socks5systemz | 9397e1a3bd7e94ae5213d8dc4edef5e73fe8c6f0306196a1ffae832a3976e9ac

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 04:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f4371e9fcc21652c9fb3867f64d4941.exe
Size

4.5MB
MD5

5f4371e9fcc21652c9fb3867f64d4941
SHA1

a19d69302a3993f2aca91d73bdc128e47b6ce174
SHA256

9397e1a3bd7e94ae5213d8dc4edef5e73fe8c6f0306196a1ffae832a3976e9ac
SHA512

3c736528fd01383b6fb37a30b306ccd0cfa6b2129cea650263d0a5488e1052c6348acac115ad394c7c70b647d42dc55f4811bd2321b11c3c4c6a37f9c8d21536
SSDEEP

98304:QDC5jNxoKkMBuu/KJmiuK3gqLkWSTGHVs49M4dm8:YCj6KPBuh8XUgqLXHLM4dD

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4848-154-0x0000000000880000-0x0000000000922000-memory.dmp	family_socks5systemz
behavioral2/memory/4848-148-0x0000000000880000-0x0000000000922000-memory.dmp	family_socks5systemz
behavioral2/memory/4848-161-0x0000000000880000-0x0000000000922000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
1928	5f4371e9fcc21652c9fb3867f64d4941.tmp
2672	dvdreportviewer.exe
4848	dvdreportviewer.exe

Loads dropped DLL 3 IoCs

pid	Process
1928	5f4371e9fcc21652c9fb3867f64d4941.tmp
1928	5f4371e9fcc21652c9fb3867f64d4941.tmp
1928	5f4371e9fcc21652c9fb3867f64d4941.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1928	5f4371e9fcc21652c9fb3867f64d4941.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 1928	4312	5f4371e9fcc21652c9fb3867f64d4941.exe	89
PID 4312 wrote to memory of 1928	4312	5f4371e9fcc21652c9fb3867f64d4941.exe	89
PID 4312 wrote to memory of 1928	4312	5f4371e9fcc21652c9fb3867f64d4941.exe	89
PID 1928 wrote to memory of 1704	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	94
PID 1928 wrote to memory of 1704	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	94
PID 1928 wrote to memory of 1704	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	94
PID 1928 wrote to memory of 2672	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	92
PID 1928 wrote to memory of 2672	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	92
PID 1928 wrote to memory of 2672	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	92
PID 1704 wrote to memory of 3536	1704	net.exe	91
PID 1704 wrote to memory of 3536	1704	net.exe	91
PID 1704 wrote to memory of 3536	1704	net.exe	91
PID 1928 wrote to memory of 4848	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	95
PID 1928 wrote to memory of 4848	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	95
PID 1928 wrote to memory of 4848	1928	5f4371e9fcc21652c9fb3867f64d4941.tmp	95

C:\Users\Admin\AppData\Local\Temp\5f4371e9fcc21652c9fb3867f64d4941.exe
"C:\Users\Admin\AppData\Local\Temp\5f4371e9fcc21652c9fb3867f64d4941.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp" /SL5="$8022C,4446766,54272,C:\Users\Admin\AppData\Local\Temp\5f4371e9fcc21652c9fb3867f64d4941.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe
    "C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 1103
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
- - C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe
    "C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1103
1⤵
PID:3536

Network

DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=29DDAB97474463B00EE2BF9446FF6290; domain=.bing.com; expires=Tue, 04-Feb-2025 04:46:11 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 405EAB6ABC994197BFCE6E857C159A64 Ref B: LON04EDGE0918 Ref C: 2024-01-11T04:46:11Z
date: Thu, 11 Jan 2024 04:46:11 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=29DDAB97474463B00EE2BF9446FF6290

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=fDxOAyMWZgCgbxoAVaLi86IPlgVXoAwR9nMZ1i0b_Jg; domain=.bing.com; expires=Tue, 04-Feb-2025 04:46:11 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AABF031B92634AC1B0166E48D6B3CFC9 Ref B: LON04EDGE0918 Ref C: 2024-01-11T04:46:11Z
date: Thu, 11 Jan 2024 04:46:11 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=29DDAB97474463B00EE2BF9446FF6290; MSPTC=fDxOAyMWZgCgbxoAVaLi86IPlgVXoAwR9nMZ1i0b_Jg

