Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-05-2024 11:27

General

  • Target

    345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe

  • Size

    368KB

  • MD5

    345c37943c7a7e1fd0098aab07fe3c86

  • SHA1

    ff8d484c90feab90b94502fbcaff84b16eb9a280

  • SHA256

    1e0fc6cf4d0b655fc2495aeb3890f382e00ec9060ab23fa0a035a5042cda6daa

  • SHA512

    888e8d2f20ccf440107971e8268d06b34aa8c7e5c476f55544321780f30af52c731ada5cca83f015b607f3b61dc5be276199a9dd3cc50fd70ed47c38ca5495cd

  • SSDEEP

    6144:GpWnsT313ntnJiuPn28TTc48OSswYLi9zdsPqw73hJfrhIN:+3Xnguf2ic/swVzWBJT4

Score
10/10

Malware Config

Extracted

Family

buer

C2

https://162.244.81.87/

http://162.244.81.87:8080/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Buer Loader 3 IoCs

    Detects Buer loader in memory or disk.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\ProgramData\07ba8bb00089d54f9f49\gennt.exe
      C:\ProgramData\07ba8bb00089d54f9f49\gennt.exe "C:\Users\Admin\AppData\Local\Temp\345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe" ensgJJ
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\SysWOW64\secinit.exe
        C:\ProgramData\07ba8bb00089d54f9f49\gennt.exe
        3⤵
          PID:3476
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 480
            4⤵
            • Program crash
            PID:828
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\07ba8bb00089d54f9f49}"
          3⤵
            PID:4636
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3476 -ip 3476
        1⤵
          PID:860

        Network

        • flag-us
          DNS
          g.bing.com
          Remote address:
          8.8.8.8:53
          Request
          g.bing.com
          IN A
          Response
          g.bing.com
          IN CNAME
          g-bing-com.dual-a-0034.a-msedge.net
          g-bing-com.dual-a-0034.a-msedge.net
          IN CNAME
          dual-a-0034.a-msedge.net
          dual-a-0034.a-msedge.net
          IN A
          204.79.197.237
          dual-a-0034.a-msedge.net
          IN A
          13.107.21.237
        • flag-us
          GET
          https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MUID=30896FF1F04566AB2F2A7B8DF1626771; domain=.bing.com; expires=Thu, 05-Jun-2025 11:27:42 GMT; path=/; SameSite=None; Secure; Priority=High;
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 29BD0B88772D411C8A8E8BC430341C82 Ref B: LON04EDGE0612 Ref C: 2024-05-11T11:27:42Z
          date: Sat, 11 May 2024 11:27:41 GMT
        • flag-us
          GET
          https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=30896FF1F04566AB2F2A7B8DF1626771; _EDGE_S=SID=01F3B3BF80FE6A1125ECA7C3812C6B17
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MSPTC=EHpenbHhBkWxeprpS-S4et5bDBjfqpvP4Yjdubj8hbI; domain=.bing.com; expires=Thu, 05-Jun-2025 11:27:42 GMT; path=/; Partitioned; secure; SameSite=None
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 256D196E37594DC18B8B0E47A95FBE31 Ref B: LON04EDGE0612 Ref C: 2024-05-11T11:27:42Z
          date: Sat, 11 May 2024 11:27:42 GMT
        • flag-us
          DNS
          104.219.191.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          104.219.191.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          79.190.18.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          79.190.18.2.in-addr.arpa
          IN PTR
          Response
          79.190.18.2.in-addr.arpa
          IN PTR
          a2-18-190-79.deploy.static.akamaitechnologies.com
        • flag-be
          GET
          https://www.bing.com/aes/c.gif?RG=ef12739d00b44171bf5f714850a0ef4f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135909Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893
          Remote address:
          2.17.196.65:443
          Request
          GET /aes/c.gif?RG=ef12739d00b44171bf5f714850a0ef4f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135909Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893 HTTP/2.0
          host: www.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=30896FF1F04566AB2F2A7B8DF1626771
          Response
          HTTP/2.0 200
          cache-control: private,no-store
          pragma: no-cache
          vary: Origin
          p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: D7136E36F9A54401902E7BBCBC67E128 Ref B: FRAEDGE1205 Ref C: 2024-05-11T11:27:42Z
          content-length: 0
          date: Sat, 11 May 2024 11:27:42 GMT
          set-cookie: _EDGE_S=SID=01F3B3BF80FE6A1125ECA7C3812C6B17; path=/; httponly; domain=bing.com
          set-cookie: MUIDB=30896FF1F04566AB2F2A7B8DF1626771; path=/; httponly; expires=Thu, 05-Jun-2025 11:27:42 GMT
          alt-svc: h3=":443"; ma=93600
          x-cdn-traceid: 0.3dc41102.1715426862.d5b59a8
        • flag-us
          DNS
          75.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          75.159.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          237.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          237.197.79.204.in-addr.arpa
          IN PTR
          Response
        • flag-be
          GET
          https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          Remote address:
          2.17.196.65:443
          Request
          GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
          host: www.bing.com
          accept: */*
          cookie: MUID=30896FF1F04566AB2F2A7B8DF1626771; _EDGE_S=SID=01F3B3BF80FE6A1125ECA7C3812C6B17; MSPTC=EHpenbHhBkWxeprpS-S4et5bDBjfqpvP4Yjdubj8hbI; MUIDB=30896FF1F04566AB2F2A7B8DF1626771
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-type: image/png
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          content-length: 1107
          date: Sat, 11 May 2024 11:27:43 GMT
          alt-svc: h3=":443"; ma=93600
          x-cdn-traceid: 0.3dc41102.1715426863.d5b5e8f
        • flag-us
          DNS
          65.196.17.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          65.196.17.2.in-addr.arpa
          IN PTR
          Response
          65.196.17.2.in-addr.arpa
          IN PTR
          a2-17-196-65.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          88.156.103.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          88.156.103.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          28.118.140.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          28.118.140.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          103.169.127.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          103.169.127.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          171.39.242.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          171.39.242.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          0.204.248.87.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          0.204.248.87.in-addr.arpa
          IN PTR
          Response
          0.204.248.87.in-addr.arpa
          IN PTR
          https-87-248-204-0.lhr.llnw.net
        • flag-us
          DNS
          19.229.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          19.229.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          77.190.18.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          77.190.18.2.in-addr.arpa
          IN PTR
          Response
          77.190.18.2.in-addr.arpa
          IN PTR
          a2-18-190-77.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 382817
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 19C1E464511F43BB9038D38D20BEF4C6 Ref B: LON04EDGE0809 Ref C: 2024-05-11T11:29:21Z
          date: Sat, 11 May 2024 11:29:20 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 464243
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: C82704FE73884420A89139896D86141B Ref B: LON04EDGE0809 Ref C: 2024-05-11T11:29:21Z
          date: Sat, 11 May 2024 11:29:20 GMT
        • 204.79.197.237:443
          https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E
          tls, http2
          2.5kB
          9.0kB
          19
          17

