04082b328e22f00b2d15aaac46a69dc211d49816e1641be0c3a803c1d0443b35

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 20:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PHOTO-DEVOCHKA.exe
Size

180KB
MD5

63f222fa3dec54c99fa71bfbef798cab
SHA1

a6aa7dca45be30f5f1f0a2c0cf24c15637fe33f4
SHA256

47bfc569cb27c9596d81d144a9af37d5f378dcdaf73d6c416b86362739354b8f
SHA512

75c8086cd6dce1433e426f8f65d893130847b0ded224a4c6f26ebc6ee1ef9a33299da4f8902067697717b3cd8e4a855018929fb8d562c9581e79d023ae46e2df
SSDEEP

3072:eBAp5XhKpN4eOyVTGfhEClj8jTk+0h+tzYOuIPA:1bXE9OiTGfhEClq9dYpII

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	5332	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	PHOTO-DEVOCHKA.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\popizdota.dot	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs	PHOTO-DEVOCHKA.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs	PHOTO-DEVOCHKA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	PHOTO-DEVOCHKA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 388	3472	PHOTO-DEVOCHKA.exe	91
PID 3472 wrote to memory of 388	3472	PHOTO-DEVOCHKA.exe	91
PID 3472 wrote to memory of 388	3472	PHOTO-DEVOCHKA.exe	91
PID 3472 wrote to memory of 3088	3472	PHOTO-DEVOCHKA.exe	93
PID 3472 wrote to memory of 3088	3472	PHOTO-DEVOCHKA.exe	93
PID 3472 wrote to memory of 3088	3472	PHOTO-DEVOCHKA.exe	93
PID 3472 wrote to memory of 5332	3472	PHOTO-DEVOCHKA.exe	94
PID 3472 wrote to memory of 5332	3472	PHOTO-DEVOCHKA.exe	94
PID 3472 wrote to memory of 5332	3472	PHOTO-DEVOCHKA.exe	94

C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-DEVOCHKA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:3088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:5332

Network

DNS

19.53.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.53.126.40.in-addr.arpa

IN PTR

Response
DNS

19.53.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.53.126.40.in-addr.arpa

IN PTR
DNS

19.53.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.53.126.40.in-addr.arpa

IN PTR
DNS

210.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.178.17.96.in-addr.arpa

IN PTR

Response

210.178.17.96.in-addr.arpa

IN PTR

a96-17-178-210deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=785f9f18e97f4acdab59273b66681c08&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=785f9f18e97f4acdab59273b66681c08&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0774DE5A9C226CD4209ECA149D056D99; domain=.bing.com; expires=Sun, 20-Apr-2025 20:47:41 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EE9431C44AD24E45923CEC7DD2092066 Ref B: LON04EDGE0710 Ref C: 2024-03-26T20:47:41Z
date: Tue, 26 Mar 2024 20:47:40 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=785f9f18e97f4acdab59273b66681c08&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=785f9f18e97f4acdab59273b66681c08&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0774DE5A9C226CD4209ECA149D056D99

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=zCUwX-iJEzNi_rrEYYK-UMEoxTMiSb3ciKXyl_VH7EA; domain=.bing.com; expires=Sun, 20-Apr-2025 20:47:41 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9711F8E958E24B5DA48539DE218E65EC Ref B: LON04EDGE0710 Ref C: 2024-03-26T20:47:41Z
date: Tue, 26 Mar 2024 20:47:40 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=785f9f18e97f4acdab59273b66681c08&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=785f9f18e97f4acdab59273b66681c08&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0774DE5A9C226CD4209ECA149D056D99; MSPTC=zCUwX-iJEzNi_rrEYYK-UMEoxTMiSb3ciKXyl_VH7EA

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AF98AAA5600A45FFACE99D71D529E82E Ref B: LON04EDGE0710 Ref C: 2024-03-26T20:47:41Z
date: Tue, 26 Mar 2024 20:47:40 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

58.99.105.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.99.105.20.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

6.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.181.190.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR
DNS

183.1.37.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.1.37.23.in-addr.arpa

