Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/05/2024, 09:19 UTC

General

  • Target

    fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe

  • Size

    192KB

  • MD5

    9e8baf127b832943d4fae218ce90191a

  • SHA1

    449e6f1c2c79cb0ee4d43151bcaa6ecfd38efa70

  • SHA256

    fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0

  • SHA512

    9af9e3e30c34ecad41277c0bb8e27eabaf7fa05249153ffac20262af4ed3680a5a85cc5c192b04b3da3835396ef68e4e4a8b9123c663d8cf2f3a8681db7f8114

  • SSDEEP

    6144:b05H0JNb+gzTy9ZRTbPG9rYxf2hnbSayKTTfq+T/ur:A+uHG9rYxf2hnbSayKTTfq+T/ur

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe
    "C:\Users\Admin\AppData\Local\Temp\fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Users\Admin\AppData\Roaming\yar.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1536
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "yar"
      2⤵
      PID:2120
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC1C.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:4920
    • C:\Users\Admin\AppData\Roaming\yar.exe
      C:\Users\Admin\AppData\Roaming\yar.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4768
    • C:\Users\Admin\AppData\Roaming\yar.exe
      C:\Users\Admin\AppData\Roaming\yar.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1688

Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132015Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132015Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=34A88206CB9C6FAB1E899678CABB6E40; domain=.bing.com; expires=Sat, 07-Jun-2025 09:19:27 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D4A03F64B1904354BC0DFD826C739203 Ref B: LON04EDGE0716 Ref C: 2024-05-13T09:19:27Z
      date: Mon, 13 May 2024 09:19:27 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132016Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132016Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=34A88206CB9C6FAB1E899678CABB6E40; _EDGE_S=SID=162423C6574E6AAD12FC37B856486BF8
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=C_adWsRJE0ICDsy3D0VQPfXt22xqUcwR7Z-axJSn4Aw; domain=.bing.com; expires=Sat, 07-Jun-2025 09:19:28 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 9DEE59E8C3F3401B9BFBF04B49495F9B Ref B: LON04EDGE0716 Ref C: 2024-05-13T09:19:28Z
      date: Mon, 13 May 2024 09:19:27 GMT
    • flag-nl
      GET
      https://www.bing.com/aes/c.gif?RG=4c4dd51a913845ecb3168949d2670440&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132015Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189
      Remote address:
      23.62.61.138:443
      Request
      GET /aes/c.gif?RG=4c4dd51a913845ecb3168949d2670440&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132015Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189 HTTP/2.0
      host: www.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=34A88206CB9C6FAB1E899678CABB6E40
      Response
      HTTP/2.0 200
      cache-control: private,no-store
      pragma: no-cache
      vary: Origin
      p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 3688338115324E8E880A556E48CF64F8 Ref B: LON212050702023 Ref C: 2024-05-13T09:19:28Z
      content-length: 0
      date: Mon, 13 May 2024 09:19:28 GMT
      set-cookie: _EDGE_S=SID=162423C6574E6AAD12FC37B856486BF8; path=/; httponly; domain=bing.com
      set-cookie: MUIDB=34A88206CB9C6FAB1E899678CABB6E40; path=/; httponly; expires=Sat, 07-Jun-2025 09:19:28 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.863d3e17.1715591968.915aac4
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      138.61.62.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      138.61.62.23.in-addr.arpa
      IN PTR
      Response
      138.61.62.23.in-addr.arpa
      IN PTR
      a23-62-61-138.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      0.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-nl
      GET
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      Remote address:
      23.62.61.138:443
      Request
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      cookie: MUID=34A88206CB9C6FAB1E899678CABB6E40; _EDGE_S=SID=162423C6574E6AAD12FC37B856486BF8; MSPTC=C_adWsRJE0ICDsy3D0VQPfXt22xqUcwR7Z-axJSn4Aw; MUIDB=34A88206CB9C6FAB1E899678CABB6E40
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Mon, 13 May 2024 09:19:29 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.863d3e17.1715591969.915b0a0
    • flag-us
      DNS
      politics-fiber.gl.at.ply.gg
      fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe
      Remote address:
      8.8.8.8:53
      Request
      politics-fiber.gl.at.ply.gg
      IN A
      Response
      politics-fiber.gl.at.ply.gg
      IN A
      147.185.221.19
    • flag-us
      DNS
      19.221.185.147.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.221.185.147.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      0.204.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.204.248.87.in-addr.arpa
      IN PTR
      Response
      0.204.248.87.in-addr.arpa
      IN PTR
      https-87-248-204-0.lhr.llnw.net
    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      22.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      79.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.190.18.2.in-addr.arpa
      IN PTR
      Response
      79.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-79.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 464243
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 12E152F95A6942CD9A5DBF06CF4D8970 Ref B: LON04EDGE1019 Ref C: 2024-05-13T09:21:03Z
      date: Mon, 13 May 2024 09:21:03 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 382817
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 093AF5A1A0714BBA9A1F6236F62EAF71 Ref B: LON04EDGE1019 Ref C: 2024-05-13T09:21:03Z
      date: Mon, 13 May 2024 09:21:03 GMT
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      24.73.42.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.73.42.20.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132016Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
      tls, http2
      2.5kB
      9.0kB
      20
      16

