Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2024 17:14

General

  • Target

    1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

  • Size

    775KB

  • MD5

    0b486fe0503524cfe4726a4022fa6a68

  • SHA1

    297dea71d489768ce45d23b0f8a45424b469ab00

  • SHA256

    1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

  • SHA512

    f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

  • SSDEEP

    24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\2HNaR_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aEDddcAdBA You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1Zd05pS0JGUWhCVnlLZzhqcHEvYTFHZTBDODZBbVVuemk2RFRjM2F6bGNlUUF6YzBYWHNNL1VmMUFNRVpNMGJHeGpocHl1ZXhVK0dYYUgvcVUwTzlVV0xOZU9kWnM4Y2xWRnhoOHBpM2w4dXlhNzhRMTczMjJpbm4zZkpKMTZkSFl4a2E0N2hnTFNBYkRqM3ptREI2MU9MTHgvNmFQbC9CWXBUdU5iVDZsbUppdEhkNCtEVnpKUnpzTnBZNHprV003b1Zod1JITGhybEQ1V0hUaWdtV1kyajkwWDg5UWQ4ZDB1NTRyaW11b2pvUlFCR2h1UWNxNk1zZ0RFOHBvczFySm5nS09leEIxNXcxVmNzN0I0NGVGLzFqRjhhRGtRQ0NvTGJvV0ZHUDNjVklCQzQ0U2NUQ0txWjhRVVk3eW90dThoRDdBNTBaakVZYWR0aVlyaWJ4RlFDVGMwcytiZ2o2R3BNU2VhWi9QdjlpR0NtSGIxc2ZOUCs3UDZzR1ZMc0VOZnRYNjBOd1pEby9RYk4yQnRuQW5ITmk0Ti9DNHFwMk1kbTRtRVdBaER3d3RnekM1Q3VSVTQyV1BQZzljU1duNUcvMWsySUFDZ0VzNVdUTzExdmVzZzZSN2xqekZua08zUDVIclIwVmNLcVJHaHU2YzBxQkVzS1lYdEFwQlZvVCtlWEdhdC92WCtyNSt3UnhrTjBwN3dCVFBVYThZbkx1cjhqa2puNlpqVng4N3JOTnJtZ1NXdytFV2p5SWVML1YyTFkrcDVyMDE5L1ZnejhvemdlUmtxMHdMWXVvTG5JMmdXdE9BcW1pbXhGSkVYY3RnaWdNWTVhSE1lVThVby9IWnVXa2JWS0ROVTh1WlAwNzR0bUV3enZUVTk0aitlbWhGaHc2dlc2UDc0NTFrZ2FWYUI2Z0hFaDBKWmVrZGRsdlFxeDNVeGk0NDNKcXpnODFUQXRHa3FmUEFzTjVHTTZGVldacVBZSVFSMVdQa1hFN0xqejBlTmtTeXNDc1pvT3p0NDZZUXVHekpHbjFOSWpNNllMTzNsekdWWDNDVFhPR0NRLzIzSi9MaVo3MWUxaHZEakNXZXN6bGJaa1I0S0NJWVhzczRDUi92bDlmT1pRakdhMHVObm1FRWhoK0RtZUtGUUxWRy9pZEwwWEFPakUxczVTQUVwaHI3eXh2bFJydGNjUUhXa2hTM1ZyTTdwWHZ3L2N3V0pHbXp2bHNHT0cxcGhmam9VLzRIb1ptTnVEam90SmUrOURBMlFvSmJ2cGl3UmJSdjZXd3Q1Z2ZFYkNlOGE5V0s4cmJyMzJDcUZobER2WGdLUmJFb1RCQXlzKzhqSlNMNnhJWnhRSFNhbkVnVHMrM3NzMkhFQjRmVXVNSW1DZzRjTnBpeHc0QTQrS2orZUp6dnpMZFBCVmIwQk1qclU5RTNKT2UvZW13Z1JaSGo4L2dRbTV2ZTZESmpPc3NvbXRadG9DNUJ6MzdENW4rMjd2WUsvcEJWWEl6clpOalpPdzFEQVpCRDVhMnpUTm1ZQnlUY0VHQTlHZlJRdzJKd0t5WU1pMWo5RlRpSnJzQ3NTL3lFWmJkSHNWK3ZrRndHYWpCeGJqbEhxdHVJK215ZVFOeTlQQ3RrYStsRFc4Zm5ZdUlpTkV5RVl0YVUwc2hRZnc2SlVGWmtiM1BmVU1Ea0dzQmk0akFKN2pIVVJWQjBTY3d0eEc5dzJnbGcwS3JSTnBKeU9TSkt1UVFMRDQ1cWpLdWFPNzV2YU93eFdwT2o3bnVLRjkwTXNiWEsxaDlyeGRlWjg3dlN2aVFrTDlzQlFJZjBaOEJDeVpWUTYxU0JzY0lSQlVBTnJOSStsQXlyMmRGZ3JqQTQ1eGpWcXI1M0NlTWhLRUZubXZHR1BqME1iM1R6bFNYNmNWT3NFSnV2QzRyYjYxQnFOMUljNjB0TGoxekM3YlZCdFVJRmJqTjlIem9teEJNNTlxdXJIUmhjQ1Z2Q0FyOXl5cExrblk3dldqQnBTVnc0ekVUa3ZUSlJVZkhkb1ZlUmJHUFJCSE1DWTdSbko3Nzl2L2RZV2dxM0lwblp5cFNxOHFUS3J0U3J3a2hiaG5mbHA3ZVZmTzBSRGx1L0huWWtZK0k0YUttOC91bUovV01PREFVd2lDY3llWVNldz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * PtzR7Ys