IN PTR

Response

183.1.37.23.in-addr.arpa

IN PTR

a23-37-1-183deploystaticakamaitechnologiescom
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

134.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.71.91.104.in-addr.arpa

IN PTR

Response

134.71.91.104.in-addr.arpa

IN PTR

a104-91-71-134deploystaticakamaitechnologiescom
DNS

202.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.178.17.96.in-addr.arpa

IN PTR

Response

202.178.17.96.in-addr.arpa

IN PTR

a96-17-178-202deploystaticakamaitechnologiescom
DNS

141.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.178.17.96.in-addr.arpa

IN PTR

Response

141.178.17.96.in-addr.arpa

IN PTR

a96-17-178-141deploystaticakamaitechnologiescom
DNS

178.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.178.17.96.in-addr.arpa

IN PTR

Response

178.178.17.96.in-addr.arpa

IN PTR

a96-17-178-178deploystaticakamaitechnologiescom
DNS

196.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.178.17.96.in-addr.arpa

IN PTR

Response

196.178.17.96.in-addr.arpa

IN PTR

a96-17-178-196deploystaticakamaitechnologiescom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

140.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.71.91.104.in-addr.arpa

IN PTR

Response

140.71.91.104.in-addr.arpa

IN PTR

a104-91-71-140deploystaticakamaitechnologiescom
DNS

140.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.71.91.104.in-addr.arpa

IN PTR
DNS

174.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.178.17.96.in-addr.arpa

IN PTR

Response

174.178.17.96.in-addr.arpa

IN PTR

a96-17-178-174deploystaticakamaitechnologiescom
DNS

174.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.178.17.96.in-addr.arpa

IN PTR
DNS

44.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

44.56.20.217.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300951_1DEESSRWOJQZD4FVQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317300951_1DEESSRWOJQZD4FVQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 545378
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8421C877FD9C48E095CAD7C06760346D Ref B: LON04EDGE1005 Ref C: 2024-03-26T20:49:21Z
date: Tue, 26 Mar 2024 20:49:20 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301384_1HQXQBTAMSF7ILYA2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301384_1HQXQBTAMSF7ILYA2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 525311
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CB89D82393F24D0F9ECC00EF4CF59B98 Ref B: LON04EDGE1005 Ref C: 2024-03-26T20:49:21Z
date: Tue, 26 Mar 2024 20:49:20 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 603665
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6CA2BE05CCF542A1B6C7117D31CC7A7A Ref B: LON04EDGE1005 Ref C: 2024-03-26T20:49:21Z
date: Tue, 26 Mar 2024 20:49:20 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 692229
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 70FE982FA41C43689D038306AB8E2B19 Ref B: LON04EDGE1005 Ref C: 2024-03-26T20:49:21Z
date: Tue, 26 Mar 2024 20:49:20 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388204_1E5U0MVX24NIBYXOO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388204_1E5U0MVX24NIBYXOO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 592830
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 88F11E8311E941B5A2101C320FF506C2 Ref B: LON04EDGE1005 Ref C: 2024-03-26T20:49:21Z
date: Tue, 26 Mar 2024 20:49:20 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388205_1XK6USC5L144RCKHV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388205_1XK6USC5L144RCKHV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response

64.62.191.222:1234

WScript.exe

260 B
5
204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=785f9f18e97f4acdab59273b66681c08&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=

tls, http2

2.0kB
9.2kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=785f9f18e97f4acdab59273b66681c08&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=785f9f18e97f4acdab59273b66681c08&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=785f9f18e97f4acdab59273b66681c08&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=

HTTP Response

204
20.231.121.79:80

46 B
1
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
15
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.0kB
15
12
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239339388205_1XK6USC5L144RCKHV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

64.9kB
1.8MB
1341
1333

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300951_1DEESSRWOJQZD4FVQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301384_1HQXQBTAMSF7ILYA2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388204_1E5U0MVX24NIBYXOO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388205_1XK6USC5L144RCKHV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.1kB
8.0kB
13
11
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
15
14
96.17.178.174:80

