Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 09:39 UTC

General

  • Target

    6463c8ff6b93608c2c69607f61bb7f25.exe

  • Size

    74KB

  • MD5

    6463c8ff6b93608c2c69607f61bb7f25

  • SHA1

    ecf4f76f5e8d8e884589551d816277767cb106e6

  • SHA256

    224cd902e333e3af20f0ba00b85f6c46208f280f7234b0c21a9d0971f2f6f2fb

  • SHA512

    f3a4f1b0272bba7b1a1c62ec5afb4ad1bd2a0781c7f312bb9c2202531368bb81b58b3fc30b23e96a29232faf39ad42a9ffbb6e8f6fee49ee94194c9fac6639db

  • SSDEEP

    1536:5oLDYsacy7mHMowHjXJuF5sdiLZVgHrmyvgHiHzb7ZXdlih5:5oPyys5jXJuF5ZLZWHrmyvQ5

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 15 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6463c8ff6b93608c2c69607f61bb7f25.exe
    "C:\Users\Admin\AppData\Local\Temp\6463c8ff6b93608c2c69607f61bb7f25.exe"
    1⤵
    • Loads dropped DLL
    • Checks for any installed AV software in registry
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\SysWOW64\WScript.exe
      WScript.exe C:\Users\Admin\AppData\Local\Temp\Temp\O1g8x0hNmuP8rEYuJjIAq1g8x0hNmuP8rEYuJjIAq\310714_is.jse
      2⤵
        PID:4564

