3d67b720ce52bf29c3a699956834f69a24fdfee7f51bf9557c9c1e3650073126

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 17:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473d572e42e2dffd695d12296cb28380_JaffaCakes118.exe
Size

273KB
MD5

473d572e42e2dffd695d12296cb28380
SHA1

04cff8b46c433182655771756da209311e1de595
SHA256

3d67b720ce52bf29c3a699956834f69a24fdfee7f51bf9557c9c1e3650073126
SHA512

554b6880205aa81eff0405c1eb5e7e8db37f3fce85b5916fa7c631f7d3818c599dd2b6ac58bfbfd9c965278e69ccccd61804e903326a9fd5febafe71669c517e
SSDEEP

6144:4FJ0PPMFxGlq9IMoZiUr5e1MmXK2PFLpVVBqT5ldhtDjYZNI:7UZ9hYZrc1pXZNd/BqT5ljtXYZN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
320	befbfefdfd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
600	320	WerFault.exe	82

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4424	wmic.exe
Token: SeSecurityPrivilege	4424	wmic.exe
Token: SeTakeOwnershipPrivilege	4424	wmic.exe
Token: SeLoadDriverPrivilege	4424	wmic.exe
Token: SeSystemProfilePrivilege	4424	wmic.exe
Token: SeSystemtimePrivilege	4424	wmic.exe
Token: SeProfSingleProcessPrivilege	4424	wmic.exe
Token: SeIncBasePriorityPrivilege	4424	wmic.exe
Token: SeCreatePagefilePrivilege	4424	wmic.exe
Token: SeBackupPrivilege	4424	wmic.exe
Token: SeRestorePrivilege	4424	wmic.exe
Token: SeShutdownPrivilege	4424	wmic.exe
Token: SeDebugPrivilege	4424	wmic.exe
Token: SeSystemEnvironmentPrivilege	4424	wmic.exe
Token: SeRemoteShutdownPrivilege	4424	wmic.exe
Token: SeUndockPrivilege	4424	wmic.exe
Token: SeManageVolumePrivilege	4424	wmic.exe
Token: 33	4424	wmic.exe
Token: 34	4424	wmic.exe
Token: 35	4424	wmic.exe
Token: 36	4424	wmic.exe
Token: SeIncreaseQuotaPrivilege	4424	wmic.exe
Token: SeSecurityPrivilege	4424	wmic.exe
Token: SeTakeOwnershipPrivilege	4424	wmic.exe
Token: SeLoadDriverPrivilege	4424	wmic.exe
Token: SeSystemProfilePrivilege	4424	wmic.exe
Token: SeSystemtimePrivilege	4424	wmic.exe
Token: SeProfSingleProcessPrivilege	4424	wmic.exe
Token: SeIncBasePriorityPrivilege	4424	wmic.exe
Token: SeCreatePagefilePrivilege	4424	wmic.exe
Token: SeBackupPrivilege	4424	wmic.exe
Token: SeRestorePrivilege	4424	wmic.exe
Token: SeShutdownPrivilege	4424	wmic.exe
Token: SeDebugPrivilege	4424	wmic.exe
Token: SeSystemEnvironmentPrivilege	4424	wmic.exe
Token: SeRemoteShutdownPrivilege	4424	wmic.exe
Token: SeUndockPrivilege	4424	wmic.exe
Token: SeManageVolumePrivilege	4424	wmic.exe
Token: 33	4424	wmic.exe
Token: 34	4424	wmic.exe
Token: 35	4424	wmic.exe
Token: 36	4424	wmic.exe
Token: SeIncreaseQuotaPrivilege	4508	wmic.exe
Token: SeSecurityPrivilege	4508	wmic.exe
Token: SeTakeOwnershipPrivilege	4508	wmic.exe
Token: SeLoadDriverPrivilege	4508	wmic.exe
Token: SeSystemProfilePrivilege	4508	wmic.exe
Token: SeSystemtimePrivilege	4508	wmic.exe
Token: SeProfSingleProcessPrivilege	4508	wmic.exe
Token: SeIncBasePriorityPrivilege	4508	wmic.exe
Token: SeCreatePagefilePrivilege	4508	wmic.exe
Token: SeBackupPrivilege	4508	wmic.exe
Token: SeRestorePrivilege	4508	wmic.exe
Token: SeShutdownPrivilege	4508	wmic.exe
Token: SeDebugPrivilege	4508	wmic.exe
Token: SeSystemEnvironmentPrivilege	4508	wmic.exe
Token: SeRemoteShutdownPrivilege	4508	wmic.exe
Token: SeUndockPrivilege	4508	wmic.exe
Token: SeManageVolumePrivilege	4508	wmic.exe
Token: 33	4508	wmic.exe
Token: 34	4508	wmic.exe
Token: 35	4508	wmic.exe
Token: 36	4508	wmic.exe
Token: SeIncreaseQuotaPrivilege	4508	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 320	848	473d572e42e2dffd695d12296cb28380_JaffaCakes118.exe	82
PID 848 wrote to memory of 320	848	473d572e42e2dffd695d12296cb28380_JaffaCakes118.exe	82
PID 848 wrote to memory of 320	848	473d572e42e2dffd695d12296cb28380_JaffaCakes118.exe	82
PID 320 wrote to memory of 4424	320	befbfefdfd.exe	83
PID 320 wrote to memory of 4424	320	befbfefdfd.exe	83
PID 320 wrote to memory of 4424	320	befbfefdfd.exe	83
PID 320 wrote to memory of 4508	320	befbfefdfd.exe	87
PID 320 wrote to memory of 4508	320	befbfefdfd.exe	87
PID 320 wrote to memory of 4508	320	befbfefdfd.exe	87
PID 320 wrote to memory of 1548	320	befbfefdfd.exe	89
PID 320 wrote to memory of 1548	320	befbfefdfd.exe	89
PID 320 wrote to memory of 1548	320	befbfefdfd.exe	89
PID 320 wrote to memory of 3224	320	befbfefdfd.exe	92
PID 320 wrote to memory of 3224	320	befbfefdfd.exe	92
PID 320 wrote to memory of 3224	320	befbfefdfd.exe	92
PID 320 wrote to memory of 1476	320	befbfefdfd.exe	94
PID 320 wrote to memory of 1476	320	befbfefdfd.exe	94
PID 320 wrote to memory of 1476	320	befbfefdfd.exe	94