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1A15026658594F9492F52641B4F901AA Ref B: LON04EDGE0918 Ref C: 2024-01-11T04:46:11Z
date: Thu, 11 Jan 2024 04:46:11 GMT
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR

Response

104.241.123.92.in-addr.arpa

IN PTR

a92-123-241-104deploystaticakamaitechnologiescom
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR
DNS

176.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

176.178.17.96.in-addr.arpa

IN PTR

Response

176.178.17.96.in-addr.arpa

IN PTR

a96-17-178-176deploystaticakamaitechnologiescom
DNS

211.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.135.221.88.in-addr.arpa

IN PTR

Response

211.135.221.88.in-addr.arpa

IN PTR

a88-221-135-211deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 467227
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4CDDF70198D84306A0B323813E54CC67 Ref B: LON04EDGE1017 Ref C: 2024-01-11T04:47:47Z
date: Thu, 11 Jan 2024 04:47:46 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418587_1WAY0EU9WVN81W6N5&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418587_1WAY0EU9WVN81W6N5&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 506638
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A77DAAB585D64F1FA0D9EF2138D2CFA3 Ref B: LON04EDGE1017 Ref C: 2024-01-11T04:47:47Z
date: Thu, 11 Jan 2024 04:47:46 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 490296
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E9C546D9984B4CF6A9126D14EF9DECFE Ref B: LON04EDGE1017 Ref C: 2024-01-11T04:47:47Z
date: Thu, 11 Jan 2024 04:47:46 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 492518
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 67B24F01899F4080A11A9B429AB64A31 Ref B: LON04EDGE1017 Ref C: 2024-01-11T04:47:47Z
date: Thu, 11 Jan 2024 04:47:46 GMT
DNS

bxtqibj.com

dvdreportviewer.exe

Remote address:

45.155.250.90:53

Request

bxtqibj.com

IN A

Response

bxtqibj.com

IN A

185.196.8.22
DNS

bxtqibj.com

dvdreportviewer.exe

Remote address:

45.155.250.90:53

Request

bxtqibj.com

IN A
DNS

bxtqibj.com

dvdreportviewer.exe

Remote address:

45.155.250.90:53

Request

bxtqibj.com

IN A
DNS

90.250.155.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.250.155.45.in-addr.arpa

IN PTR

Response
DNS

90.250.155.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.250.155.45.in-addr.arpa

IN PTR

Response
GET

http://bxtqibj.com/click/?counter=de7ef49b2c006853fb383429300ff01132ad1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f578166429e2f834798823d2b6c47a3377425879a663bdccd82385b558fdf0ffd19cada5c

dvdreportviewer.exe

Remote address:

185.196.8.22:80

Request

GET /click/?counter=de7ef49b2c006853fb383429300ff01132ad1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f578166429e2f834798823d2b6c47a3377425879a663bdccd82385b558fdf0ffd19cada5c HTTP/1.1
Host: bxtqibj.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Response

HTTP/1.1 200 OK

Server: nginx/1.20.1
Date: Thu, 11 Jan 2024 04:48:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
DNS

22.8.196.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.8.196.185.in-addr.arpa

IN PTR

Response
DNS

22.8.196.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.8.196.185.in-addr.arpa

IN PTR
DNS

22.8.196.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.8.196.185.in-addr.arpa

IN PTR
DNS

14.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.173.189.20.in-addr.arpa

IN PTR

Response
DNS

14.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.173.189.20.in-addr.arpa

IN PTR

Response

204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

HTTP Response

204
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.209:80

92 B
40 B
2
1
96.17.178.209:80

184 B
4.9kB
4
5
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
20.223.36.55:443
88.221.134.32:80
93.184.221.240:80
93.184.221.240:80
96.17.178.176:80
88.221.134.32:80
88.221.134.32:80
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80
93.184.221.240:80
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.3kB
17
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.3kB
17
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4

tls, http2

72.3kB
2.0MB
1500
1496

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418587_1WAY0EU9WVN81W6N5&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
185.196.8.22:80

http://bxtqibj.com/click/?counter=de7ef49b2c006853fb383429300ff01132ad1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f578166429e2f834798823d2b6c47a3377425879a663bdccd82385b558fdf0ffd19cada5c

http

dvdreportviewer.exe

535 B
352 B
5
3

HTTP Request

GET http://bxtqibj.com/click/?counter=de7ef49b2c006853fb383429300ff01132ad1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f578166429e2f834798823d2b6c47a3377425879a663bdccd82385b558fdf0ffd19cada5c

