83b8a52adde102c118a5c8a47fc9e83155601e0ab423b1887fa68a5e34cce1e6

Analysis

max time kernel
139s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 15:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Пак/Специальн. твики/Network_Tweaks.bat
Size

3KB
MD5

257c9ccd5fa59498dbfcf75b07f30a73
SHA1

cd333e7847a91200d7281bc6d14f864908b1acfd
SHA256

d0a0f15415723601124794ccf93271fb5fac14b7c00c160dbddb7794968e802f
SHA512

26ebdc68c18a3006972030e32b05b69a9d949e10a312833818749aa109065f359a5eb5346d8ffe6c99dc3fc98f55aa7d384247d3e9fd3166605bbe901e4033f7

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
708	powershell.exe
708	powershell.exe
2720	powershell.exe
2720	powershell.exe
4352	powershell.exe
4352	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	708	powershell.exe
Token: SeIncreaseQuotaPrivilege	708	powershell.exe
Token: SeSecurityPrivilege	708	powershell.exe
Token: SeTakeOwnershipPrivilege	708	powershell.exe
Token: SeLoadDriverPrivilege	708	powershell.exe
Token: SeSystemProfilePrivilege	708	powershell.exe
Token: SeSystemtimePrivilege	708	powershell.exe
Token: SeProfSingleProcessPrivilege	708	powershell.exe
Token: SeIncBasePriorityPrivilege	708	powershell.exe
Token: SeCreatePagefilePrivilege	708	powershell.exe
Token: SeBackupPrivilege	708	powershell.exe
Token: SeRestorePrivilege	708	powershell.exe
Token: SeShutdownPrivilege	708	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeSystemEnvironmentPrivilege	708	powershell.exe
Token: SeRemoteShutdownPrivilege	708	powershell.exe
Token: SeUndockPrivilege	708	powershell.exe
Token: SeManageVolumePrivilege	708	powershell.exe
Token: 33	708	powershell.exe
Token: 34	708	powershell.exe
Token: 35	708	powershell.exe
Token: 36	708	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeIncreaseQuotaPrivilege	2720	powershell.exe
Token: SeSecurityPrivilege	2720	powershell.exe
Token: SeTakeOwnershipPrivilege	2720	powershell.exe
Token: SeLoadDriverPrivilege	2720	powershell.exe
Token: SeSystemProfilePrivilege	2720	powershell.exe
Token: SeSystemtimePrivilege	2720	powershell.exe
Token: SeProfSingleProcessPrivilege	2720	powershell.exe
Token: SeIncBasePriorityPrivilege	2720	powershell.exe
Token: SeCreatePagefilePrivilege	2720	powershell.exe
Token: SeBackupPrivilege	2720	powershell.exe
Token: SeRestorePrivilege	2720	powershell.exe
Token: SeShutdownPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeSystemEnvironmentPrivilege	2720	powershell.exe
Token: SeRemoteShutdownPrivilege	2720	powershell.exe
Token: SeUndockPrivilege	2720	powershell.exe
Token: SeManageVolumePrivilege	2720	powershell.exe
Token: 33	2720	powershell.exe
Token: 34	2720	powershell.exe
Token: 35	2720	powershell.exe
Token: 36	2720	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeIncreaseQuotaPrivilege	4352	powershell.exe
Token: SeSecurityPrivilege	4352	powershell.exe
Token: SeTakeOwnershipPrivilege	4352	powershell.exe
Token: SeLoadDriverPrivilege	4352	powershell.exe
Token: SeSystemProfilePrivilege	4352	powershell.exe
Token: SeSystemtimePrivilege	4352	powershell.exe
Token: SeProfSingleProcessPrivilege	4352	powershell.exe
Token: SeIncBasePriorityPrivilege	4352	powershell.exe
Token: SeCreatePagefilePrivilege	4352	powershell.exe
Token: SeBackupPrivilege	4352	powershell.exe
Token: SeRestorePrivilege	4352	powershell.exe
Token: SeShutdownPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeSystemEnvironmentPrivilege	4352	powershell.exe