8.8.8.8:53

19.53.126.40.in-addr.arpa

dns

213 B
157 B
3
1

DNS Request

19.53.126.40.in-addr.arpa

DNS Request

19.53.126.40.in-addr.arpa

DNS Request

19.53.126.40.in-addr.arpa
8.8.8.8:53

210.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

210.178.17.96.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

146 B
106 B
2
1

DNS Request

200.197.79.204.in-addr.arpa

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

58.99.105.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

58.99.105.20.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

6.181.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

6.181.190.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

140 B
144 B
2
1

DNS Request

86.23.85.13.in-addr.arpa

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

171.39.242.20.in-addr.arpa

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

210 B
144 B
3
1

DNS Request

58.55.71.13.in-addr.arpa

DNS Request

58.55.71.13.in-addr.arpa

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

183.1.37.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

183.1.37.23.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

134.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

134.71.91.104.in-addr.arpa
8.8.8.8:53

202.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

202.178.17.96.in-addr.arpa
8.8.8.8:53

141.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

141.178.17.96.in-addr.arpa
8.8.8.8:53

178.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

178.178.17.96.in-addr.arpa
8.8.8.8:53

196.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

196.178.17.96.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

140.71.91.104.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

140.71.91.104.in-addr.arpa

DNS Request

140.71.91.104.in-addr.arpa
8.8.8.8:53

174.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

174.178.17.96.in-addr.arpa

DNS Request

174.178.17.96.in-addr.arpa
8.8.8.8:53

44.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

44.56.20.217.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\333\why_do_you_cry_willy.bat

Filesize
2KB

MD5
56a64e3d2dabea79062ebd37c2695b87

SHA1
d3a7b4e9e3493c0c46bddb3973573511fc314ff9

SHA256
07ba63c69713fa2e4467e82eedc9c5eafd795ec3b85f1f38a9d3d4669cb4fba9

SHA512
260e82f73839361cc59a40c35ade0658d9ea22dd7b9af1a2937206bab77729ed9776e65765f521ee69cb6dde61d1dd8f0ba645ddc82440625f93b11c96928e7b

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\____000000_hello__.vbs

Filesize
895B

MD5
86ec234776348de7a66694604c483902

SHA1
761269b17829cd99955ca44b9d198d26b3532a7e

SHA256
b04079e6d07e7788fb3ae4aade8eb6ea11de6e8582e724cb349be30551a0f5bc

SHA512
6dc3f64dd4194eb635a8e791599de7bcf52ab275b46efac9c1c90b28b9669adc8f552680dee6cafb5ebe9af1f5f42f0c31159472dfae8b0e879d17b9a05bc5fa

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\_hello______22222_______.vbs

Filesize
611B

MD5
49386cb3be62579eaa9d21cd8f528c7d

SHA1
c2f47fe4e27c663a62190ab454434a3b21070597

SHA256
7838e77610ed9f0affd067cd57c610ee4af33411b286b3a24ad60f18135d6289

SHA512
23d6cdd86d6c2767e43b8cc79814e6663f376c017694ecc16f971fac140650e02b11a45f247ac302d70489ea9918a365a589f45025581ebc2b9a73b120fb34d8

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\poztfiz\popizdota.dot

Filesize
34B

MD5
aa5511a167a67e429a9fdf3ac25bce0e

SHA1
8ac961be922cdc3314ed342e809d68637e9ea1f2

SHA256
bcf768f1b7db9992ed293fee0d986033c0ed203ad7698cc3f0eec8faad6a4665

SHA512
736021521ab3062dd0b748fe989b942c52e2978e7d7313d66684518c4209a8816ccb7cd0229306c1f4fae1cac2c4d107fff52c9d027d4f04d0d4cb736ca53a10

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c0805e6fff9d30c65b91bc9284beac8e

SHA1
45456e27d6632159ed7e4403caa1a16721c3b603

SHA256
53f25ec3705be321e5d7c17acc6ea1aba6aae01e99223f97d97bcf288c5a8228

SHA512
34648a026528d9746f73d01f7600bf947fdee00ddf8525cb89338ebd9b51789f968a79b4c1671eeb96ac83f21788167980835cae8c0f86a550ff95bddfa3c2c3

Download Submit
memory/3472-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.