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\2HNaR_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aEDddcAdBA You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1Zd05pS0JGUWhCVnlLZzhqcHEvYTFHZTBDODZBbVVuemk2RFRjM2F6bGNlUUF6YzBYWHNNL1VmMUFNRVpNMGJHeGpocHl1ZXhVK0dYYUgvcVUwTzlVV0xOZU9kWnM4Y2xWRnhoOHBpM2w4dXlhNzhRMTczMjJpbm4zZkpKMTZkSFl4a2E0N2hnTFNBYkRqM3ptREI2MU9MTHgvNmFQbC9CWXBUdU5iVDZsbUppdEhkNCtEVnpKUnpzTnBZNHprV003b1Zod1JITGhybEQ1V0hUaWdtV1kyajkwWDg5UWQ4ZDB1NTRyaW11b2pvUlFCR2h1UWNxNk1zZ0RFOHBvczFySm5nS09leEIxNXcxVmNzN0I0NGVGLzFqRjhhRGtRQ0NvTGJvV0ZHUDNjVklCQzQ0U2NUQ0txWjhRVVk3eW90dThoRDdBNTBaakVZYWR0aVlyaWJ4RlFDVGMwcytiZ2o2R3BNU2VhWi9QdjlpR0NtSGIxc2ZOUCs3UDZzR1ZMc0VOZnRYNjBOd1pEby9RYk4yQnRuQW5ITmk0Ti9DNHFwMk1kbTRtRVdBaER3d3RnekM1Q3VSVTQyV1BQZzljU1duNUcvMWsySUFDZ0VzNVdUTzExdmVzZzZSN2xqekZua08zUDVIclIwVmNLcVJHaHU2YzBxQkVzS1lYdEFwQlZvVCtlWEdhdC92WCtyNSt3UnhrTjBwN3dCVFBVYThZbkx1cjhqa2puNlpqVng4N3JOTnJtZ1NXdytFV2p5SWVML1YyTFkrcDVyMDE5L1ZnejhvemdlUmtxMHdMWXVvTG5JMmdXdE9BcW1pbXhGSkVYY3RnaWdNWTVhSE1lVThVby9IWnVXa2JWS0ROVTh1WlAwNzR0bUV3enZUVTk0aitlbWhGaHc2dlc2UDc0NTFrZ2FWYUI2Z0hFaDBKWmVrZGRsdlFxeDNVeGk0NDNKcXpnODFUQXRHa3FmUEFzTjVHTTZGVldacVBZSVFSMVdQa1hFN0xqejBlTmtTeXNDc1pvT3p0NDZZUXVHekpHbjFOSWpNNllMTzNsekdWWDNDVFhPR0NRLzIzSi9MaVo3MWUxaHZEakNXZXN6bGJaa1I0S0NJWVhzczRDUi92bDlmT1pRakdhMHVObm1FRWhoK0RtZUtGUUxWRy9pZEwwWEFPakUxczVTQUVwaHI3eXh2bFJydGNjUUhXa2hTM1ZyTTdwWHZ3L2N3V0pHbXp2bHNHT0cxcGhmam9VLzRIb1ptTnVEam90SmUrOURBMlFvSmJ2cGl3UmJSdjZXd3Q1Z2ZFYkNlOGE5V0s4cmJyMzJDcUZobER2WGdLUmJFb1RCQXlzKzhqSlNMNnhJWnhRSFNhbkVnVHMrM3NzMkhFQjRmVXVNSW1DZzRjTnBpeHc0QTQrS2orZUp6dnpMZFBCVmIwQk1qclU5RTNKT2UvZW13Z1JaSGo4L2dRbTV2ZTZESmpPc3NvbXRadG9DNUJ6MzdENW4rMjd2WUsvcEJWWEl6clpOalpPdzFEQVpCRDVhMnpUTm1ZQnlUY0VHQTlHZlJRdzJKd0t5WU1pMWo5RlRpSnJzQ3NTL3lFWmJkSHNWK3ZrRndHYWpCeGJqbEhxdHVJK215ZVFOeTlQQ3RrYStsRFc4Zm5ZdUlpTkV5RVl0YVUwc2hRZnc2SlVGWmtiM1BmVU1Ea0dzQmk0akFKN2pIVVJWQjBTY3d0eEc5dzJnbGcwS3JSTnBKeU9TSkt1UVFMRDQ1cWpLdWFPNzV2YU93eFdwT2o3bnVLRjkwTXNiWEsxaDlyeGRlWjg3dlN2aVFrTDlzQlFJZjBaOEJDeVpWUTYxU0JzY0lSQlVBTnJOSStsQXlyMmRGZ3JqQTQ1eGpWcXI1M0NlTWhLRUZubXZHR1BqME1iM1R6bFNYNmNWT3NFSnV2QzRyYjYxQnFOMUljNjB0TGoxekM3YlZCdFVJRmJqTjlIem9teEJNNTlxdXJIUmhjQ1Z2Q0FyOXl5cExrblk3dldqQnBTVnc0ekVUa3ZUSlJVZkhkb1ZlUmJHUFJCSE1DWTdSbko3Nzl2L2RZV2dxM0lwblp5cFNxOHFUS3J0U3J3a2hiaG5mbHA3ZVZmTzBSRGx1L0huWWtZK0k0YUttOC91bUovV01PREFVd2lDY3llWVNldz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * l16o7Ys
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (132) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
    "C:\Users\Admin\AppData\Local\Temp\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1692
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3152
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2772
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:576
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:4532
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:3416
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:3184
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1456
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4908