HTTP Response

200

8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

104.241.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

104.241.123.92.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

56.126.166.20.in-addr.arpa

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

176.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

176.178.17.96.in-addr.arpa
8.8.8.8:53

211.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

211.135.221.88.in-addr.arpa
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

43.229.111.52.in-addr.arpa

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
346 B
2
2

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

DNS Response

204.79.197.200

13.107.21.200
45.155.250.90:53

bxtqibj.com

dns

dvdreportviewer.exe

171 B
84 B
3
1

DNS Request

bxtqibj.com

DNS Request

bxtqibj.com

DNS Request

bxtqibj.com

DNS Response

185.196.8.22
8.8.8.8:53

90.250.155.45.in-addr.arpa

dns

144 B
270 B
2
2

DNS Request

90.250.155.45.in-addr.arpa

DNS Request

90.250.155.45.in-addr.arpa
8.8.8.8:53

22.8.196.185.in-addr.arpa

dns

213 B
148 B
3
1

DNS Request

22.8.196.185.in-addr.arpa

DNS Request

22.8.196.185.in-addr.arpa

DNS Request

22.8.196.185.in-addr.arpa
8.8.8.8:53

14.173.189.20.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

14.173.189.20.in-addr.arpa

DNS Request

14.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe

Filesize
1024KB

MD5
6dd32bf998ded90dbb75fd9adc21e861

SHA1
d9ee6ca1688fe0e563ddc6a945798d8a04c50f77

SHA256
bb95d78447bb10869a3cad272392b42ea83b7d78d903fe00d81c0ac9ae2e2fb6

SHA512
c12a76f26301111503e78ce2c9daf80d66cbf8e61905200bc0b0b29905028bfd6111e2c16c69fff3762096ba752a317ca30603eb05e2c0b3ebb10650de5c8951

Download Submit
C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe

Filesize
832KB

MD5
7b5c1a7d9fc6b0fef2be24cc0990f8b1

SHA1
45932467c4ec8617d41a86d76e5d7d931f96ccea

SHA256
059bd0590b1b6e0497d342c2f64a0f0348e492a5cf7e02190301ab0bbbe94cce

SHA512
38c6baf40629beb564943ce680dd5d2136d5352b3d65fd6aff823b235ca28cfc851ee092ea378cf019c631efc276f1feb4ae4278efc71d1392af79a6b7af26b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OLND5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OLND5.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp

Filesize
111KB

MD5
809465a767988f3342e7028154fb1589

SHA1
85abaa8c4e80931562dc9b93f2c63b05e9c76970

SHA256
3c57cdd6f778e883f220be4483a9971970c9e7a3519bb7fdad219d8669e4fc2b

SHA512
51cb9c7d83c9ea18a02da6178ca3fc3e738985289b700e5d3677d307c378bc7638ad5b87df382503fede706e892dfa3d70a62751003d082e1c278c6c5a5195d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
memory/1928-134-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1928-132-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1928-13-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2672-121-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2672-125-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2672-126-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2672-122-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4312-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4312-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4312-131-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4848-133-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-153-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-128-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-137-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-138-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-141-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-144-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-147-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-154-0x0000000000880000-0x0000000000922000-memory.dmp

Filesize
648KB

Download
memory/4848-130-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-148-0x0000000000880000-0x0000000000922000-memory.dmp

Filesize
648KB

Download
memory/4848-157-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-160-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-161-0x0000000000880000-0x0000000000922000-memory.dmp

Filesize
648KB

Download
memory/4848-164-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-167-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-170-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-173-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-177-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4848-180-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.