Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 11:27

Static task: static1
Behavioral task: behavioral1
Sample: 345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe
Resource: win10v2004-20240426-en

General
Target: 345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe
Size: 368KB
MD5: 345c37943c7a7e1fd0098aab07fe3c86
SHA1: ff8d484c90feab90b94502fbcaff84b16eb9a280
SHA256: 1e0fc6cf4d0b655fc2495aeb3890f382e00ec9060ab23fa0a035a5042cda6daa
SHA512: 888e8d2f20ccf440107971e8268d06b34aa8c7e5c476f55544321780f30af52c731ada5cca83f015b607f3b61dc5be276199a9dd3cc50fd70ed47c38ca5495cd
SSDEEP: 6144:GpWnsT313ntnJiuPn28TTc48OSswYLi9zdsPqw73hJfrhIN:+3Xnguf2ic/swVzWBJT4
Malware Config
Extracted family: buer
URLs:
https://162.244.81.87/
http://162.244.81.87:8080/
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Set value (str) by gennt.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\07ba8bb00089d54f9f49\\gennt.exe\""
-
YARA rule matches (rule: buer)
behavioral2/memory/4900-0-0x00000000023D0000-0x00000000023DC000-memory.dmp: buer
behavioral2/memory/4900-4-0x00000000023C0000-0x00000000023CA000-memory.dmp: buer
behavioral2/memory/3648-17-0x00000000020D0000-0x00000000020DC000-memory.dmp: buer
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried by gennt.exe: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation
-
Deletes itself (1 IoC)
PID 3648 gennt.exe
-
Executes dropped EXE (1 IoC)
PID 3648 gennt.exe
-
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by gennt.exe: \??\Z:, \??\L:, \??\P:, \??\X:, \??\N:, \??\T:, \??\V:, \??\B:, \??\E:, \??\M:, \??\Q:, \??\R:, \??\S:, \??\U:, \??\Y:, \??\I:, \??\J:, \??\O:, \??\K:, \??\W:, \??\A:, \??\G:, \??\H:
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (1 IoC)
PID 828 WerFault.exe, target PID 3476 (procid_target 99)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 3648 gennt.exe (2 events)
-
Suspicious use of SetWindowsHookEx (4 IoCs)
PID 4900 345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe (2 events)
PID 3648 gennt.exe (2 events)
-
Suspicious use of WriteProcessMemory (16 IoCs)
PID 4900 (345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe) wrote to memory of PID 3648 (procid_target 98): 3 events
PID 3648 (gennt.exe) wrote to memory of PID 3476 (procid_target 99): 10 events
PID 3648 (gennt.exe) wrote to memory of PID 4636 (procid_target 109): 3 events
Processes
-
C:\Users\Admin\AppData\Local\Temp\345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe (PID 4900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\07ba8bb00089d54f9f49\gennt.exe (PID 3648)
      Command line: C:\ProgramData\07ba8bb00089d54f9f49\gennt.exe "C:\Users\Admin\AppData\Local\Temp\345c37943c7a7e1fd0098aab07fe3c86_JaffaCakes118.exe" ensgJJ
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\secinit.exe (PID 3476)
          Command line: C:\ProgramData\07ba8bb00089d54f9f49\gennt.exe
            C:\Windows\SysWOW64\WerFault.exe (PID 828)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 480
              - Program crash
        C:\Windows\SysWOW64\cmd.exe (PID 4636)
          Command line: "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\07ba8bb00089d54f9f49}"
-
C:\Windows\SysWOW64\WerFault.exe (PID 860)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3476 -ip 3476
Network
Note: none of the connections recorded below go to the extracted configuration's 162.244.81.87 endpoints; the captured traffic is limited to Bing/Windows shell background requests (user agents WindowsShellClient/9.0.40929.0 and Edge/18.19041) and reverse DNS lookups.