    Network

    • flag-us
      DNS
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      72.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      72.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.135.221.88.in-addr.arpa
      IN PTR
      Response
      217.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-217deploystaticakamaitechnologiescom
    • flag-us
      DNS
      2.0.127.10.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.0.127.10.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.143.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.143.123.92.in-addr.arpa
      IN PTR
      Response
      240.143.123.92.in-addr.arpa
      IN PTR
      a92-123-143-240deploystaticakamaitechnologiescom
    • flag-us
      DNS
      3.0.127.10.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      3.0.127.10.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301217_1LGEUWZHPMKMEMITB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317301217_1LGEUWZHPMKMEMITB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 658519
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0326C66E1E8B4569A58E3D1C7EA6AA25 Ref B: LON04EDGE0614 Ref C: 2024-07-24T17:16:30Z
      date: Wed, 24 Jul 2024 17:16:29 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388098_106XX0NZPAHGUY7Q1&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388098_106XX0NZPAHGUY7Q1&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 830618
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E6A7D3A21F50482494573C547BB9CB35 Ref B: LON04EDGE0614 Ref C: 2024-07-24T17:16:30Z
      date: Wed, 24 Jul 2024 17:16:29 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 580155
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 3840C3F8295D47A8ADD8D1611B4820CB Ref B: LON04EDGE0614 Ref C: 2024-07-24T17:16:30Z
      date: Wed, 24 Jul 2024 17:16:29 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 527355
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 29B0198EB5B142FB928836812F11FC4F Ref B: LON04EDGE0614 Ref C: 2024-07-24T17:16:30Z
      date: Wed, 24 Jul 2024 17:16:29 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388097_1IIZAECWS2U02B4A4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388097_1IIZAECWS2U02B4A4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 719294
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 9A5B211E4E2A4C95B13DB0EC1C1E1FEC Ref B: LON04EDGE0614 Ref C: 2024-07-24T17:16:30Z
      date: Wed, 24 Jul 2024 17:16:29 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 540101
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: B47DC6543D7D459B9E9688D0E2DFD2BA Ref B: LON04EDGE0614 Ref C: 2024-07-24T17:16:30Z
      date: Wed, 24 Jul 2024 17:16:30 GMT
    • flag-us
      DNS
      10.27.171.150.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.27.171.150.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      4.0.127.10.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      4.0.127.10.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      5.0.127.10.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      5.0.127.10.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      7.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      7.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 10.127.0.1:445
      260 B
      5
    • 10.127.0.1:139
      260 B
      5
    • 10.127.0.2:445
      260 B
      5
    • 10.127.0.2:139
      260 B
      5
    • 10.127.0.3:445
      260 B
      5
    • 10.127.0.3:139
      260 B
      5
    • 10.127.0.4:445
      260 B
      5
    • 10.127.0.4:139
      260 B
      5
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.8kB
      15
      12
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.27.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      138.3kB
      4.0MB
      2898
      2894