C:\Users\Admin\AppData\Local\Temp\473d572e42e2dffd695d12296cb28380_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\473d572e42e2dffd695d12296cb28380_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\befbfefdfd.exe
  C:\Users\Admin\AppData\Local\Temp\befbfefdfd.exe 5#2#4#6#8#3#3#1#8#0#7 Kk5FPjUvMDIqNxkqUVE8SEZBPCggKElDUFFHT0hIPD0qGy1AQ0tRRkM1MjIyNCwaJ0BGQzUwGSpOTkk8UkBTV0k9ODA1KigtHS5LRUtRQ05ZTU9JPGB0bWs4Kylrb3MtPEVMRitQSUgqPk9ILkJJREsaJ0BJSDtLQj87by48RW9DTnAxbkZdWUZTSEVPVTpfbVJmR0p3b0BuTEtlTW9RLWFJTTVqcFdJMldzRkdfZWksd2BUPDFAcl1jUj5hTm4oTVBVbnE6Lm1VK05AbUNEZzJvYj9waVBfRWFISmZgdTs/cnZNMHVHSkIpTU1IRlYYLz0sOykrGCxBMTUtKhstQC01Ki4fJ0QtOCstGidBMjwlMRkqTk5JPFJAU1dQS0RUPT1ROh0uSFJIP1M/TldCUks5PRkqTk5JPFJAU1dOOkhDOT0lNDEwLUY/MjItLyZvXnEYLz5TQ1tPSkk6HydFUUBdP0c8SUZNPT0ZKkZLTUxcP1FHV0xAUDkvGCxRRzlORFRNUVlNT0k8GC9PSDsuGidBUDA1MSoxLhwpSlJLU0FNPlpVQUY7TEpEQU06QkNRTEQ6HS5BU1hNU0pOQUpCPGxybmAeK0w9UVJRRklHQl1RTT1PXEM5WUw4MBwpQEZBRFA9KhstRU1XQVZNOU1CPl1BSDtPVk9MRT04ZF1ma2IdLjxPUElKSzs8XEZPNTIpMywtKygrNjImMSstHitKOU8+S0RFRVpHSk1MPklLNXRrcGMcKUxGSkQ1MS0wLzEwLzYuMRgvPUpVSkZHPkFeTElGQDstLCcwLi4qMCowKC00KTU3MioqSUg=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715794069.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715794069.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715794069.txt bios get version
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715794069.txt bios get version
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81715794069.txt bios get version
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 852
    3⤵
    - Program crash
    PID:600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 320 -ip 320
1⤵
PID:1508