Token: SeRemoteShutdownPrivilege	4352	powershell.exe
Token: SeUndockPrivilege	4352	powershell.exe
Token: SeManageVolumePrivilege	4352	powershell.exe
Token: 33	4352	powershell.exe
Token: 34	4352	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4960	4944	cmd.exe	92
PID 4944 wrote to memory of 4960	4944	cmd.exe	92
PID 4944 wrote to memory of 2824	4944	cmd.exe	97
PID 4944 wrote to memory of 2824	4944	cmd.exe	97
PID 4944 wrote to memory of 4820	4944	cmd.exe	98
PID 4944 wrote to memory of 4820	4944	cmd.exe	98
PID 4944 wrote to memory of 5112	4944	cmd.exe	99
PID 4944 wrote to memory of 5112	4944	cmd.exe	99
PID 4944 wrote to memory of 4460	4944	cmd.exe	100
PID 4944 wrote to memory of 4460	4944	cmd.exe	100
PID 4944 wrote to memory of 1164	4944	cmd.exe	101
PID 4944 wrote to memory of 1164	4944	cmd.exe	101
PID 4944 wrote to memory of 4184	4944	cmd.exe	102
PID 4944 wrote to memory of 4184	4944	cmd.exe	102
PID 4944 wrote to memory of 3972	4944	cmd.exe	103
PID 4944 wrote to memory of 3972	4944	cmd.exe	103
PID 4944 wrote to memory of 3380	4944	cmd.exe	104
PID 4944 wrote to memory of 3380	4944	cmd.exe	104
PID 4944 wrote to memory of 832	4944	cmd.exe	105
PID 4944 wrote to memory of 832	4944	cmd.exe	105
PID 4944 wrote to memory of 4692	4944	cmd.exe	106
PID 4944 wrote to memory of 4692	4944	cmd.exe	106
PID 4944 wrote to memory of 3264	4944	cmd.exe	107
PID 4944 wrote to memory of 3264	4944	cmd.exe	107
PID 4944 wrote to memory of 3812	4944	cmd.exe	108
PID 4944 wrote to memory of 3812	4944	cmd.exe	108
PID 4944 wrote to memory of 3996	4944	cmd.exe	109
PID 4944 wrote to memory of 3996	4944	cmd.exe	109
PID 4944 wrote to memory of 708	4944	cmd.exe	110
PID 4944 wrote to memory of 708	4944	cmd.exe	110
PID 4944 wrote to memory of 2720	4944	cmd.exe	112
PID 4944 wrote to memory of 2720	4944	cmd.exe	112
PID 4944 wrote to memory of 4352	4944	cmd.exe	114
PID 4944 wrote to memory of 4352	4944	cmd.exe	114
PID 4944 wrote to memory of 3280	4944	cmd.exe	115
PID 4944 wrote to memory of 3280	4944	cmd.exe	115
PID 4944 wrote to memory of 4372	4944	cmd.exe	116
PID 4944 wrote to memory of 4372	4944	cmd.exe	116
PID 4944 wrote to memory of 3136	4944	cmd.exe	117
PID 4944 wrote to memory of 3136	4944	cmd.exe	117
PID 4944 wrote to memory of 5012	4944	cmd.exe	119
PID 4944 wrote to memory of 5012	4944	cmd.exe	119
PID 4944 wrote to memory of 4200	4944	cmd.exe	118
PID 4944 wrote to memory of 4200	4944	cmd.exe	118
PID 4944 wrote to memory of 1764	4944	cmd.exe	122
PID 4944 wrote to memory of 1764	4944	cmd.exe	122
PID 4944 wrote to memory of 4876	4944	cmd.exe	120
PID 4944 wrote to memory of 4876	4944	cmd.exe	120
PID 4944 wrote to memory of 1204	4944	cmd.exe	121
PID 4944 wrote to memory of 1204	4944	cmd.exe	121
PID 4944 wrote to memory of 2344	4944	cmd.exe	124
PID 4944 wrote to memory of 2344	4944	cmd.exe	124
PID 4944 wrote to memory of 4112	4944	cmd.exe	123
PID 4944 wrote to memory of 4112	4944	cmd.exe	123
PID 4944 wrote to memory of 2000	4944	cmd.exe	125
PID 4944 wrote to memory of 2000	4944	cmd.exe	125
PID 4944 wrote to memory of 1516	4944	cmd.exe	126
PID 4944 wrote to memory of 1516	4944	cmd.exe	126
PID 4944 wrote to memory of 3348	4944	cmd.exe	127
PID 4944 wrote to memory of 3348	4944	cmd.exe	127
PID 4944 wrote to memory of 1164	4944	cmd.exe	128
PID 4944 wrote to memory of 1164	4944	cmd.exe	128
PID 4944 wrote to memory of 3788	4944	cmd.exe	130
PID 4944 wrote to memory of 3788	4944	cmd.exe	130