-
Remote address: 8.8.8.8:53
Request: g.bing.com IN A
Response: g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net; g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net; dual-a-0034.a-msedge.net IN A 204.79.197.237; dual-a-0034.a-msedge.net IN A 13.107.21.237
-
Remote address: 204.79.197.237:443
Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response: HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=30896FF1F04566AB2F2A7B8DF1626771; domain=.bing.com; expires=Thu, 05-Jun-2025 11:27:42 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 29BD0B88772D411C8A8E8BC430341C82 Ref B: LON04EDGE0612 Ref C: 2024-05-11T11:27:42Z
date: Sat, 11 May 2024 11:27:41 GMT
-
Remote address: 204.79.197.237:443
Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=30896FF1F04566AB2F2A7B8DF1626771; _EDGE_S=SID=01F3B3BF80FE6A1125ECA7C3812C6B17
Response: HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=EHpenbHhBkWxeprpS-S4et5bDBjfqpvP4Yjdubj8hbI; domain=.bing.com; expires=Thu, 05-Jun-2025 11:27:42 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 256D196E37594DC18B8B0E47A95FBE31 Ref B: LON04EDGE0612 Ref C: 2024-05-11T11:27:42Z
date: Sat, 11 May 2024 11:27:42 GMT
-
Remote address: 8.8.8.8:53
Request: 104.219.191.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 79.190.18.2.in-addr.arpa IN PTR
Response: 79.190.18.2.in-addr.arpa IN PTR a2-18-190-79.deploy.static.akamaitechnologies.com
-
Remote address: 2.17.196.65:443
Request: GET https://www.bing.com/aes/c.gif?RG=ef12739d00b44171bf5f714850a0ef4f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135909Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=30896FF1F04566AB2F2A7B8DF1626771
Response: HTTP/2.0 200
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D7136E36F9A54401902E7BBCBC67E128 Ref B: FRAEDGE1205 Ref C: 2024-05-11T11:27:42Z
content-length: 0
date: Sat, 11 May 2024 11:27:42 GMT
set-cookie: _EDGE_S=SID=01F3B3BF80FE6A1125ECA7C3812C6B17; path=/; httponly; domain=bing.com
set-cookie: MUIDB=30896FF1F04566AB2F2A7B8DF1626771; path=/; httponly; expires=Thu, 05-Jun-2025 11:27:42 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.3dc41102.1715426862.d5b59a8
-
Remote address: 8.8.8.8:53
Request: 75.159.190.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 237.197.79.204.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 2.17.196.65:443
Request: GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=30896FF1F04566AB2F2A7B8DF1626771; _EDGE_S=SID=01F3B3BF80FE6A1125ECA7C3812C6B17; MSPTC=EHpenbHhBkWxeprpS-S4et5bDBjfqpvP4Yjdubj8hbI; MUIDB=30896FF1F04566AB2F2A7B8DF1626771
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response: HTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Sat, 11 May 2024 11:27:43 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.3dc41102.1715426863.d5b5e8f
-
Remote address: 8.8.8.8:53
Request: 65.196.17.2.in-addr.arpa IN PTR
Response: 65.196.17.2.in-addr.arpa IN PTR a2-17-196-65.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 88.156.103.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 28.118.140.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 103.169.127.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 171.39.242.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 0.204.248.87.in-addr.arpa IN PTR
Response: 0.204.248.87.in-addr.arpa IN PTR https-87-248-204-0.lhr.llnw.net
-
Remote address: 8.8.8.8:53
Request: 19.229.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 77.190.18.2.in-addr.arpa IN PTR
Response: 77.190.18.2.in-addr.arpa IN PTR a2-18-190-77.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: tse1.mm.bing.net IN A
Response: tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net; mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net; dual-a-0001.a-msedge.net IN A 204.79.197.200; dual-a-0001.a-msedge.net IN A 13.107.21.200
