Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 15:27

General

  • Target

    Comprobante.exe

  • Size

    180KB

  • MD5

    a5825c821946808fb1f3b22645fbfd9d

  • SHA1

    d0906a55b742bd11e29c2bf6a87dfe3a6dbd547e

  • SHA256

    a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790

  • SHA512

    a377a82e2f14909f69958874fd62eec318fd67e266415aa8b6a088c230e7d3fa1833cb8d94dcf660a7c5d6e60817369d10a5694f4577f65b30315a9f91f93043

  • SSDEEP

    3072:+h9LvhVRMQ8at9vMJdr5QckDMV3HycZg8dZuFyjwUZpVTdlRI:tFaj8mMxHy9yQyjwUZpVTdLI

Malware Config

Extracted

Family

xenorat

C2

dns.requimacofradian.site

Mutex

Xeno_rat_nd8828g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1253

  • startup_name

    dic

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Comprobante.exe
    "C:\Users\Admin\AppData\Local\Temp\Comprobante.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Users\Admin\AppData\Local\Temp\Comprobante.exe
      C:\Users\Admin\AppData\Local\Temp\Comprobante.exe
      2⤵
        PID:2936
      • C:\Users\Admin\AppData\Local\Temp\Comprobante.exe
        C:\Users\Admin\AppData\Local\Temp\Comprobante.exe
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Users\Admin\AppData\Roaming\XenoManager\Comprobante.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\Comprobante.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3120
          • C:\Users\Admin\AppData\Roaming\XenoManager\Comprobante.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\Comprobante.exe
            4⤵
            • Executes dropped EXE
            PID:1720
          • C:\Users\Admin\AppData\Roaming\XenoManager\Comprobante.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\Comprobante.exe
            4⤵
            • Executes dropped EXE
            PID:2560
          • C:\Users\Admin\AppData\Roaming\XenoManager\Comprobante.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\Comprobante.exe
            4⤵
            • Executes dropped EXE
            PID:2152
      • C:\Users\Admin\AppData\Local\Temp\Comprobante.exe
        C:\Users\Admin\AppData\Local\Temp\Comprobante.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5040
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "dic" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C6A.tmp" /F
          3⤵
          • Creates scheduled task(s)
          PID:1560