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Пак\Специальн. твики\Network_Tweaks.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\system32\netsh.exe
  netsh int tcp set global autotuninglevel=disabled
  2⤵
  PID:4960
- C:\Windows\system32\netsh.exe
  netsh int tcp set global ecncapability=disabled
  2⤵
  PID:2824
- C:\Windows\system32\netsh.exe
  netsh int tcp set global dca=enabled
  2⤵
  PID:4820
- C:\Windows\system32\netsh.exe
  netsh int tcp set global netdma=enabled
  2⤵
  PID:5112
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rsc=disabled
  2⤵
  PID:4460
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rss=enabled
  2⤵
  PID:1164
- C:\Windows\system32\netsh.exe
  netsh int tcp set global timestamps=disabled
  2⤵
  PID:4184
- C:\Windows\system32\netsh.exe
  netsh int tcp set global initialRto=2000
  2⤵
  PID:3972
- C:\Windows\system32\netsh.exe
  netsh int tcp set global nonsackrttresiliency=disabled
  2⤵
  PID:3380
- C:\Windows\system32\netsh.exe
  netsh int tcp set global maxsynretransmissions=2
  2⤵
  PID:832
- C:\Windows\system32\netsh.exe
  netsh int tcp set security mpp=disabled
  2⤵
  PID:4692
- C:\Windows\system32\netsh.exe
  netsh int tcp set security profiles=disabled
  2⤵
  PID:3264
- C:\Windows\system32\netsh.exe
  netsh int tcp set heuristics disabled
  2⤵
  PID:3812
- C:\Windows\system32\netsh.exe
  netsh int ip set global neighborcachelimit=4096
  2⤵
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-NetTCPSetting -SettingName InternetCustom -MinRto 300"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-NetTCPSetting -SettingName InternetCustom -InitialCongestionWindow 10"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-NetOffloadGlobalSetting -Chimney Disabled"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f
  2⤵
  PID:3280
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "1" /f
  2⤵
  PID:4372
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f
  2⤵
  PID:3136
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f
  2⤵
  PID:4200
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f
  2⤵
  PID:5012
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "UseDelayedAcceptance" /t REG_DWORD /d "0" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "MaxSockAddrLength" /t REG_DWORD /d "16" /f
  2⤵
  PID:1204
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "30" /f
  2⤵
  PID:1764
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
  2⤵
  PID:4112
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "MinSockAddrLength" /t REG_DWORD /d "16" /f
  2⤵
  PID:2344
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
  2⤵
  PID:2000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
  2⤵
  PID:1516
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
  2⤵
  PID:3348
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableAutoDoh" /t REG_DWORD /d "2" /f
  2⤵
  PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:3116
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:3648
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:1344
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DoNotHoldNicBuffers" /t REG_DWORD /d "1" /f
  2⤵
  PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:3580
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:3016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:2620
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EDAA39D1-9B2E-4E7B-9FFC-82494222D560}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
  2⤵
  PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:5052
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:1684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:4496
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EDAA39D1-9B2E-4E7B-9FFC-82494222D560}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
  2⤵
  PID:4692
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EDAA39D1-9B2E-4E7B-9FFC-82494222D560}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
  2⤵
  PID:1512