-
Remote address: 204.79.197.200:443
Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response: HTTP/2.0 200
content-length: 382817
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 19C1E464511F43BB9038D38D20BEF4C6 Ref B: LON04EDGE0809 Ref C: 2024-05-11T11:29:21Z
date: Sat, 11 May 2024 11:29:20 GMT
-
Remote address: 204.79.197.200:443
Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response: HTTP/2.0 200
content-length: 464243
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C82704FE73884420A89139896D86141B Ref B: LON04EDGE0809 Ref C: 2024-05-11T11:29:21Z
date: Sat, 11 May 2024 11:29:20 GMT
-
Connection summary (bytes sent / bytes received / packets sent / packets received)
-
204.79.197.237:443 (tls, http2): 2.5kB sent, 9.0kB received, 19 packets sent, 17 received
HTTP Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E
HTTP Response: 204
HTTP Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De86hMhsR0xNTMJI7uIgpLFJDVUCUxDHcLsVEPQS689h8rggLN-UyNaiQDSZeP0EFuYom31Cc2NqSUqgSQ-U1Gf4xT3-9uOS-ZkPUygYbdU8X6EVti93-u3Prab18DL7bfdeihjzv4uncxC_8DIWerVTuIHQTmAiE5wyis1-fbZgAXQKtHP%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd3eef8e39e6c1f0748bd9ec82d6385a0&TIME=20240426T135909Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E
HTTP Response: 204
-
2.17.196.65:443 (tls, http2): 1.5kB sent, 5.4kB received, 17 packets sent, 12 received
HTTP Request: GET https://www.bing.com/aes/c.gif?RG=ef12739d00b44171bf5f714850a0ef4f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135909Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893
HTTP Response: 200
-
2.17.196.65:443 (tls, http2): 1.7kB sent, 6.4kB received, 18 packets sent, 12 received
HTTP Request: GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
HTTP Response: 200
-
(endpoint not recorded): 1.2kB sent, 8.1kB received, 16 packets sent, 14 received
-
204.79.197.200:443 (tls, http2): 30.6kB sent, 884.0kB received, 648 packets sent, 644 received
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
HTTP Response: 200
HTTP Response: 200
-
(endpoint not recorded): 260 B sent, 200 B received, 5 packets sent, 5 received
-
(endpoint not recorded): 260 B sent, 200 B received, 5 packets sent, 5 received
-
(endpoint not recorded): 260 B sent, 200 B received, 5 packets sent, 5 received
-
DNS request g.bing.com: 56 B sent, 151 B received, 1 packet sent, 1 received
DNS response: 204.79.197.237, 13.107.21.237
-
DNS request 104.219.191.52.in-addr.arpa: 73 B sent, 147 B received, 1 packet sent, 1 received
-
DNS request 79.190.18.2.in-addr.arpa: 70 B sent, 133 B received, 1 packet sent, 1 received
-
DNS request 75.159.190.20.in-addr.arpa: 72 B sent, 158 B received, 1 packet sent, 1 received
-
DNS request 95.221.229.192.in-addr.arpa: 73 B sent, 144 B received, 1 packet sent, 1 received
-
DNS request 237.197.79.204.in-addr.arpa: 73 B sent, 143 B received, 1 packet sent, 1 received
-
DNS request 65.196.17.2.in-addr.arpa: 70 B sent, 133 B received, 1 packet sent, 1 received
-
DNS request 88.156.103.20.in-addr.arpa: 72 B sent, 158 B received, 1 packet sent, 1 received
-
DNS request 28.118.140.52.in-addr.arpa: 72 B sent, 158 B received, 1 packet sent, 1 received
-
DNS request 103.169.127.40.in-addr.arpa: 73 B sent, 147 B received, 1 packet sent, 1 received
-
DNS request 171.39.242.20.in-addr.arpa: 72 B sent, 158 B received, 1 packet sent, 1 received
-
DNS request 0.204.248.87.in-addr.arpa: 71 B sent, 116 B received, 1 packet sent, 1 received
-
DNS request 19.229.111.52.in-addr.arpa: 72 B sent, 158 B received, 1 packet sent, 1 received
-
DNS request 77.190.18.2.in-addr.arpa: 70 B sent, 133 B received, 1 packet sent, 1 received
-
DNS request tse1.mm.bing.net: 62 B sent, 173 B received, 1 packet sent, 1 received
DNS response: 204.79.197.200, 13.107.21.200
-