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77deploystaticakamaitechnologiescom
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=107A8A2A40C5613F08EE9E53417E60E6; domain=.bing.com; expires=Mon, 02-Jun-2025 15:27:08 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 78345249A1484C5C91C4D6095ABD8930 Ref B: LON04EDGE0807 Ref C: 2024-05-08T15:27:08Z
      date: Wed, 08 May 2024 15:27:08 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=107A8A2A40C5613F08EE9E53417E60E6; _EDGE_S=SID=16EE27B466EA6877356833CD679369C8
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=G0U9Hl7wr-Dg-Jwfv4J8A9dRcNEkRjT97oXBnmyRsx4; domain=.bing.com; expires=Mon, 02-Jun-2025 15:27:09 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 7C3C77F6DD3745208A6FC3EEA57DF375 Ref B: LON04EDGE0807 Ref C: 2024-05-08T15:27:09Z
      date: Wed, 08 May 2024 15:27:09 GMT
    • flag-nl
      GET
      https://www.bing.com/aes/c.gif?RG=b2f67e4e6dd147acbead8f1cbe0f6193&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130642Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266
      Remote address:
      23.62.61.121:443
      Request
      GET /aes/c.gif?RG=b2f67e4e6dd147acbead8f1cbe0f6193&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130642Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266 HTTP/2.0
      host: www.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=107A8A2A40C5613F08EE9E53417E60E6
      Response
      HTTP/2.0 200
      cache-control: private,no-store
      pragma: no-cache
      vary: Origin
      p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: FBAA3AE303E54C8D8BDD09A133DF5EB2 Ref B: LON212050706037 Ref C: 2024-05-08T15:27:09Z
      content-length: 0
      date: Wed, 08 May 2024 15:27:09 GMT
      set-cookie: _EDGE_S=SID=16EE27B466EA6877356833CD679369C8; path=/; httponly; domain=bing.com
      set-cookie: MUIDB=107A8A2A40C5613F08EE9E53417E60E6; path=/; httponly; expires=Mon, 02-Jun-2025 15:27:09 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.753d3e17.1715182029.599fe0c
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      149.177.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.177.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      121.61.62.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      121.61.62.23.in-addr.arpa
      IN PTR
      Response
      121.61.62.23.in-addr.arpa
      IN PTR
      a23-62-61-121deploystaticakamaitechnologiescom
    • flag-nl
      GET
      https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      Remote address:
      23.62.61.121:443
      Request
      GET /th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      cookie: MUID=107A8A2A40C5613F08EE9E53417E60E6; _EDGE_S=SID=16EE27B466EA6877356833CD679369C8; MSPTC=G0U9Hl7wr-Dg-Jwfv4J8A9dRcNEkRjT97oXBnmyRsx4; MUIDB=107A8A2A40C5613F08EE9E53417E60E6
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1463
      date: Wed, 08 May 2024 15:27:10 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.753d3e17.1715182030.59a04c3
    • flag-us
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      135.126.19.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      135.126.19.2.in-addr.arpa
      IN PTR
      Response
      135.126.19.2.in-addr.arpa
      IN PTR
      a2-19-126-135deploystaticakamaitechnologiescom
    • flag-us
      DNS
      79.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.190.18.2.in-addr.arpa
      IN PTR
      Response
      79.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-79deploystaticakamaitechnologiescom
    • flag-us
      DNS
      dns.requimacofradian.site
      Comprobante.exe
      Remote address:
      8.8.8.8:53
      Request
      dns.requimacofradian.site
      IN A
      Response
      dns.requimacofradian.site
      IN A
      91.92.243.131
    • flag-us
      DNS
      131.243.92.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      131.243.92.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.156.103.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.156.103.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 638730
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 31CBE070FAE84C6FB27ECCB77B6A0023 Ref B: LON04EDGE1220 Ref C: 2024-05-08T15:28:46Z
      date: Wed, 08 May 2024 15:28:45 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 496166
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D0028F7171114E91A533911B34554406 Ref B: LON04EDGE1220 Ref C: 2024-05-08T15:28:46Z
      date: Wed, 08 May 2024 15:28:45 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239351691769_17S178H4I11J3APXJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239351691769_17S178H4I11J3APXJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 415458
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F9A46CD7DA2D4991BFDBC46DE99AB11B Ref B: LON04EDGE1220 Ref C: 2024-05-08T15:28:46Z
      date: Wed, 08 May 2024 15:28:45 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239351691770_1IUJHOACLFVRNOEKH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239351691770_1IUJHOACLFVRNOEKH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 496229
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 625C30CB856A418997977AE5A3EF4EFD Ref B: LON04EDGE1220 Ref C: 2024-05-08T15:28:46Z
      date: Wed, 08 May 2024 15:28:45 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 555746
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4CB950916FF14DA58FBAF81776D23BDE Ref B: LON04EDGE1220 Ref C: 2024-05-08T15:28:46Z
      date: Wed, 08 May 2024 15:28:45 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    • flag-us
      DNS
      8.179.89.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.179.89.13.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF
      tls, http2
      2.5kB
      9.0kB
      19
      17

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

      HTTP Response

      204
    • 23.62.61.121:443
      https://www.bing.com/aes/c.gif?RG=b2f67e4e6dd147acbead8f1cbe0f6193&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130642Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266
      tls, http2
      1.5kB
      5.4kB
      17
      13

      HTTP Request

      GET https://www.bing.com/aes/c.gif?RG=b2f67e4e6dd147acbead8f1cbe0f6193&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130642Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266

      HTTP Response

      200
    • 23.62.61.121:443
      https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      tls, http2
      1.7kB
      6.8kB
      18
      14

      HTTP Request

      GET https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

      HTTP Response

      200
    • 91.92.243.131:1253
      dns.requimacofradian.site
      Comprobante.exe
      808 B
      655 B
      12
      10
    • 91.92.243.131:1253
      dns.requimacofradian.site
      Comprobante.exe
      5.0kB
      7.7kB
      80
      150
    • 91.92.243.131:1253
      dns.requimacofradian.site
      Comprobante.exe
      3.4kB
      4.1kB
      44
      80
    • 91.92.243.131:1253
      dns.requimacofradian.site
      Comprobante.exe
      18.1kB
      1.0MB
      387
      751
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      tls, http2
      69.2kB
      1.9MB
      1418
      1419

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239351691769_17S178H4I11J3APXJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239351691770_1IUJHOACLFVRNOEKH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      15
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      15
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      15
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      15
      13
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      77.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      77.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
      143 B
      1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      149.177.190.20.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      149.177.190.20.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      121.61.62.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      121.61.62.23.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      135.126.19.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      135.126.19.2.in-addr.arpa