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301217_1LGEUWZHPMKMEMITB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388098_106XX0NZPAHGUY7Q1&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388097_1IIZAECWS2U02B4A4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301626_12UQHHQXE25HHMLCY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 10.127.0.5:445
      260 B
      5
    • 10.127.0.5:139
      260 B
      5
    • 10.127.0.6:445
      208 B
      4
    • 10.127.0.6:139
      208 B
      4
    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      146 B
      147 B
      2
      1

      DNS Request

      149.220.183.52.in-addr.arpa

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      72.32.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      72.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      217.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      217.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      2.0.127.10.in-addr.arpa
      dns
      69 B
      69 B
      1
      1

      DNS Request

      2.0.127.10.in-addr.arpa

    • 8.8.8.8:53
      240.143.123.92.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      240.143.123.92.in-addr.arpa

    • 8.8.8.8:53
      3.0.127.10.in-addr.arpa
      dns
      69 B
      69 B
      1
      1

      DNS Request

      3.0.127.10.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      170 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      10.27.171.150.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      10.27.171.150.in-addr.arpa

    • 8.8.8.8:53
      4.0.127.10.in-addr.arpa
      dns
      69 B
      69 B
      1
      1

      DNS Request

      4.0.127.10.in-addr.arpa

    • 8.8.8.8:53
      5.0.127.10.in-addr.arpa
      dns
      69 B
      69 B
      1
      1

      DNS Request

      5.0.127.10.in-addr.arpa

    • 8.8.8.8:53
      7.173.189.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      7.173.189.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

      Filesize

      775KB

      MD5

      0b486fe0503524cfe4726a4022fa6a68

      SHA1

      297dea71d489768ce45d23b0f8a45424b469ab00

      SHA256

      1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

      SHA512

      f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

    • C:\Users\Admin\Desktop\2HNaR_readme_.txt

      Filesize

      3KB

      MD5

      687a5c6a8b7c443152297e35450eafc0

      SHA1

      f409eeae37c40a9106c051ed949070c0a27d85a0

      SHA256

      2ca5b4c8c250215276adbb6c6b4b8fa5f96804ade7d4f5bc74e68169ee30c80b

      SHA512

      deed6a4dd7b3da87e61d44cc8e0a15d9457e1bf4034d09799afef62b9237769749a2a09c552c8dec309d86224e27b791f8c47f97a8eeba7adeadd0f1cdad8d33

    • C:\Users\Admin\Documents\2HNaR_readme_.txt

      Filesize

      3KB

      MD5

      ce0fce2bd0f39be2aecd0e061de52086

      SHA1

      cc0ca385fc1cbcfccf891b3c88181da0ced108b7

      SHA256

      e724c3a282dd966abd8c8fc3d08e283ca10addeb544d221c3797c7bdfd51a605

      SHA512

      8fd99e047bb5748a750c6a5286945441b6b1a951c104d64a8870007651660a9a747d04b2044869196282910dc6fcac502a78d6a99f6540d06520e4a40e0513e6

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.