d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 02:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
Size

1.1MB
MD5

8e651777e0bc60e6ac0c50482ff7e4fa
SHA1

a0cb7b8577d95ddd1a520804109674d3fab696a0
SHA256

d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c
SHA512

d125e9903d65199cebaa7efe61159f1aeaf329baeb6395638556b3bd68577817677d4067d3da097d4ddc51789fe437a67838e4fe2f5d6d664ece5535d43ccb0d
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qe:CcaClSFlG4ZM7QzMV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4772	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4772	svchcst.exe
2924	svchcst.exe
4780	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
4772	svchcst.exe
4772	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 3896	3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe	87
PID 3592 wrote to memory of 3896	3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe	87
PID 3592 wrote to memory of 3896	3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe	87
PID 3592 wrote to memory of 984	3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe	88
PID 3592 wrote to memory of 984	3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe	88
PID 3592 wrote to memory of 984	3592	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe	88
PID 3896 wrote to memory of 4772	3896	WScript.exe	95
PID 3896 wrote to memory of 4772	3896	WScript.exe	95
PID 3896 wrote to memory of 4772	3896	WScript.exe	95
PID 4772 wrote to memory of 3872	4772	svchcst.exe	96
PID 4772 wrote to memory of 3872	4772	svchcst.exe	96
PID 4772 wrote to memory of 3872	4772	svchcst.exe	96
PID 4772 wrote to memory of 1744	4772	svchcst.exe	97
PID 4772 wrote to memory of 1744	4772	svchcst.exe	97
PID 4772 wrote to memory of 1744	4772	svchcst.exe	97
PID 1744 wrote to memory of 2924	1744	WScript.exe	100
PID 1744 wrote to memory of 2924	1744	WScript.exe	100
PID 1744 wrote to memory of 2924	1744	WScript.exe	100
PID 3872 wrote to memory of 4780	3872	WScript.exe	101
PID 3872 wrote to memory of 4780	3872	WScript.exe	101
PID 3872 wrote to memory of 4780	3872	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
"C:\Users\Admin\AppData\Local\Temp\d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4780
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:984

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 495209
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DB974CCE96934BD9867BAB82384C45CE Ref B: LON04EDGE0718 Ref C: 2024-07-22T02:49:10Z
date: Mon, 22 Jul 2024 02:49:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 944920
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8E27C4F8F6BC460C9D5C9AD606B04C66 Ref B: LON04EDGE0718 Ref C: 2024-07-22T02:49:10Z
date: Mon, 22 Jul 2024 02:49:10 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2DB03773387969111DA723B7395E68EB; domain=.bing.com; expires=Sat, 16-Aug-2025 02:49:10 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A66ABCCD6F0D4E04BE6CB00AFFB99AF0 Ref B: LON04EDGE0715 Ref C: 2024-07-22T02:49:10Z
date: Mon, 22 Jul 2024 02:49:10 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2DB03773387969111DA723B7395E68EB

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=h__apRNpfY-UmZTtJw8tWB0hVs_Rtvn8zZRDkvWwk4k; domain=.bing.com; expires=Sat, 16-Aug-2025 02:49:10 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A9BB43D8BBD644978028BC98A24E6E16 Ref B: LON04EDGE0715 Ref C: 2024-07-22T02:49:10Z
date: Mon, 22 Jul 2024 02:49:10 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2DB03773387969111DA723B7395E68EB; MSPTC=h__apRNpfY-UmZTtJw8tWB0hVs_Rtvn8zZRDkvWwk4k

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 10D4A7BCD33D45BCAF6C0E546FE04B67 Ref B: LON04EDGE0715 Ref C: 2024-07-22T02:49:10Z
date: Mon, 22 Jul 2024 02:49:10 GMT
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301469_1CI9E0AG3RDYG5DMG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301469_1CI9E0AG3RDYG5DMG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 325315
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 430494909D2D4F8EB8815CB2295EAEB6 Ref B: LON04EDGE0910 Ref C: 2024-07-22T02:50:45Z
date: Mon, 22 Jul 2024 02:50:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301036_1G9CB801VBJIYBSI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301036_1G9CB801VBJIYBSI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 570218
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 41841CC348FC46F2BEBD70706D5CDBFB Ref B: LON04EDGE0910 Ref C: 2024-07-22T02:50:45Z
date: Mon, 22 Jul 2024 02:50:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 347802
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 018201CA2E7E4866BADA426ED0B1C9F1 Ref B: LON04EDGE0910 Ref C: 2024-07-22T02:50:45Z
date: Mon, 22 Jul 2024 02:50:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388094_13CVUFFEVHOS666S0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388094_13CVUFFEVHOS666S0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 443603
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 05B0F316C7F644D5AE5B574BB04A116C Ref B: LON04EDGE0910 Ref C: 2024-07-22T02:50:45Z
date: Mon, 22 Jul 2024 02:50:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388093_1MGPNJH4UKSBANRNK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388093_1MGPNJH4UKSBANRNK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 561325
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 89967FCEFDF64A568AA6B026D7DAB470 Ref B: LON04EDGE0910 Ref C: 2024-07-22T02:50:45Z
date: Mon, 22 Jul 2024 02:50:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 473521
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6145628CC17A40649443242040C7BDBF Ref B: LON04EDGE0910 Ref C: 2024-07-22T02:50:45Z
date: Mon, 22 Jul 2024 02:50:45 GMT
DNS

209.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.143.182.52.in-addr.arpa

IN PTR

Response

150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

53.3kB
1.5MB
1097
1093

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

tls, http2

2.0kB
9.3kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

HTTP Response

204
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

98.8kB
2.8MB
2060
2056

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301469_1CI9E0AG3RDYG5DMG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301036_1G9CB801VBJIYBSI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388094_13CVUFFEVHOS666S0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388093_1MGPNJH4UKSBANRNK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

209.143.182.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

209.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
215cc4e126dc8b2b199d791c1bed45ef

SHA1
d9f60623562cc8e56fe2daead6b0148d76ff5702

SHA256
9fb7c865c8d19712eaf6d7717867f94d06406b12d0e690230285e39ecd52d8a2

SHA512
b4c5335e7c7387bc38b767079c254508bc3561c4d00530cc42ecfad001a3f24aaf3cee983624df3f472303b2d743663c7c569d35e8c714cefa9b024f032495be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
090737c9d0f7693741f7644d2772f181

SHA1
90b920e8e8b000c3a590b5f01379f5071e8d1e2b

SHA256
864b31878d39a0955fd40899e18f48851858e420cfaf59c8151497e2c02e6c7b

SHA512
7bc89bace6feaa5de0cc36c153aef0163b96a2c9841a86a5f910029a08dec58651f75c0a6550155eb39b4ac6c637f4deabc61dab53f626a4a99c51e5409358f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c0d26b212bb2d235f911425860c2a202

SHA1
0b7c02594103436025ef0c933ac50b93eed83bc5

SHA256
14935d6391e2f4c1072df4b981afd14a4b9b81619f6d7dff056ce87ec6a961c4

SHA512
8aefa6dd8e5669c850e53b62a4d663571630b19b6a35a303c27cf009781e674a525abee411dfd7a7c023cccff039db459383834736d07a26d14658b29450a9b0

Download Submit
memory/3592-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.