Analysis

  • max time kernel
    138s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-08-2024 18:37

General

  • Target

    0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521.exe

  • Size

    247KB

  • MD5

    851269fc86de5d91e5f2db1b2b34cb6e

  • SHA1

    6103dab45c98bddef65b6eed235a60159d458526

  • SHA256

    0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521

  • SHA512

    c01c7d2ec52d55ece6f88eeb9c5ecf260ef9b59fd3f08ad42e4ed582b24bd482fcfd334375177b032564f567af6d195f7627249abe1e428f52f6c2806783acfc

  • SSDEEP

    6144:/bwmPMVWrVbVPwF9kfK8rpClz0KBb6o589GHWHWujiSPbp:/bw8n5gBuj/PV

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

zedtklncvg

Attributes
  • delay

    1

  • install

    true

  • install_file

    update.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/f2T8NYnM

aes.plain
1
x4oGkJpeWREYzOWoViETXvuZNe0pe9Gi

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521.exe
    "C:\Users\Admin\AppData\Local\Temp\0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5032
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC237.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3840
      • C:\Users\Admin\AppData\Roaming\update.exe
        "C:\Users\Admin\AppData\Roaming\update.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2964

Network

  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    pastebin.com
    update.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.4.235
    pastebin.com
    IN A
    172.67.19.24
    pastebin.com
    IN A
    104.20.3.235
  • flag-us
    DNS
    pastebin.com
    update.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
  • flag-us
    DNS
    pastebin.com
    update.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
  • flag-us
    DNS
    pastebin.com
    update.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:37:49 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 5
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b330ef24cf0948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:38:13 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 29
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b330f858fa3948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:38:22 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 38
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b330fc12de3948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:38:35 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 51
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b331011a819948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:38:55 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 71
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b33108f680e948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:39:07 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 83
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b3310d4fd0c948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:39:12 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 88
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b3310f6dafa948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:39:17 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 93
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b331118cdbc948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:39:23 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 99
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b33113dca4d948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:39:36 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 112
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b33118e5b8f948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:39:43 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 119
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b3311b84a42948a-LHR
  • flag-us
    GET
    https://pastebin.com/raw/f2T8NYnM
    update.exe
    Remote address:
    104.20.4.235:443
    Request
    GET /raw/f2T8NYnM HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Wed, 14 Aug 2024 18:39:49 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 125
    Last-Modified: Wed, 14 Aug 2024 18:37:44 GMT
    Server: cloudflare
    CF-RAY: 8b3311dce9ae948a-LHR
  • flag-us
    DNS
    235.4.20.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.4.20.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    235.4.20.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.4.20.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    update.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    3.124.67.191
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    update.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418548_1UEU8RPM3S7H7G0D8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418548_1UEU8RPM3S7H7G0D8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 458468
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AA2FEAEA7F8B434A999528346087A0EB Ref B: LON04EDGE1019 Ref C: 2024-08-14T18:38:22Z
    date: Wed, 14 Aug 2024 18:38:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301551_1UO3JMUZBU5945BZN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301551_1UO3JMUZBU5945BZN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 482418
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 85490A11605142A58047AA236848D486 Ref B: LON04EDGE1019 Ref C: 2024-08-14T18:38:22Z
    date: Wed, 14 Aug 2024 18:38:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418547_1N5DXBL93QHFGMSRD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418547_1N5DXBL93QHFGMSRD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 509035
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8699E95C21C54A4585BE8F547877F24F Ref B: LON04EDGE1019 Ref C: 2024-08-14T18:38:22Z
    date: Wed, 14 Aug 2024 18:38:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 554838
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2EEF0CE024494AC08976795385ED0102 Ref B: LON04EDGE1019 Ref C: 2024-08-14T18:38:22Z
    date: Wed, 14 Aug 2024 18:38:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301142_11TUY2FDIIUV7WQCS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301142_11TUY2FDIIUV7WQCS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 747785
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0942D7FAEE414C2EBB0E0F08AB0D22D2 Ref B: LON04EDGE1019 Ref C: 2024-08-14T18:38:22Z
    date: Wed, 14 Aug 2024 18:38:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    147.142.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    147.142.123.92.in-addr.arpa
    IN PTR
    Response
    147.142.123.92.in-addr.arpa
    IN PTR
    a92-123-142-147.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    update.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    3.125.188.168
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    update.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    update.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
  • 104.20.4.235:443
    https://pastebin.com/raw/f2T8NYnM
    tls, http
    update.exe
    4.1kB
    12.4kB
    47
    35