Network

DNS

srv.desk-top-app.info

befbfefdfd.exe

Remote address:

8.8.8.8:53

Request

srv.desk-top-app.info

IN A

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

142.53.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.53.16.96.in-addr.arpa

IN PTR

Response

142.53.16.96.in-addr.arpa

IN PTR

a96-16-53-142deploystaticakamaitechnologiescom
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8z3UcYspxWRxGCb4I_McjRjVUCUwGjqDckN_05D-QpT9jXTgIeUbW3oBr3BQ3VKzWXEhgDHXtIGuX4dWX0WZL43o25iFLy3-4LMeT7L7oY3-nbd-WQgLquUaFc_F_-39A10ljVMVH8kGikauJhbd6MjjQyQL78dvyuyyFFNPk516BKP53%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc0d46288a21b1c4c4ef704b3ca5cb400&TIME=20240515T172851Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8z3UcYspxWRxGCb4I_McjRjVUCUwGjqDckN_05D-QpT9jXTgIeUbW3oBr3BQ3VKzWXEhgDHXtIGuX4dWX0WZL43o25iFLy3-4LMeT7L7oY3-nbd-WQgLquUaFc_F_-39A10ljVMVH8kGikauJhbd6MjjQyQL78dvyuyyFFNPk516BKP53%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc0d46288a21b1c4c4ef704b3ca5cb400&TIME=20240515T172851Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=36D29B59A56563C50FB28FD9A4426241; domain=.bing.com; expires=Mon, 09-Jun-2025 17:29:26 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1E6A65F7C1394FBFBFAD294F3FBD86D5 Ref B: LON04EDGE0720 Ref C: 2024-05-15T17:29:26Z
date: Wed, 15 May 2024 17:29:25 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8z3UcYspxWRxGCb4I_McjRjVUCUwGjqDckN_05D-QpT9jXTgIeUbW3oBr3BQ3VKzWXEhgDHXtIGuX4dWX0WZL43o25iFLy3-4LMeT7L7oY3-nbd-WQgLquUaFc_F_-39A10ljVMVH8kGikauJhbd6MjjQyQL78dvyuyyFFNPk516BKP53%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc0d46288a21b1c4c4ef704b3ca5cb400&TIME=20240515T172851Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8z3UcYspxWRxGCb4I_McjRjVUCUwGjqDckN_05D-QpT9jXTgIeUbW3oBr3BQ3VKzWXEhgDHXtIGuX4dWX0WZL43o25iFLy3-4LMeT7L7oY3-nbd-WQgLquUaFc_F_-39A10ljVMVH8kGikauJhbd6MjjQyQL78dvyuyyFFNPk516BKP53%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc0d46288a21b1c4c4ef704b3ca5cb400&TIME=20240515T172851Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=36D29B59A56563C50FB28FD9A4426241; _EDGE_S=SID=2957AE03303264E712E6BA83317A654F

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=JB0zdMxrqBlV5jTmreupjPbLE3QJWxdUZuLVxa1D5T8; domain=.bing.com; expires=Mon, 09-Jun-2025 17:29:26 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EB54D612D9574CCF81159216F93C48A1 Ref B: LON04EDGE0720 Ref C: 2024-05-15T17:29:26Z
date: Wed, 15 May 2024 17:29:25 GMT
GET

https://www.bing.com/aes/c.gif?RG=20d783b6ea4a4c2fb397afd79a7bac9b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240515T172851Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

Remote address:

23.62.61.75:443

Request

GET /aes/c.gif?RG=20d783b6ea4a4c2fb397afd79a7bac9b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240515T172851Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=36D29B59A56563C50FB28FD9A4426241

