 13:19:24 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301644_1VM6W540D06LTCJ4J&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301644_1VM6W540D06LTCJ4J&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 300283
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CC9A6E450D1247F486C7B97B41BB1737 Ref B: LON04EDGE1215 Ref C: 2023-12-25T13:19:24Z
date: Mon, 25 Dec 2023 13:19:24 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301246_1WJH3TXXVOGBRWUGS&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301246_1WJH3TXXVOGBRWUGS&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 628594
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CE82C36CF6BE4765BAD4895DA3300DB3 Ref B: LON04EDGE1215 Ref C: 2023-12-25T13:19:25Z
date: Mon, 25 Dec 2023 13:19:25 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301091_17CAP65GDSQMFV4JE&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301091_17CAP65GDSQMFV4JE&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 163903
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 45658C71507F42D1BA5CA067ABDAB42F Ref B: LON04EDGE1215 Ref C: 2023-12-25T13:19:25Z
date: Mon, 25 Dec 2023 13:19:25 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301235_1HF3YV71T1KJCXDY3&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301235_1HF3YV71T1KJCXDY3&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 358514
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F0F82BC381E7482285D93783742522D2 Ref B: LON04EDGE1215 Ref C: 2023-12-25T13:19:25Z
date: Mon, 25 Dec 2023 13:19:25 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301655_1DZQZV6Z7ZOAU893W&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301655_1DZQZV6Z7ZOAU893W&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 605112
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2B83C96271F64539B78028195BABB343 Ref B: LON04EDGE1215 Ref C: 2023-12-25T13:20:00Z
date: Mon, 25 Dec 2023 13:20:00 GMT
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response
DNS

136.63.190.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.63.190.64.in-addr.arpa

IN PTR

Response
DNS

136.63.190.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.63.190.64.in-addr.arpa

IN PTR

Response
DNS

9.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.134.221.88.in-addr.arpa

IN PTR

Response

9.134.221.88.in-addr.arpa

IN PTR

a88-221-134-9deploystaticakamaitechnologiescom
DNS

9.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.134.221.88.in-addr.arpa

IN PTR

Response

9.134.221.88.in-addr.arpa

IN PTR

a88-221-134-9deploystaticakamaitechnologiescom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR
DNS

100.5.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.5.17.2.in-addr.arpa

IN PTR

Response

100.5.17.2.in-addr.arpa

IN PTR

a2-17-5-100deploystaticakamaitechnologiescom
DNS

100.5.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.5.17.2.in-addr.arpa

IN PTR
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

56.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.134.221.88.in-addr.arpa

IN PTR

Response

56.134.221.88.in-addr.arpa

IN PTR

a88-221-134-56deploystaticakamaitechnologiescom
DNS

56.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.134.221.88.in-addr.arpa

IN PTR

Response

56.134.221.88.in-addr.arpa

IN PTR

a88-221-134-56deploystaticakamaitechnologiescom
DNS

8.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.179.89.13.in-addr.arpa

IN PTR

Response
DNS

8.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.179.89.13.in-addr.arpa

IN PTR

Response
DNS

43.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.134.221.88.in-addr.arpa

IN PTR

Response

43.134.221.88.in-addr.arpa

IN PTR

a88-221-134-43deploystaticakamaitechnologiescom
DNS

43.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.134.221.88.in-addr.arpa

IN PTR

52.142.223.178:80

104 B
2
204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee171670f85e4071ac6dabbc1984d2bd&localId=w:5CCFAF18-3F96-093A-F0B7-3C3E79A9C582&deviceId=6966554353444491&anid=

tls, http2

2.2kB
9.7kB
24
20

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee171670f85e4071ac6dabbc1984d2bd&localId=w:5CCFAF18-3F96-093A-F0B7-3C3E79A9C582&deviceId=6966554353444491&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ee171670f85e4071ac6dabbc1984d2bd&localId=w:5CCFAF18-3F96-093A-F0B7-3C3E79A9C582&deviceId=6966554353444491&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee171670f85e4071ac6dabbc1984d2bd&localId=w:5CCFAF18-3F96-093A-F0B7-3C3E79A9C582&deviceId=6966554353444491&anid=