    Network

    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      148.177.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      148.177.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      16.234.44.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      16.234.44.23.in-addr.arpa
      IN PTR
      Response
      16.234.44.23.in-addr.arpa
      IN PTR
      a23-44-234-16deploystaticakamaitechnologiescom
    • flag-us
      DNS
      158.240.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      158.240.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      4threquest.me
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      8.8.8.8:53
      Request
      4threquest.me
      IN A
      Response
    • flag-us
      DNS
      www.4threquest.me
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      8.8.8.8:53
      Request
      www.4threquest.me
      IN A
      Response
    • flag-us
      DNS
      www.4threquest.me
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      8.8.8.8:53
      Request
      www.4threquest.me
      IN A
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=58d046c2452444b8b69ff4dcb52f70f1&localId=w:E69C44C8-74AB-2316-FAE1-5827350BD28A&deviceId=6896190259398603&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=58d046c2452444b8b69ff4dcb52f70f1&localId=w:E69C44C8-74AB-2316-FAE1-5827350BD28A&deviceId=6896190259398603&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=2AD75555985465EA1C0D46A199B46435; domain=.bing.com; expires=Mon, 20-Jan-2025 16:30:34 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 28918891014645F68A6E2D1DC5D1C9B2 Ref B: LON04EDGE1119 Ref C: 2023-12-27T16:30:34Z
      date: Wed, 27 Dec 2023 16:30:34 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=58d046c2452444b8b69ff4dcb52f70f1&localId=w:E69C44C8-74AB-2316-FAE1-5827350BD28A&deviceId=6896190259398603&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=58d046c2452444b8b69ff4dcb52f70f1&localId=w:E69C44C8-74AB-2316-FAE1-5827350BD28A&deviceId=6896190259398603&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2AD75555985465EA1C0D46A199B46435
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=22VS-CrJL1FpIauJIVvP0alRXI6Lm6QxICXtPpFm7TA; domain=.bing.com; expires=Mon, 20-Jan-2025 16:30:36 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0E70A2E34BE542E9990F8D8ED7AA59F9 Ref B: LON04EDGE1119 Ref C: 2023-12-27T16:30:36Z
      date: Wed, 27 Dec 2023 16:30:35 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=58d046c2452444b8b69ff4dcb52f70f1&localId=w:E69C44C8-74AB-2316-FAE1-5827350BD28A&deviceId=6896190259398603&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=58d046c2452444b8b69ff4dcb52f70f1&localId=w:E69C44C8-74AB-2316-FAE1-5827350BD28A&deviceId=6896190259398603&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2AD75555985465EA1C0D46A199B46435; MSPTC=22VS-CrJL1FpIauJIVvP0alRXI6Lm6QxICXtPpFm7TA
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: AB1777162B944E11ABDDE579A86DD500 Ref B: LON04EDGE1119 Ref C: 2023-12-27T16:30:36Z
      date: Wed, 27 Dec 2023 16:30:35 GMT
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      195.233.44.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      195.233.44.23.in-addr.arpa
      IN PTR
      Response
      195.233.44.23.in-addr.arpa
      IN PTR
      a23-44-233-195deploystaticakamaitechnologiescom
    • flag-us
      DNS
      195.233.44.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      195.233.44.23.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      4threquest.me
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      8.8.8.8:53
      Request
      4threquest.me
      IN A
      Response
    • flag-us
      DNS
      4threquest.me
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      8.8.8.8:53
      Request
      4threquest.me
      IN A
    • flag-us
      DNS
      www.4threquest.me
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      8.8.8.8:53
      Request
      www.4threquest.me
      IN A
      Response
    • flag-us
      DNS
      www.4threquest.me
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      8.8.8.8:53
      Request
      www.4threquest.me
      IN A
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301255_1JJTCDF3S80817GOI&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301255_1JJTCDF3S80817GOI&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 275287
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1D48FC114DF3414CA3A14825500347C4 Ref B: LON04EDGE1115 Ref C: 2023-12-27T16:30:40Z
      date: Wed, 27 Dec 2023 16:30:40 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301243_1NFMASG3SLY79TVLK&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301243_1NFMASG3SLY79TVLK&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 582460
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 61E4DEBDFF74448089E3994071CADB54 Ref B: LON04EDGE1115 Ref C: 2023-12-27T16:30:40Z
      date: Wed, 27 Dec 2023 16:30:40 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301652_1R39G8DVE3D1IPAHO&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301652_1R39G8DVE3D1IPAHO&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 359617
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1BD2382984A54F53AC3EFA077BA26D90 Ref B: LON04EDGE1115 Ref C: 2023-12-27T16:30:40Z
      date: Wed, 27 Dec 2023 16:30:40 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301313_1BP2EQ0OTWFHQ8SRZ&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301313_1BP2EQ0OTWFHQ8SRZ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 411543
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 42B6E325BB654D868A4210AF88E3CDE6 Ref B: LON04EDGE1115 Ref C: 2023-12-27T16:30:40Z
      date: Wed, 27 Dec 2023 16:30:40 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301664_1DL2E71ET3JINATLK&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301664_1DL2E71ET3JINATLK&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 541836
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: DE2600DD66384B64A0E8BDC23BCE6A0E Ref B: LON04EDGE1115 Ref C: 2023-12-27T16:30:40Z
      date: Wed, 27 Dec 2023 16:30:40 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301722_1F4YKJYAF8ND8YNWI&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301722_1F4YKJYAF8ND8YNWI&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 366277
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D0057E2830D0409FB7C3D6B8C2543180 Ref B: LON04EDGE1115 Ref C: 2023-12-27T16:31:24Z
      date: Wed, 27 Dec 2023 16:31:24 GMT
    • flag-us
      DNS
      goo.gl
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      8.8.8.8:53
      Request
      goo.gl
      IN A
      Response
      goo.gl
      IN A
      172.217.16.238
    • flag-gb
      GET
      http://goo.gl/bEWr8d
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      172.217.16.238:80
      Request
      GET /bEWr8d HTTP/1.1
      Accept: */*
      Accept-Language: en-US
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
      Host: goo.gl
      Connection: Keep-Alive
      Response
      HTTP/1.1 301 Moved Permanently
      Content-Type: application/binary
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 27 Dec 2023 16:30:40 GMT
      Location: https://goo.gl/bEWr8d
      Server: ESF
      Content-Length: 0
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
    • flag-gb
      GET
      https://goo.gl/bEWr8d
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      172.217.16.238:443
      Request
      GET /bEWr8d HTTP/1.1
      Accept: */*
      Accept-Language: en-US
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
      Connection: Keep-Alive
      Host: goo.gl
      Response
      HTTP/1.1 302 Found
      Content-Type: application/binary
      Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 27 Dec 2023 16:30:41 GMT
      Location: http://2ndrequest.me/registro/140615f8.php
      Strict-Transport-Security: max-age=31536000
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DurableDeepLinkUi/cspreport
      Content-Security-Policy: script-src 'nonce-YIH0MkatGAMNCd-jhnUGrg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DurableDeepLinkUi/cspreport;worker-src 'self'
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Cross-Origin-Resource-Policy: same-site
      Cross-Origin-Opener-Policy: unsafe-none
      Server: ESF
      Content-Length: 0
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • flag-us
      DNS
      2.136.104.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.136.104.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      2ndrequest.me
      6463c8ff6b93608c2c69607f61bb7f25.exe
      Remote address:
      8.8.8.8:53
      Request
      2ndrequest.me
      IN A
      Response
    • flag-us
      DNS
      238.16.217.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      238.16.217.172.in-addr.arpa
      IN PTR
      Response
      238.16.217.172.in-addr.arpa
      IN PTR
      mad08s04-in-f141e100net
      238.16.217.172.in-addr.arpa
      IN PTR
      lhr48s28-in-f14
    • flag-us
      DNS
      3.200.250.142.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      3.200.250.142.in-addr.arpa
      IN PTR
      Response
      3.200.250.142.in-addr.arpa
      IN PTR
      lhr48s29-in-f31e100net
    • flag-us
      DNS
      217.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.135.221.88.in-addr.arpa
      IN PTR
      Response
      217.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-217deploystaticakamaitechnologiescom
    • flag-us
      DNS
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      48.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      48.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      89.16.208.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      89.16.208.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      89.16.208.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      89.16.208.104.in-addr.arpa
      IN PTR
    • 204.79.197.200:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=58d046c2452444b8b69ff4dcb52f70f1&localId=w:E69C44C8-74AB-2316-FAE1-5827350BD28A&deviceId=6896190259398603&anid=
      tls, http2
      2.4kB
      9.5kB
      24
      20