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132015Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132016Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

      HTTP Response

      204
    • 23.62.61.138:443
      https://www.bing.com/aes/c.gif?RG=4c4dd51a913845ecb3168949d2670440&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132015Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189
      tls, http2
      1.5kB
      5.4kB
      17
      11

      HTTP Request

      GET https://www.bing.com/aes/c.gif?RG=4c4dd51a913845ecb3168949d2670440&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132015Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

      HTTP Response

      200
    • 23.62.61.138:443
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      tls, http2
      1.7kB
      6.4kB
      18
      12

      HTTP Request

      GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

      HTTP Response

      200
    • 147.185.221.19:47430
      politics-fiber.gl.at.ply.gg
      fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe
      1.7kB
      1.1kB
      23
      22
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      13
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      32.1kB
      884.1kB
      651
      648

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      132 B
      90 B
      2
      1

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      140 B
      144 B
      2
      1

      DNS Request

      58.55.71.13.in-addr.arpa

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
      143 B
      1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      138.61.62.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      138.61.62.23.in-addr.arpa

    • 8.8.8.8:53
      0.159.190.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      0.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      politics-fiber.gl.at.ply.gg
      dns
      fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe
      73 B
      89 B
      1
      1

      DNS Request

      politics-fiber.gl.at.ply.gg

      DNS Response

      147.185.221.19

    • 8.8.8.8:53
      19.221.185.147.in-addr.arpa
      dns
      73 B
      130 B
      1
      1

      DNS Request

      19.221.185.147.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      0.204.248.87.in-addr.arpa
      dns
      71 B
      116 B
      1
      1

      DNS Request

      0.204.248.87.in-addr.arpa

    • 8.8.8.8:53
      77.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      77.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      22.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      22.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      79.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      79.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      124 B
      173 B
      2
      1

      DNS Request

      tse1.mm.bing.net

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      24.73.42.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      24.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yar.exe.log

      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    • C:\Users\Admin\AppData\Local\Temp\tmpC1C.tmp.bat

      Filesize

      215B

      MD5

      c1c6a86da12e4595aafbb3300b21abe8

      SHA1

      cc8f7e3a59590564aa367df4bde457b8991636ad

      SHA256

      d99b9db6902341158e73e20b66208322528a4284280b330af20b1363388cb50d

      SHA512

      25172cb2706aae44d0f775b0a4eed0e4fb138f84e5bec34938f410e504d8e2833a40e9be4b9f68d3f6fbaf0e45bc8f8ae154185075f234f68b6d5a920af942ba

    • C:\Users\Admin\AppData\Roaming\yar.exe

      Filesize

      192KB

      MD5

      9e8baf127b832943d4fae218ce90191a

      SHA1

      449e6f1c2c79cb0ee4d43151bcaa6ecfd38efa70

      SHA256

      fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0

      SHA512

      9af9e3e30c34ecad41277c0bb8e27eabaf7fa05249153ffac20262af4ed3680a5a85cc5c192b04b3da3835396ef68e4e4a8b9123c663d8cf2f3a8681db7f8114

    • memory/2724-1-0x0000000000DE0000-0x0000000000E18000-memory.dmp

      Filesize

      224KB

    • memory/2724-0-0x00007FF8E5BB3000-0x00007FF8E5BB5000-memory.dmp

      Filesize

      8KB

    • memory/2724-2-0x00000000013B0000-0x00000000013B6000-memory.dmp

      Filesize

      24KB

    • memory/2724-3-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

      Filesize

      10.8MB

    • memory/2724-5-0x00007FF8E5BB3000-0x00007FF8E5BB5000-memory.dmp

      Filesize

      8KB

    • memory/2724-6-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

      Filesize

      10.8MB

    • memory/2724-17-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

      Filesize

      10.8MB

    • memory/4768-9-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

      Filesize

      10.8MB

    • memory/4768-11-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

      Filesize

      10.8MB