HTTP Response

204
104.20.67.143:443

pastebin.com

211da615bc1c5bda63e8ed3caecaf68b.exe

236 B
92 B
5
2
64.91.240.248:443

https://cutit.org/oxgBR

tls, http

211da615bc1c5bda63e8ed3caecaf68b.exe

1.2kB
3.9kB
14
9

HTTP Request

GET https://cutit.org/oxgBR

HTTP Response

302
64.190.63.136:80

http://ww1.cutit.org/oxgBR?usid=25&utid=4408218896

http

211da615bc1c5bda63e8ed3caecaf68b.exe

1.8kB
31.7kB
34
27

HTTP Request

GET http://ww1.cutit.org/oxgBR?usid=25&utid=4408218896

HTTP Response

200
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301655_1DZQZV6Z7ZOAU893W&pid=21.2&w=1080&h=1920&c=4

tls, http2

85.5kB
2.3MB
1669
1662

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301524_1QHZ48X3FA5D7O1LG&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301644_1VM6W540D06LTCJ4J&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301246_1WJH3TXXVOGBRWUGS&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301091_17CAP65GDSQMFV4JE&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301235_1HF3YV71T1KJCXDY3&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301655_1DZQZV6Z7ZOAU893W&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
8.3kB
17
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.8kB
8.7kB
19
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.8kB
8.7kB
19
13

8.8.8.8:53

16.53.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

16.53.126.40.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

40.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

40.134.221.88.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

146 B
144 B
2
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

146 B
106 B
2
1

DNS Request

200.197.79.204.in-addr.arpa

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

81.171.91.138.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

81.171.91.138.in-addr.arpa

DNS Request

81.171.91.138.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

211da615bc1c5bda63e8ed3caecaf68b.exe

116 B
106 B
2
1

DNS Request

pastebin.com

DNS Request

pastebin.com

DNS Response

104.20.67.143

172.67.34.170

104.20.68.143
8.8.8.8:53

143.67.20.104.in-addr.arpa

dns

360 B
134 B
5
1

DNS Request

143.67.20.104.in-addr.arpa

DNS Request

143.67.20.104.in-addr.arpa

DNS Request

143.67.20.104.in-addr.arpa

DNS Request

143.67.20.104.in-addr.arpa

DNS Request

143.67.20.104.in-addr.arpa
8.8.8.8:53

cutit.org

dns

211da615bc1c5bda63e8ed3caecaf68b.exe

55 B
71 B
1
1

DNS Request

cutit.org

DNS Response

64.91.240.248
8.8.8.8:53

248.240.91.64.in-addr.arpa

dns

144 B
109 B
2
1

DNS Request

248.240.91.64.in-addr.arpa

DNS Request

248.240.91.64.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

32.169.19.2.in-addr.arpa

dns

140 B
133 B
2
1

DNS Request

32.169.19.2.in-addr.arpa

DNS Request

32.169.19.2.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

146.78.124.51.in-addr.arpa

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

193.179.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

193.179.17.96.in-addr.arpa
8.8.8.8:53

ww1.cutit.org

dns

211da615bc1c5bda63e8ed3caecaf68b.exe

177 B
104 B
3
1

DNS Request

ww1.cutit.org

DNS Request

ww1.cutit.org

DNS Request

ww1.cutit.org

DNS Response

64.190.63.136
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
173 B
2
1

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

88.156.103.20.in-addr.arpa

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

79.121.231.20.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

79.121.231.20.in-addr.arpa

DNS Request

79.121.231.20.in-addr.arpa
8.8.8.8:53

136.63.190.64.in-addr.arpa

dns

144 B
312 B
2
2

DNS Request

136.63.190.64.in-addr.arpa

DNS Request

136.63.190.64.in-addr.arpa
8.8.8.8:53

9.134.221.88.in-addr.arpa

dns

142 B
270 B
2
2

DNS Request

9.134.221.88.in-addr.arpa

DNS Request

9.134.221.88.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

288 B
158 B
4
1

DNS Request

14.227.111.52.in-addr.arpa

DNS Request

14.227.111.52.in-addr.arpa

DNS Request

14.227.111.52.in-addr.arpa

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

100.5.17.2.in-addr.arpa

dns

138 B
131 B
2
1

DNS Request

100.5.17.2.in-addr.arpa

DNS Request

100.5.17.2.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

119.110.54.20.in-addr.arpa

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

56.134.221.88.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

56.134.221.88.in-addr.arpa

DNS Request

56.134.221.88.in-addr.arpa
8.8.8.8:53

8.179.89.13.in-addr.arpa

dns

140 B
288 B
2
2

DNS Request

8.179.89.13.in-addr.arpa

DNS Request

8.179.89.13.in-addr.arpa
8.8.8.8:53

43.134.221.88.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

43.134.221.88.in-addr.arpa

DNS Request

43.134.221.88.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1216-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1216-4-0x0000000001730000-0x00000000017AE000-memory.dmp

Filesize
504KB

Download
memory/1216-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4604-16-0x00000000018C0000-0x000000000193E000-memory.dmp

Filesize
504KB

Download
memory/4604-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/4604-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4604-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4604-32-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download