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=58d046c2452444b8b69ff4dcb52f70f1&localId=w:E69C44C8-74AB-2316-FAE1-5827350BD28A&deviceId=6896190259398603&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=58d046c2452444b8b69ff4dcb52f70f1&localId=w:E69C44C8-74AB-2316-FAE1-5827350BD28A&deviceId=6896190259398603&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=58d046c2452444b8b69ff4dcb52f70f1&localId=w:E69C44C8-74AB-2316-FAE1-5827350BD28A&deviceId=6896190259398603&anid=

      HTTP Response

      204
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301722_1F4YKJYAF8ND8YNWI&pid=21.2&w=1080&h=1920&c=4
      tls, http2
      94.6kB
      2.7MB
      1984
      1971

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301255_1JJTCDF3S80817GOI&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301243_1NFMASG3SLY79TVLK&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301652_1R39G8DVE3D1IPAHO&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301313_1BP2EQ0OTWFHQ8SRZ&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301664_1DL2E71ET3JINATLK&pid=21.2&w=1080&h=1920&c=4

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301722_1F4YKJYAF8ND8YNWI&pid=21.2&w=1080&h=1920&c=4

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.6kB
      8.2kB
      16
      11
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.5kB
      8.3kB
      17
      12
    • 172.217.16.238:80
      http://goo.gl/bEWr8d
      http
      6463c8ff6b93608c2c69607f61bb7f25.exe
      617 B
      546 B
      7
      4

      HTTP Request

      GET http://goo.gl/bEWr8d

      HTTP Response

      301
    • 172.217.16.238:443
      https://goo.gl/bEWr8d
      tls, http
      6463c8ff6b93608c2c69607f61bb7f25.exe
      1.5kB
      8.8kB
      16
      11

      HTTP Request

      GET https://goo.gl/bEWr8d

      HTTP Response

      302
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      8.3kB
      17
      14
    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      148.177.190.20.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      148.177.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      16.234.44.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      16.234.44.23.in-addr.arpa

    • 8.8.8.8:53
      158.240.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      158.240.127.40.in-addr.arpa

