Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-10-2024 09:51

General

  • Target

    e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe

  • Size

    1.5MB

  • MD5

    6041d81a9d6a5d39ebe4f5d86e14eb50

  • SHA1

    3e09e72cd202daa03e1c06172ebeab9b0657429a

  • SHA256

    e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090

  • SHA512

    b5d2aa718639d181e2c49b1dab66df5581bf03d6c0ecba490eca95637a3f6ec26f69ecbb5a0f9b2de298fb573285ec8c83988999472b77fb6d99ac50f0674637

  • SSDEEP

    24576:oAHnh+eWsN3skA4RV1Hom2KXMmHaTgvrclOo3bksnkKxgDS2d5G:vh+ZkldoPK8YaTwKeDSwG

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

megida.hopto.org:8822

Mutex

6b8bf536-118c-4c9a-96fa-55d12fbaaa52

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2019-02-11T09:59:21.529353836Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    8822

  • default_group

    BestInfo

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    6b8bf536-118c-4c9a-96fa-55d12fbaaa52

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    megida.hopto.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Drops startup file 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe
    "C:\Users\Admin\AppData\Local\Temp\e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "PCI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6D9A.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3532

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=0E4260D5979E6C5A250F75C896AF6D07; domain=.bing.com; expires=Thu, 13-Nov-2025 09:52:03 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BBF627A9BD4D4DD0AFF045FC4B2A5B77 Ref B: LON601060102023 Ref C: 2024-10-19T09:52:03Z
    date: Sat, 19 Oct 2024 09:52:02 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0E4260D5979E6C5A250F75C896AF6D07
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=ikxiNdildpHO0gcBWRUoqeLBWP_aeDTyL22foC3WAEI; domain=.bing.com; expires=Thu, 13-Nov-2025 09:52:03 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 22CA84EC530A45289D0E577AA840720F Ref B: LON601060102023 Ref C: 2024-10-19T09:52:03Z
    date: Sat, 19 Oct 2024 09:52:02 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0E4260D5979E6C5A250F75C896AF6D07; MSPTC=ikxiNdildpHO0gcBWRUoqeLBWP_aeDTyL22foC3WAEI
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0DB64381E63E47EA9092A0D840FE60BD Ref B: LON601060102023 Ref C: 2024-10-19T09:52:03Z
    date: Sat, 19 Oct 2024 09:52:02 GMT
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98deploystaticakamaitechnologiescom
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 688331
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 34239B6D9DC040C7AC2184A3678CF81A Ref B: LON601060103054 Ref C: 2024-10-19T09:53:37Z
    date: Sat, 19 Oct 2024 09:53:37 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 644823
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 580DDB8C4C9244E1AC16C173D43CE1D2 Ref B: LON601060103054 Ref C: 2024-10-19T09:53:37Z
    date: Sat, 19 Oct 2024 09:53:37 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 482857
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AEEAC6B9383949F3B61A3CCE03C42C8A Ref B: LON601060103054 Ref C: 2024-10-19T09:53:37Z
    date: Sat, 19 Oct 2024 09:53:37 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 457707
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C982848FD15F4412A8C16346E22E960A Ref B: LON601060103054 Ref C: 2024-10-19T09:53:37Z
    date: Sat, 19 Oct 2024 09:53:37 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 442929
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BCE8D823E9A741BDAE83FF209773FE2D Ref B: LON601060103054 Ref C: 2024-10-19T09:53:37Z
    date: Sat, 19 Oct 2024 09:53:37 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 488443
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EB1105062BEE48508305A2B357B61BE8 Ref B: LON601060103054 Ref C: 2024-10-19T09:53:42Z
    date: Sat, 19 Oct 2024 09:53:42 GMT
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
  • flag-us
    DNS
    megida.hopto.org
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    megida.hopto.org
    IN A
    Response
    megida.hopto.org
    IN A
    0.0.0.0
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=

    HTTP Response

    204
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    7.3kB
    16
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    7.3kB
    16
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    7.3kB
    16
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    7.3kB
    16
    13
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    114.2kB
    3.3MB
    2441
    2436

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    186 B
    78 B
    3
    1

    DNS Request

    megida.hopto.org

    DNS Request

    megida.hopto.org

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    124 B
    78 B
    2
    1

    DNS Request

    megida.hopto.org

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    10.28.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.28.171.150.in-addr.arpa

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    124 B
    78 B
    2
    1

    DNS Request

    megida.hopto.org

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    megida.hopto.org
    dns
    RegAsm.exe
    62 B
    78 B
    1
    1

    DNS Request

    megida.hopto.org

    DNS Response

    0.0.0.0

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6D9A.tmp

    Filesize

    1KB

    MD5

    c6f0625bf4c1cdfb699980c9243d3b22

    SHA1

    43de1fe580576935516327f17b5da0c656c72851

    SHA256

    8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

    SHA512

    9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

  • memory/3444-0-0x0000000004E10000-0x0000000004E11000-memory.dmp

    Filesize

    4KB

  • memory/3480-2-0x0000000000700000-0x0000000000738000-memory.dmp

    Filesize

    224KB

  • memory/3480-6-0x00000000735E2000-0x00000000735E3000-memory.dmp

    Filesize

    4KB

  • memory/3480-7-0x00000000735E0000-0x0000000073B91000-memory.dmp

    Filesize

    5.7MB

  • memory/3480-8-0x00000000735E0000-0x0000000073B91000-memory.dmp

    Filesize

    5.7MB

  • memory/3480-17-0x00000000735E2000-0x00000000735E3000-memory.dmp

    Filesize

    4KB

  • memory/3480-18-0x00000000735E0000-0x0000000073B91000-memory.dmp

    Filesize

    5.7MB

  • memory/3480-19-0x00000000735E0000-0x0000000073B91000-memory.dmp

    Filesize

    5.7MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.