    • 8.8.8.8:53
      79.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      79.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      dns.requimacofradian.site
      dns
      Comprobante.exe
      71 B
      87 B
      1
      1

      DNS Request

      dns.requimacofradian.site

      DNS Response

      91.92.243.131

    • 8.8.8.8:53
      131.243.92.91.in-addr.arpa
      dns
      72 B
      132 B
      1
      1

      DNS Request

      131.243.92.91.in-addr.arpa

    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      88.156.103.20.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      8.179.89.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      8.179.89.13.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Comprobante.exe.log

      Filesize

      522B

      MD5

      0f39d6b9afc039d81ff31f65cbf76826

      SHA1

      8356d04fe7bba2695d59b6caf5c59f58f3e1a6d8

      SHA256

      ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d

      SHA512

      5bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9

    • C:\Users\Admin\AppData\Local\Temp\tmp2C6A.tmp

      Filesize

      1KB

      MD5

      8bebc590162576dee61b15d4b1a8e92f

      SHA1

      9c6e52f7a46d097a842837a8ea6ba21027f42535

      SHA256

      4c5a48fd2b642faeef01fad4ff1ef01e8e4c63c6d87997a04e46489b3dbb466c

      SHA512

      64a143fe89a53bc349f6624c169231a7673bd7798abf74b30fdc89ebd0f4b95859173e06b18a402ad72eea5ca2f6408c396f0be4a60b0dfc15f32cbd4fe6ec6a

    • C:\Users\Admin\AppData\Roaming\XenoManager\Comprobante.exe

      Filesize

      180KB

      MD5

      a5825c821946808fb1f3b22645fbfd9d

      SHA1

      d0906a55b742bd11e29c2bf6a87dfe3a6dbd547e

      SHA256

      a340745a55997188efd34c9d83c186de3b899c3b98d05982f327f142deafe790

      SHA512

      a377a82e2f14909f69958874fd62eec318fd67e266415aa8b6a088c230e7d3fa1833cb8d94dcf660a7c5d6e60817369d10a5694f4577f65b30315a9f91f93043

    • memory/1752-29-0x0000000074F40000-0x00000000756F0000-memory.dmp

      Filesize

      7.7MB

    • memory/1752-14-0x0000000074F40000-0x00000000756F0000-memory.dmp

      Filesize

      7.7MB

    • memory/1824-1-0x00000000004F0000-0x0000000000526000-memory.dmp

      Filesize

      216KB

    • memory/1824-2-0x0000000004E20000-0x0000000004E44000-memory.dmp

      Filesize

      144KB

    • memory/1824-3-0x0000000004F50000-0x0000000004FEC000-memory.dmp

      Filesize

      624KB

    • memory/1824-4-0x0000000074F40000-0x00000000756F0000-memory.dmp

      Filesize

      7.7MB

    • memory/1824-0-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

      Filesize

      4KB

    • memory/1824-15-0x0000000074F40000-0x00000000756F0000-memory.dmp

      Filesize

      7.7MB

    • memory/2936-10-0x0000000074F40000-0x00000000756F0000-memory.dmp

      Filesize

      7.7MB

    • memory/2936-13-0x0000000074F40000-0x00000000756F0000-memory.dmp

      Filesize

      7.7MB

    • memory/2936-5-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/3120-30-0x0000000000A70000-0x0000000000A94000-memory.dmp

      Filesize

      144KB

    • memory/5040-18-0x0000000074F40000-0x00000000756F0000-memory.dmp

      Filesize

      7.7MB

    • memory/5040-38-0x0000000074F40000-0x00000000756F0000-memory.dmp

      Filesize

      7.7MB

    • memory/5040-16-0x0000000074F40000-0x00000000756F0000-memory.dmp

      Filesize

      7.7MB

    • memory/5040-41-0x00000000060E0000-0x0000000006146000-memory.dmp

      Filesize

      408KB

    • memory/5040-42-0x0000000006350000-0x000000000644A000-memory.dmp

      Filesize

      1000KB

    • memory/5040-43-0x0000000006620000-0x00000000067E2000-memory.dmp

      Filesize

      1.8MB

    • memory/5040-44-0x00000000064D0000-0x0000000006546000-memory.dmp

      Filesize

      472KB

    • memory/5040-45-0x0000000006550000-0x00000000065A0000-memory.dmp

      Filesize

      320KB

    • memory/5040-46-0x0000000006D20000-0x000000000724C000-memory.dmp

      Filesize

      5.2MB

    • memory/5040-47-0x00000000068F0000-0x000000000690E000-memory.dmp

      Filesize

      120KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.