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B1B1DB7577FB440C870A7D54B57B5302 Ref B: BRU30EDGE0816 Ref C: 2024-05-15T17:29:26Z
content-length: 0
date: Wed, 15 May 2024 17:29:26 GMT
set-cookie: _EDGE_S=SID=2957AE03303264E712E6BA83317A654F; path=/; httponly; domain=bing.com
set-cookie: MUIDB=36D29B59A56563C50FB28FD9A4426241; path=/; httponly; expires=Mon, 09-Jun-2025 17:29:26 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.473d3e17.1715794166.7f2ee26
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 27D407DC7EA041699B77F75EE417EFC5 Ref B: LON04EDGE0611 Ref C: 2024-05-15T17:29:27Z
date: Wed, 15 May 2024 17:29:26 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8E4B2DC3C3504E208961667332683402 Ref B: LON04EDGE0611 Ref C: 2024-05-15T17:29:27Z
date: Wed, 15 May 2024 17:29:26 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1BBEA88ECD084F12BFEF4B28E5778B5C Ref B: LON04EDGE0611 Ref C: 2024-05-15T17:29:27Z
date: Wed, 15 May 2024 17:29:26 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 25D730D1AB8B4789BF10DAE15AEEEE77 Ref B: LON04EDGE0611 Ref C: 2024-05-15T17:29:27Z
date: Wed, 15 May 2024 17:29:26 GMT
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.75:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=36D29B59A56563C50FB28FD9A4426241; _EDGE_S=SID=2957AE03303264E712E6BA83317A654F; MSPTC=JB0zdMxrqBlV5jTmreupjPbLE3QJWxdUZuLVxa1D5T8; MUIDB=36D29B59A56563C50FB28FD9A4426241
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Wed, 15 May 2024 17:29:27 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.473d3e17.1715794167.7f2ef92
DNS

75.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.61.62.23.in-addr.arpa

IN PTR

Response

75.61.62.23.in-addr.arpa

IN PTR

a23-62-61-75deploystaticakamaitechnologiescom
DNS

63.141.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

63.141.182.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8z3UcYspxWRxGCb4I_McjRjVUCUwGjqDckN_05D-QpT9jXTgIeUbW3oBr3BQ3VKzWXEhgDHXtIGuX4dWX0WZL43o25iFLy3-4LMeT7L7oY3-nbd-WQgLquUaFc_F_-39A10ljVMVH8kGikauJhbd6MjjQyQL78dvyuyyFFNPk516BKP53%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc0d46288a21b1c4c4ef704b3ca5cb400&TIME=20240515T172851Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8z3UcYspxWRxGCb4I_McjRjVUCUwGjqDckN_05D-QpT9jXTgIeUbW3oBr3BQ3VKzWXEhgDHXtIGuX4dWX0WZL43o25iFLy3-4LMeT7L7oY3-nbd-WQgLquUaFc_F_-39A10ljVMVH8kGikauJhbd6MjjQyQL78dvyuyyFFNPk516BKP53%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc0d46288a21b1c4c4ef704b3ca5cb400&TIME=20240515T172851Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8z3UcYspxWRxGCb4I_McjRjVUCUwGjqDckN_05D-QpT9jXTgIeUbW3oBr3BQ3VKzWXEhgDHXtIGuX4dWX0WZL43o25iFLy3-4LMeT7L7oY3-nbd-WQgLquUaFc_F_-39A10ljVMVH8kGikauJhbd6MjjQyQL78dvyuyyFFNPk516BKP53%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc0d46288a21b1c4c4ef704b3ca5cb400&TIME=20240515T172851Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

HTTP Response

204
23.62.61.75:443

https://www.bing.com/aes/c.gif?RG=20d783b6ea4a4c2fb397afd79a7bac9b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240515T172851Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

tls, http2

1.4kB
5.3kB
16
10

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=20d783b6ea4a4c2fb397afd79a7bac9b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240515T172851Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

97.4kB
2.8MB
2029
2027

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
23.62.61.75:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
16
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

srv.desk-top-app.info

dns

befbfefdfd.exe

67 B
146 B
1
1

DNS Request

srv.desk-top-app.info
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

142.53.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

142.53.16.96.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

75.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.61.62.23.in-addr.arpa
8.8.8.8:53

63.141.182.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

63.141.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81715794069.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81715794069.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81715794069.txt

Filesize
58B

MD5
f8e2f71e123c5a848f2a83d2a7aef11e

SHA1
5e7a9a2937fa4f06fdf3e33d7def7de431c159b4

SHA256
79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121

SHA512
8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\befbfefdfd.exe

Filesize
469KB

MD5
554d81d88b401cb3cd6d586020603c42

SHA1
9c3eafab8404400083b1230b3311107fcacf547f

SHA256
b934d5e2794d403ec536bfdf9c0eefb6900f7703f7691941e075affdda1d7733

SHA512
c40378c68bcba73b065138b50b0dd3895aa67f09fe377f4bc275580bce716edd2245d9f4762e2b5248cbadc1fe4c248379cb54dbc0e85cf9c6cd0df167c85da8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.