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200

    HTTP Request

    GET https://pastebin.com/raw/f2T8NYnM

    HTTP Response

    200
  • 3.124.67.191:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    80 B
    5
    2
  • 3.124.67.191:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    160 B
    5
    4
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    93.0kB
    2.7MB
    1936
    1937

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418548_1UEU8RPM3S7H7G0D8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301551_1UO3JMUZBU5945BZN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418547_1N5DXBL93QHFGMSRD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301142_11TUY2FDIIUV7WQCS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
    6.9kB
    14
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    7.4kB
    17
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
    6.9kB
    14
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
    6.9kB
    14
    13
  • 3.124.67.191:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    160 B
    5
    4
  • 3.124.67.191:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    160 B
    5
    4
  • 3.125.188.168:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    160 B
    5
    4
  • 3.125.188.168:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    200 B
    5
    5
  • 3.125.188.168:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    200 B
    5
    5
  • 3.125.188.168:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    200 B
    5
    5
  • 3.125.188.168:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    160 B
    5
    4
  • 3.125.188.168:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    200 B
    5
    5
  • 3.125.188.168:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    160 B
    5
    4
  • 3.125.188.168:18957
    7.tcp.eu.ngrok.io
    update.exe
    260 B
    120 B
    5
    3
  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    4.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    4.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    pastebin.com
    dns
    update.exe
    232 B
    106 B
    4
    1

    DNS Request

    pastebin.com

    DNS Request

    pastebin.com

    DNS Request

    pastebin.com

    DNS Request

    pastebin.com

    DNS Response

    104.20.4.235
    172.67.19.24
    104.20.3.235

  • 8.8.8.8:53
    235.4.20.104.in-addr.arpa
    dns
    142 B
    133 B
    2
    1

    DNS Request

    235.4.20.104.in-addr.arpa

    DNS Request

    235.4.20.104.in-addr.arpa

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    update.exe
    126 B
    79 B
    2
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    3.124.67.191

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    216 B
    146 B
    3
    1

    DNS Request

    26.165.165.52.in-addr.arpa

    DNS Request

    26.165.165.52.in-addr.arpa

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    10.28.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.28.171.150.in-addr.arpa

  • 8.8.8.8:53
    147.142.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    147.142.123.92.in-addr.arpa

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    update.exe
    189 B
    79 B
    3
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    3.125.188.168

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    19.229.111.52.in-addr.arpa

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC237.tmp.bat

    Filesize

    150B

    MD5

    54d83af960599434f88dbb887aec7c4e

    SHA1

    ce0696c1fe57b4b74693d32df83a86570ebaa7e6

    SHA256

    15f62ec22ff884b5a3c9873b39208dcbd555ed1adf4d5e4acea75ce9dc240017

    SHA512

    eaa4060c25cbd25c8e9450bb7164b40d9015322b0d61ca354c852d27e1389948ee3a0ec578611107ef7f71e665353591de0f020d3f03b16015a3b447f82e5760

  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

    Filesize

    8B

    MD5

    cf759e4c5f14fe3eec41b87ed756cea8

    SHA1

    c27c796bb3c2fac929359563676f4ba1ffada1f5

    SHA256

    c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

    SHA512

    c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

  • C:\Users\Admin\AppData\Roaming\update.exe

    Filesize

    247KB

    MD5

    851269fc86de5d91e5f2db1b2b34cb6e

    SHA1

    6103dab45c98bddef65b6eed235a60159d458526

    SHA256

    0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521

    SHA512

    c01c7d2ec52d55ece6f88eeb9c5ecf260ef9b59fd3f08ad42e4ed582b24bd482fcfd334375177b032564f567af6d195f7627249abe1e428f52f6c2806783acfc

  • memory/1536-0-0x0000000000F00000-0x0000000000F44000-memory.dmp

    Filesize

    272KB

  • memory/1536-1-0x00007FF8D3F43000-0x00007FF8D3F45000-memory.dmp

    Filesize

    8KB

  • memory/1536-3-0x00007FF8D3F40000-0x00007FF8D4A01000-memory.dmp

    Filesize

    10.8MB

  • memory/1536-8-0x00007FF8D3F40000-0x00007FF8D4A01000-memory.dmp

    Filesize

    10.8MB

  • memory/1536-9-0x00007FF8D3F40000-0x00007FF8D4A01000-memory.dmp

    Filesize

    10.8MB