    • 8.8.8.8:53
      4threquest.me
      dns
      6463c8ff6b93608c2c69607f61bb7f25.exe
      59 B
      125 B
      1
      1

      DNS Request

      4threquest.me

    • 8.8.8.8:53
      www.4threquest.me
      dns
      6463c8ff6b93608c2c69607f61bb7f25.exe
      126 B
      129 B
      2
      1

      DNS Request

      www.4threquest.me

      DNS Request

      www.4threquest.me

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      158 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      195.233.44.23.in-addr.arpa
      dns
      144 B
      137 B
      2
      1

      DNS Request

      195.233.44.23.in-addr.arpa

      DNS Request

      195.233.44.23.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      355 B
      145 B
      5
      1

      DNS Request

      206.23.85.13.in-addr.arpa

      DNS Request

      206.23.85.13.in-addr.arpa

      DNS Request

      206.23.85.13.in-addr.arpa

      DNS Request

      206.23.85.13.in-addr.arpa

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      4threquest.me
      dns
      6463c8ff6b93608c2c69607f61bb7f25.exe
      118 B
      125 B
      2
      1

      DNS Request

      4threquest.me

      DNS Request

      4threquest.me

    • 8.8.8.8:53
      www.4threquest.me
      dns
      6463c8ff6b93608c2c69607f61bb7f25.exe
      126 B
      129 B
      2
      1

      DNS Request

      www.4threquest.me

      DNS Request

      www.4threquest.me

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      goo.gl
      dns
      6463c8ff6b93608c2c69607f61bb7f25.exe
      52 B
      68 B
      1
      1

      DNS Request

      goo.gl

      DNS Response

      172.217.16.238

    • 8.8.8.8:53
      2.136.104.51.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      2.136.104.51.in-addr.arpa

    • 8.8.8.8:53
      2ndrequest.me
      dns
      6463c8ff6b93608c2c69607f61bb7f25.exe
      59 B
      125 B
      1
      1

      DNS Request

      2ndrequest.me

    • 8.8.8.8:53
      238.16.217.172.in-addr.arpa
      dns
      73 B
      142 B
      1
      1

      DNS Request

      238.16.217.172.in-addr.arpa

    • 8.8.8.8:53
      3.200.250.142.in-addr.arpa
      dns
      72 B
      110 B
      1
      1

      DNS Request

      3.200.250.142.in-addr.arpa

    • 8.8.8.8:53
      217.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      217.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      43.58.199.20.in-addr.arpa
      dns
      142 B
      157 B
      2
      1

      DNS Request

      43.58.199.20.in-addr.arpa

      DNS Request

      43.58.199.20.in-addr.arpa

    • 8.8.8.8:53
      48.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      48.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      89.16.208.104.in-addr.arpa
      dns
      144 B
      146 B
      2
      1

      DNS Request

      89.16.208.104.in-addr.arpa

      DNS Request

      89.16.208.104.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nszF5FB.tmp\System.dll

      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    • C:\Users\Admin\AppData\Local\Temp\nszF5FB.tmp\inetc.dll

      Filesize

      21KB

      MD5

      d7a3fa6a6c738b4a3c40d5602af20b08

      SHA1

      34fc75d97f640609cb6cadb001da2cb2c0b3538a

      SHA256

      67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

      SHA512

      75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

    • C:\Users\Admin\AppData\Local\Temp\nszF5FB.tmp\nsWeb.dll

      Filesize

      8KB

      MD5

      84bcf3c71e70d5a6e9dc07d70466bdc3

      SHA1

      31603a1afc2d767a3392d363ff61533beaa25359

      SHA256

      7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf

      SHA512

      61aefa3c22d2f66053f568a4cc3a5fc1cf9deb514213b550e5182edcecd88fadf0cb78e7a593e6d4b7261ed1238e7693f1d38170c84a68baf4943c3b9584d48e

    • C:\Users\Admin\AppData\Local\Temp\nszF5FB.tmp\registry.dll

      Filesize

      24KB

      MD5

      2b7007ed0262ca02ef69d8990815cbeb

      SHA1

      2eabe4f755213666dbbbde024a5235ddde02b47f

      SHA256

      0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

      SHA512

      aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca
