Analysis

max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-10-2024 09:51

Static task: static1
Behavioral task: behavioral1
  Sample: e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe
  Resource: win7-20240903-en
General

Target: e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe
Size: 1.5MB
MD5: 6041d81a9d6a5d39ebe4f5d86e14eb50
SHA1: 3e09e72cd202daa03e1c06172ebeab9b0657429a
SHA256: e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090
SHA512: b5d2aa718639d181e2c49b1dab66df5581bf03d6c0ecba490eca95637a3f6ec26f69ecbb5a0f9b2de298fb573285ec8c83988999472b77fb6d99ac50f0674637
SSDEEP: 24576:oAHnh+eWsN3skA4RV1Hom2KXMmHaTgvrclOo3bksnkKxgDS2d5G:vh+ZkldoPK8YaTwKeDSwG
Malware Config

Extracted
  family: nanocore
  version: 1.2.2.0
  C2: megida.hopto.org:8822
  mutex: 6b8bf536-118c-4c9a-96fa-55d12fbaaa52

  activate_away_mode: true
  backup_connection_host: (empty)
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2019-02-11T09:59:21.529353836Z
  bypass_user_account_control: false
  bypass_user_account_control_data: (not reproduced)
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 8822
  default_group: BestInfo
  enable_debug_mode: true
  gc_threshold: 1.048576e+07 (10485760)
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07 (10485760)
  mutex: 6b8bf536-118c-4c9a-96fa-55d12fbaaa52
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: megida.hopto.org
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: true
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AzSqlExt.url  (process: e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe)

Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: RegAsm.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 3444 (e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe) set thread context of PID 3480 (RegAsm.exe)  (procid_target 98)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: RegAsm.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: schtasks.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3532 schtasks.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 3444 e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe  (4 times)
  PID 3480 RegAsm.exe  (3 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3480 RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 3480 RegAsm.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 3444 e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe  (3 times)

Suspicious use of SendNotifyMessage (3 IoCs)
  PID 3444 e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe  (3 times)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3444 (e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe) wrote to memory of PID 3480 (RegAsm.exe)  (procid_target 98, 5 times)
  PID 3480 (RegAsm.exe) wrote to memory of PID 3532 (schtasks.exe)  (procid_target 99, 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe   PID 3444
   command line: "C:\Users\Admin\AppData\Local\Temp\e6e5e2e51946431f4bc226f09366679cd5ca602cc17649929e05d2ec746b9090N.exe"
   - Drops startup file
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe   PID 3480  (child of 3444)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Checks whether UAC is enabled
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe   PID 3532  (child of 3480)
         command line: "schtasks.exe" /create /f /tn "PCI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6D9A.tmp"
         - System Location Discovery: System Language Discovery
         - Scheduled Task/Job: Scheduled Task
Network

DNS (all queries to 8.8.8.8:53, in the order observed; "empty response" = the resolver answered with no records, "no response" = no answer was recorded)

  PTR 8.8.8.8.in-addr.arpa -> dns.google
  A   g.bing.com -> CNAME g-bing-com.ax-0001.ax-msedge.net -> CNAME ax-0001.ax-msedge.net -> A 150.171.27.10, 150.171.28.10
      (followed by the three HTTPS requests to g.bing.com listed below)
  PTR 28.118.140.52.in-addr.arpa -> empty response
  PTR 83.210.23.2.in-addr.arpa -> a2-23-210-83.deploy.static.akamaitechnologies.com
  PTR 74.32.126.40.in-addr.arpa -> empty response
  PTR 95.221.229.192.in-addr.arpa -> empty response
  PTR 104.219.191.52.in-addr.arpa -> empty response
  PTR 154.239.44.20.in-addr.arpa -> empty response
  PTR 200.163.202.172.in-addr.arpa -> empty response
  PTR 206.23.85.13.in-addr.arpa -> empty response
  PTR 98.117.19.2.in-addr.arpa -> a2-19-117-98.deploy.static.akamaitechnologies.com
  A   megida.hopto.org -> 0.0.0.0   (3 queries)
  PTR 172.214.232.199.in-addr.arpa -> empty response
  PTR 88.156.103.20.in-addr.arpa -> empty response
  A   megida.hopto.org -> 0.0.0.0   (4 queries)
  A   megida.hopto.org -> no response   (2 queries)
  A   megida.hopto.org -> 0.0.0.0   (3 queries)
  A   megida.hopto.org -> no response   (1 query)
  PTR 29.243.111.52.in-addr.arpa -> empty response
  A   tse1.mm.bing.net -> CNAME mm-mm.bing.net.trafficmanager.net -> CNAME ax-0001.ax-msedge.net -> A 150.171.28.10, 150.171.27.10
      (followed by the six HTTPS requests to tse1.mm.bing.net listed below)
  A   megida.hopto.org -> 0.0.0.0   (1 query)
  PTR 10.28.171.150.in-addr.arpa -> empty response
  A   megida.hopto.org -> 0.0.0.0   (4 queries)
  A   megida.hopto.org -> no response   (1 query)
  A   megida.hopto.org -> 0.0.0.0   (1 query)

HTTPS to 150.171.27.10:443 (g.bing.com), HTTP/2

  Request 1
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  Response 1: HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=0E4260D5979E6C5A250F75C896AF6D07; domain=.bing.com; expires=Thu, 13-Nov-2025 09:52:03 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BBF627A9BD4D4DD0AFF045FC4B2A5B77 Ref B: LON601060102023 Ref C: 2024-10-19T09:52:03Z
    date: Sat, 19 Oct 2024 09:52:02 GMT

  Request 2: as request 1 but with action=emptycreative, plus the header cookie: MUID=0E4260D5979E6C5A250F75C896AF6D07
  Response 2: HTTP/2.0 204, same headers as response 1 except
    set-cookie: MSPTC=ikxiNdildpHO0gcBWRUoqeLBWP_aeDTyL22foC3WAEI; domain=.bing.com; expires=Thu, 13-Nov-2025 09:52:03 GMT; path=/; Partitioned; secure; SameSite=None
    x-msedge-ref: Ref A: 22CA84EC530A45289D0E577AA840720F Ref B: LON601060102023 Ref C: 2024-10-19T09:52:03Z

  Request 3: as request 1 (action=emptycreativeimpression), plus the header cookie: MUID=0E4260D5979E6C5A250F75C896AF6D07; MSPTC=ikxiNdildpHO0gcBWRUoqeLBWP_aeDTyL22foC3WAEI
  Response 3: HTTP/2.0 204, same headers as response 1 except that no set-cookie is returned and
    x-msedge-ref: Ref A: 0DB64381E63E47EA9092A0D840FE60BD Ref B: LON601060102023 Ref C: 2024-10-19T09:52:03Z

HTTPS to 150.171.28.10:443 (tse1.mm.bing.net), HTTP/2, six image fetches

  Request headers common to all six:
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  Response headers common to all six (every response is HTTP/2.0 200):
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref B: LON601060103054 (Ref A and Ref C per request below; the date header carries the same time as Ref C)

  #  GET path (HTTP/2.0)                                                                                                        content-length  Ref A                             Ref C
  1  /th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90     688331          34239B6D9DC040C7AC2184A3678CF81A  2024-10-19T09:53:37Z
  2  /th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90     644823          580DDB8C4C9244E1AC16C173D43CE1D2  2024-10-19T09:53:37Z
  3  /th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90                                  482857          AEEAC6B9383949F3B61A3CCE03C42C8A  2024-10-19T09:53:37Z
  4  /th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90     457707          C982848FD15F4412A8C16346E22E960A  2024-10-19T09:53:37Z
  5  /th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90                                  442929          BCE8D823E9A741BDAE83FF209773FE2D  2024-10-19T09:53:37Z
  6  /th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90                                  488443          EB1105062BEE48508305A2B357B61BE8  2024-10-19T09:53:42Z
Flows (destination, protocol, bytes sent / received, packets sent / received)

  150.171.27.10:443   tls, http2   2.0kB / 9.3kB   21 / 18
    HTTP request  GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=   -> HTTP response 204
    HTTP request  GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=   -> HTTP response 204
    HTTP request  GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=78c214b801b74695bb07319411bfdea2&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=   -> HTTP response 204
  (destination not shown)   1.2kB / 7.3kB   16 / 13
  (destination not shown)   1.2kB / 7.3kB   16 / 13
  (destination not shown)   1.2kB / 7.3kB   16 / 13
  (destination not shown)   1.2kB / 7.3kB   16 / 13
  150.171.28.10:443   tls, http2   114.2kB / 3.3MB   2441 / 2436
    HTTP request  GET https://tse1.mm.bing.net/th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    HTTP request  GET https://tse1.mm.bing.net/th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    HTTP request  GET https://tse1.mm.bing.net/th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    HTTP request  GET https://tse1.mm.bing.net/th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    HTTP request  GET https://tse1.mm.bing.net/th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    HTTP request  GET https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    six HTTP responses 200 (responses interleaved with the requests on the multiplexed HTTP/2 connection)

  8.8.8.8:53 (DNS), one flow per line
    66 B / 90 B     1 / 1   PTR 8.8.8.8.in-addr.arpa
    56 B / 148 B    1 / 1   A g.bing.com -> 150.171.27.10, 150.171.28.10
    72 B / 158 B    1 / 1   PTR 28.118.140.52.in-addr.arpa
    70 B / 133 B    1 / 1   PTR 83.210.23.2.in-addr.arpa
    71 B / 157 B    1 / 1   PTR 74.32.126.40.in-addr.arpa
    73 B / 144 B    1 / 1   PTR 95.221.229.192.in-addr.arpa
    73 B / 147 B    1 / 1   PTR 104.219.191.52.in-addr.arpa
    72 B / 158 B    1 / 1   PTR 154.239.44.20.in-addr.arpa
    74 B / 160 B    1 / 1   PTR 200.163.202.172.in-addr.arpa
    71 B / 145 B    1 / 1   PTR 206.23.85.13.in-addr.arpa
    70 B / 133 B    1 / 1   PTR 98.117.19.2.in-addr.arpa
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    74 B / 128 B    1 / 1   PTR 172.214.232.199.in-addr.arpa
    72 B / 158 B    1 / 1   PTR 88.156.103.20.in-addr.arpa
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    186 B / 78 B    3 / 1   A megida.hopto.org (3 requests, 1 response) -> 0.0.0.0
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    124 B / 78 B    2 / 1   A megida.hopto.org (2 requests, 1 response) -> 0.0.0.0
    72 B / 158 B    1 / 1   PTR 29.243.111.52.in-addr.arpa
    62 B / 170 B    1 / 1   A tse1.mm.bing.net -> 150.171.28.10, 150.171.27.10
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    72 B / 158 B    1 / 1   PTR 10.28.171.150.in-addr.arpa
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
    124 B / 78 B    2 / 1   A megida.hopto.org (2 requests, 1 response) -> 0.0.0.0
    62 B / 78 B     1 / 1   A megida.hopto.org -> 0.0.0.0
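Two things in the network data matter for triage, and they tie back to the extracted config. First, the only traffic attributable to the sample is the stream of A queries for megida.hopto.org (the config's primary_connection_host, on a No-IP dynamic-DNS domain), which came back 0.0.0.0 every time and never produced a flow to port 8822, so no NanoCore protocol traffic was captured. Second, everything to g.bing.com and tse1.mm.bing.net (user-agent WindowsShellClient, JPEG fetches) is consistent with Windows shell background activity, not the implant. The Python below is an added example, not part of the Triage report: it parses a constructed subset of the DNS lines in the flattened form the page shows them, correlates them with the C2 host and port from the config block, reports whether the implant ever got a routable answer, and emits Suricata rules for the two indicators. The suffix lists, regexes and rule text are my own.

```python
"""Correlate the extracted NanoCore config with the DNS log in this report.

Added example, not part of the Triage report. C2_HOST/C2_PORT are copied from
the config block (primary_connection_host, connection_port); SAMPLE_DNS_LINES
is a constructed subset of the report's DNS entries in the flattened form the
page shows them; suffix lists, regexes and rule text are my own.
"""
import re
from collections import defaultdict

C2_HOST = "megida.hopto.org"
C2_PORT = 8822

# hopto.org is a No-IP free dynamic-DNS domain; extend for your environment.
DYNDNS_SUFFIXES = (".hopto.org", ".ddns.net", ".no-ip.org", ".zapto.org", ".duckdns.org")
# OS / sandbox background traffic seen in this run (Windows shell talking to Bing).
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".msedge.net", ".in-addr.arpa")

SAMPLE_DNS_LINES = [
    "Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle",
    "Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.net"
    "g-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10"
    "ax-0001.ax-msedge.netIN A150.171.28.10",
    "Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Requestmegida.hopto.orgIN AResponsemegida.hopto.orgIN A0.0.0.0",
    "Remote address:8.8.8.8:53Requestmegida.hopto.orgIN AResponsemegida.hopto.orgIN A0.0.0.0",
    "Remote address:8.8.8.8:53Requestmegida.hopto.orgIN A",
    "Remote address:8.8.8.8:53Requestmegida.hopto.orgIN AResponsemegida.hopto.orgIN A0.0.0.0",
]

# Triage glues query name, class/type and answers together without separators;
# the non-greedy qname stops at the first "IN <TYPE>", and "Response" is optional.
LINE_RE = re.compile(
    r"Remote address:(?P<resolver>[\d.]+:\d+)Request(?P<qname>\S+?)IN (?P<qtype>[A-Z]+)"
    r"(?:Response(?P<answers>.*))?$"
)
A_RECORD_RE = re.compile(r"IN A(\d{1,3}(?:\.\d{1,3}){3})")


def summarize(lines):
    """Per-qname query count, response count and set of A-record answers."""
    stats = defaultdict(lambda: {"queries": 0, "responses": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["qname"].lower()]
        s["queries"] += 1
        if m["answers"] is not None:            # "Response" present, even if empty
            s["responses"] += 1
            s["ips"].update(A_RECORD_RE.findall(m["answers"]))
    return dict(stats)


def classify(qname):
    q = qname.lower()
    if q == C2_HOST:
        return "configured_c2"
    if q.endswith(DYNDNS_SUFFIXES):
        return "dynamic_dns"
    if q.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "unknown"


def c2_contact_status(stats):
    """Did the implant ever obtain a routable address for its configured C2?"""
    s = stats.get(C2_HOST)
    if s is None:
        return "never_queried"
    if any(ip != "0.0.0.0" for ip in s["ips"]):
        return "resolved"
    return "unroutable_answer" if s["responses"] else "no_answer"


def suricata_rules(sid=9000001):
    """DNS rule for the C2 hostname and a TCP rule for the configured port."""
    return [
        f'alert dns $HOME_NET any -> any any (msg:"NanoCore C2 DNS query {C2_HOST}"; '
        f'dns.query; content:"{C2_HOST}"; nocase; sid:{sid}; rev:1;)',
        f'alert tcp $HOME_NET any -> $EXTERNAL_NET {C2_PORT} (msg:"NanoCore C2 port {C2_PORT} outbound"; '
        f'flow:to_server,established; sid:{sid + 1}; rev:1;)',
    ]


if __name__ == "__main__":
    stats = summarize(SAMPLE_DNS_LINES)
    for qname, s in stats.items():
        print(f"{classify(qname):14} {qname:30} queries={s['queries']} responses={s['responses']} a={sorted(s['ips'])}")
    print("C2 status:", c2_contact_status(stats))
    print("\n".join(suricata_rules()))
```

The hostname is the durable indicator here: the operator can repoint a dynamic-DNS name at will, and since no connection to 8822 was ever made there is no protocol sample to write a content signature against. Treat the port-only TCP rule as a hunting aid, not an alerting rule, and pair it with the DNS rule or with a NanoCore protocol signature.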
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: c6f0625bf4c1cdfb699980c9243d3b22
SHA1: 43de1fe580576935516327f17b5da0c656c72851
SHA256: 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512: 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969