Network

DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

210.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.178.17.96.in-addr.arpa

IN PTR

Response

210.178.17.96.in-addr.arpa

IN PTR

a96-17-178-210deploystaticakamaitechnologiescom
DNS

210.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.178.17.96.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

178.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.178.17.96.in-addr.arpa

IN PTR

Response

178.178.17.96.in-addr.arpa

IN PTR

a96-17-178-178deploystaticakamaitechnologiescom
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301297_1J2ZW9N7YCUNF9AOR&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301297_1J2ZW9N7YCUNF9AOR&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 179601
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BEABFABC4EFB4655A1B9BD675A27E5D2 Ref B: LON04EDGE1205 Ref C: 2023-12-26T15:50:42Z
date: Tue, 26 Dec 2023 15:50:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301548_1L6E4C2XNVN578CJ7&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301548_1L6E4C2XNVN578CJ7&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 405005
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4752C3788442487A987E7B9C61B10075 Ref B: LON04EDGE1205 Ref C: 2023-12-26T15:50:42Z
date: Tue, 26 Dec 2023 15:50:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301115_1WV4BO8Q0W9O23TET&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301115_1WV4BO8Q0W9O23TET&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 350944
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B312CB23A2A4403DA5336CFF78348AF0 Ref B: LON04EDGE1205 Ref C: 2023-12-26T15:50:42Z
date: Tue, 26 Dec 2023 15:50:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301485_1NTN1BXS5D45I6YE3&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301485_1NTN1BXS5D45I6YE3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 253374
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DBA3D45EDCE549AF9F99889B3D219C17 Ref B: LON04EDGE1205 Ref C: 2023-12-26T15:50:42Z
date: Tue, 26 Dec 2023 15:50:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301052_13ZNLYXSXUG0LCF49&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301052_13ZNLYXSXUG0LCF49&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 349842
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 83A2F63060DF42B7A8B056180ED3DD04 Ref B: LON04EDGE1205 Ref C: 2023-12-26T15:50:42Z
date: Tue, 26 Dec 2023 15:50:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301706_17S9L09M7RSRY2I32&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301706_17S9L09M7RSRY2I32&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 336071
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5505704D92EC4221AA1BBF9433B4B8BC Ref B: LON04EDGE1205 Ref C: 2023-12-26T15:50:57Z
date: Tue, 26 Dec 2023 15:50:57 GMT
DNS

191.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.178.17.96.in-addr.arpa

IN PTR

Response

191.178.17.96.in-addr.arpa

IN PTR

a96-17-178-191deploystaticakamaitechnologiescom
DNS

191.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.178.17.96.in-addr.arpa

IN PTR
DNS

191.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.178.17.96.in-addr.arpa

IN PTR
DNS

191.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.178.17.96.in-addr.arpa

IN PTR
DNS

122.10.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

122.10.44.20.in-addr.arpa

IN PTR

Response
DNS

122.10.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

122.10.44.20.in-addr.arpa

IN PTR
DNS

122.10.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

122.10.44.20.in-addr.arpa

IN PTR
DNS

122.10.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

122.10.44.20.in-addr.arpa

IN PTR

96.16.110.114:80

276 B
6
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
9.6kB
15
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
9.6kB
15
13
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301706_17S9L09M7RSRY2I32&pid=21.2&w=1080&h=1920&c=4

tls, http2

69.0kB
2.0MB
1437
1433

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301297_1J2ZW9N7YCUNF9AOR&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301548_1L6E4C2XNVN578CJ7&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301115_1WV4BO8Q0W9O23TET&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301485_1NTN1BXS5D45I6YE3&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301052_13ZNLYXSXUG0LCF49&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301706_17S9L09M7RSRY2I32&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
9.6kB
17
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.7kB
8.3kB
18
15