          HTTP Request

          GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E

          HTTP Response

          204
        • 2.17.196.65:443
          https://www.bing.com/aes/c.gif?RG=ef12739d00b44171bf5f714850a0ef4f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135909Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893
          tls, http2
          1.5kB
          5.4kB
          17
          12

          HTTP Request

          GET https://www.bing.com/aes/c.gif?RG=ef12739d00b44171bf5f714850a0ef4f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135909Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893

          HTTP Response

          200
        • 2.17.196.65:443
          https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          tls, http2
          1.7kB
          6.4kB
          18
          12

          HTTP Request

          GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

          HTTP Response

          200
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          16
          14
        • 204.79.197.200:443
          https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          tls, http2
          30.6kB
          884.0kB
          648
          644

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Response

          200

          HTTP Response

          200
        • 162.244.81.87:443
          gennt.exe
          260 B
          200 B
          5
          5
        • 162.244.81.87:443
          gennt.exe
          260 B
          200 B
          5
          5
        • 162.244.81.87:443
          gennt.exe
          260 B
          200 B
          5
          5
        • 8.8.8.8:53
          g.bing.com
          dns
          56 B
          151 B
          1
          1

          DNS Request

          g.bing.com

          DNS Response

          204.79.197.237
          13.107.21.237

        • 8.8.8.8:53
          104.219.191.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          104.219.191.52.in-addr.arpa

        • 8.8.8.8:53
          79.190.18.2.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          79.190.18.2.in-addr.arpa

        • 8.8.8.8:53
          75.159.190.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          75.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          237.197.79.204.in-addr.arpa
          dns
          73 B
          143 B
          1
          1

          DNS Request

          237.197.79.204.in-addr.arpa

        • 8.8.8.8:53
          65.196.17.2.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          65.196.17.2.in-addr.arpa

        • 8.8.8.8:53
          88.156.103.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          88.156.103.20.in-addr.arpa

        • 8.8.8.8:53
          28.118.140.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          28.118.140.52.in-addr.arpa

        • 8.8.8.8:53
          103.169.127.40.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          103.169.127.40.in-addr.arpa

        • 8.8.8.8:53
          171.39.242.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          171.39.242.20.in-addr.arpa

        • 8.8.8.8:53
          0.204.248.87.in-addr.arpa
          dns
          71 B
          116 B
          1
          1

          DNS Request

          0.204.248.87.in-addr.arpa

        • 8.8.8.8:53
          19.229.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          19.229.111.52.in-addr.arpa

        • 8.8.8.8:53
          77.190.18.2.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          77.190.18.2.in-addr.arpa

        • 8.8.8.8:53
          tse1.mm.bing.net
          dns
          62 B
          173 B
          1
          1

          DNS Request

          tse1.mm.bing.net

          DNS Response

          204.79.197.200
          13.107.21.200

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\07ba8bb00089d54f9f49\gennt.exe

          Filesize

          368KB

          MD5

          345c37943c7a7e1fd0098aab07fe3c86

          SHA1

          ff8d484c90feab90b94502fbcaff84b16eb9a280

          SHA256

          1e0fc6cf4d0b655fc2495aeb3890f382e00ec9060ab23fa0a035a5042cda6daa

          SHA512

          888e8d2f20ccf440107971e8268d06b34aa8c7e5c476f55544321780f30af52c731ada5cca83f015b607f3b61dc5be276199a9dd3cc50fd70ed47c38ca5495cd

        • memory/3476-25-0x00000000005F0000-0x00000000005F1000-memory.dmp

          Filesize

          4KB

        • memory/3648-17-0x00000000020D0000-0x00000000020DC000-memory.dmp

          Filesize

          48KB

        • memory/3648-21-0x00000000020B0000-0x00000000020B7000-memory.dmp

          Filesize

          28KB

        • memory/3648-27-0x0000000000400000-0x000000000045F000-memory.dmp

          Filesize

          380KB

        • memory/4900-0-0x00000000023D0000-0x00000000023DC000-memory.dmp

          Filesize

          48KB

        • memory/4900-4-0x00000000023C0000-0x00000000023CA000-memory.dmp

          Filesize

          40KB

        • memory/4900-5-0x00000000023B0000-0x00000000023B7000-memory.dmp

          Filesize

          28KB