8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

210.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

210.178.17.96.in-addr.arpa

DNS Request

210.178.17.96.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

146 B
144 B
2
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

178.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

178.178.17.96.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

26.35.223.20.in-addr.arpa

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

191.178.17.96.in-addr.arpa

dns

288 B
137 B
4
1

DNS Request

191.178.17.96.in-addr.arpa

DNS Request

191.178.17.96.in-addr.arpa

DNS Request

191.178.17.96.in-addr.arpa

DNS Request

191.178.17.96.in-addr.arpa
8.8.8.8:53

122.10.44.20.in-addr.arpa

dns

284 B
145 B
4
1

DNS Request

122.10.44.20.in-addr.arpa

DNS Request

122.10.44.20.in-addr.arpa

DNS Request

122.10.44.20.in-addr.arpa

DNS Request

122.10.44.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
6103fe5d5027cab041f301df51eac4c4

SHA1
c657565a144127c840a918019386d0215fd8c344

SHA256
417c4cb2b29babf944e6c41ea1b362908782127c5894ef0fe3372abc855fbfd3

SHA512
6a2ec9fb27a748a8de37064cca4464dbe2758b0711e6622c8ff6f2dccd8b332d933abc8014dfe22e0a86659211fc7c394d9ccbf965d1f253e4cf59ebb290d9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ff6ca6c8af16c7c43be05954f5fe433

SHA1
86fee6a5ce41340f80d9ee7106f79b40c4a8fba4

SHA256
b09faf9f77172902efb437763be280eeb1e461f3e484de4cafa43acb5aced7cb

SHA512
6737e7e23b65ab1b4a6760882c12fccb18b4596402a8bfb428790e42cba4062e57a661b7111aae493ed2509deca57c06d16ee4643c4cd4195786786bda898e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a8c7052d0ceb101afa3a8164ecfb3c6

SHA1
1e5a09e16e6d45401910dd4afb09edfed0233469

SHA256
eea7d90996add012a77d3f99b6fc59faed70e59f9bd3bb70c3342000bd802085

SHA512
c749a048e3dfbc52bb57c65a3eeb25831d3e6c5f7c2027afb71008cf8acdaaf3af2720d34469f0ea7d977408eee0139b0734ac5ea399a35bca3896c2a0e87dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0cvcpkq.0uv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/708-9-0x000001E5ED920000-0x000001E5ED942000-memory.dmp

Filesize
136KB

Download
memory/708-10-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download
memory/708-11-0x000001E5D3050000-0x000001E5D3060000-memory.dmp

Filesize
64KB

Download
memory/708-12-0x000001E5D3050000-0x000001E5D3060000-memory.dmp

Filesize
64KB

Download
memory/708-13-0x000001E5D3050000-0x000001E5D3060000-memory.dmp

Filesize
64KB

Download
memory/708-16-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download
memory/2720-18-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download
memory/2720-19-0x0000027F6A3D0000-0x0000027F6A3E0000-memory.dmp

Filesize
64KB

Download
memory/2720-31-0x0000027F6A3D0000-0x0000027F6A3E0000-memory.dmp

Filesize
64KB

Download
memory/2720-33-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download
memory/2720-20-0x0000027F6A3D0000-0x0000027F6A3E0000-memory.dmp

Filesize
64KB

Download
memory/4352-43-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download
memory/4352-45-0x000001C477920000-0x000001C477930000-memory.dmp

Filesize
64KB

Download
memory/4352-46-0x000001C477920000-0x000001C477930000-memory.dmp

Filesize
64KB

Download
memory/4352-48-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.