Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2024 10:46

General

  • Target

    793cab4421c321b969ce88f22d90752c_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    793cab4421c321b969ce88f22d90752c

  • SHA1

    55b461d66391147bf8f7c0179f7a0b2abed6d9b5

  • SHA256

    b780a8572b59d2eeb633fd896cc4982508aacee23bce257396a80e7ea29b2bc3

  • SHA512

    b02df864c6ec4c7ebede94b3bf31b66b5332f3e8b4ece9600a2b282dec06885965279adbf36b8e08d590cfcb5aeb0e113a273eb4476c5fc86e321c4cb73e4075

  • SSDEEP

    24576:eaHMv6CorjqnyC8flDAgjk6GECzbMpJgCUwJvfoIfaAl3Ein+ozerISUfE:e1vqjdC8tD5jk6/wbMTgCUaoIfaKb+ok

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

testcybergate.zapto.org:3014

Mutex

DC_MUTEX-F48XL4B

Attributes
  • gencode

    EWr2RqlAQCdR

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

latentbot

C2

testcybergate.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Latentbot family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\793cab4421c321b969ce88f22d90752c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\793cab4421c321b969ce88f22d90752c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\uncrypted.exe
      "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1292

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=000C33247B676C5E119326027AF86DC5; domain=.bing.com; expires=Sat, 22-Nov-2025 10:54:10 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 81C4AA2CD27F4F83BD1450492B3AA94C Ref B: LON601060104040 Ref C: 2024-10-28T10:54:10Z
    date: Mon, 28 Oct 2024 10:54:10 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=000C33247B676C5E119326027AF86DC5
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=52Yy7-FcTCAd1kJDJeQgUYQSf9YiY2mEI2ff6m83rvQ; domain=.bing.com; expires=Sat, 22-Nov-2025 10:54:10 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 833DC1CFD1D549C3891B18DA024B17DD Ref B: LON601060104040 Ref C: 2024-10-28T10:54:10Z
    date: Mon, 28 Oct 2024 10:54:10 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=000C33247B676C5E119326027AF86DC5; MSPTC=52Yy7-FcTCAd1kJDJeQgUYQSf9YiY2mEI2ff6m83rvQ
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 03FFABF887484EFC9E05F4C7A98E21E4 Ref B: LON601060104040 Ref C: 2024-10-28T10:54:10Z
    date: Mon, 28 Oct 2024 10:54:10 GMT
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    69.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77deploystaticakamaitechnologiescom
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79deploystaticakamaitechnologiescom
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388040_17NRQFHMSVZES5QDT&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388040_17NRQFHMSVZES5QDT&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 540045
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BC3CDF8F97484DB59F2CAF864AAE5970 Ref B: LON601060102029 Ref C: 2024-10-28T10:55:48Z
    date: Mon, 28 Oct 2024 10:55:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388041_1G4A2C01B1PAFTOD1&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388041_1G4A2C01B1PAFTOD1&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 694302
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7D9C2217C42140C3B91DD98A61E26100 Ref B: LON601060102029 Ref C: 2024-10-28T10:55:48Z
    date: Mon, 28 Oct 2024 10:55:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 576636
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5AD1A604244541DD85B3669DE9569CEA Ref B: LON601060102029 Ref C: 2024-10-28T10:55:48Z
    date: Mon, 28 Oct 2024 10:55:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418559_1LXGGCLQWFST3067K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418559_1LXGGCLQWFST3067K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 561868
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 633B0A983A984F199511354BF5C2E4DA Ref B: LON601060102029 Ref C: 2024-10-28T10:55:48Z
    date: Mon, 28 Oct 2024 10:55:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 405350
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8EE6C2C8E7D04DD9A1C808DE3307645F Ref B: LON601060102029 Ref C: 2024-10-28T10:55:48Z
    date: Mon, 28 Oct 2024 10:55:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 512342
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 26A32965F89641CBB04C6C461E034B0C Ref B: LON601060102029 Ref C: 2024-10-28T10:55:48Z
    date: Mon, 28 Oct 2024 10:55:47 GMT
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • flag-us
    DNS
    testcybergate.zapto.org
    uncrypted.exe
    Remote address:
    8.8.8.8:53
    Request
    testcybergate.zapto.org
    IN A
    Response
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    tls, http2
    2.0kB
    9.4kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3704809a15c84960987ca04a198f2e8c&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

    HTTP Response

    204
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    116.5kB
    3.4MB
    2473
    2469

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388040_17NRQFHMSVZES5QDT&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388041_1G4A2C01B1PAFTOD1&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418559_1LXGGCLQWFST3067K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    12
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    138 B
    129 B
    2
    1

    DNS Request

    testcybergate.zapto.org

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    31.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    31.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    69 B
    129 B
    1
    1

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    138 B
    258 B
    2
    2

    DNS Request

    testcybergate.zapto.org

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    138 B
    258 B
    2
    2

    DNS Request

    testcybergate.zapto.org

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    138 B
    258 B
    2
    2

    DNS Request

    testcybergate.zapto.org

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    138 B
    258 B
    2
    2

    DNS Request

    testcybergate.zapto.org

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    138 B
    258 B
    2
    2

    DNS Request

    testcybergate.zapto.org

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    138 B
    258 B
    2
    2

    DNS Request

    testcybergate.zapto.org

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    138 B
    258 B
    2
    2

    DNS Request

    testcybergate.zapto.org

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    138 B
    258 B
    2
    2

    DNS Request

    testcybergate.zapto.org

    DNS Request

    testcybergate.zapto.org

  • 8.8.8.8:53
    testcybergate.zapto.org
    dns
    uncrypted.exe
    138 B
    258 B
    2
    2

    DNS Request

    testcybergate.zapto.org

    DNS Request

    testcybergate.zapto.org

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\autB3DF.tmp

    Filesize

    659KB

    MD5

    92499f0ef985be878a6373743b77d6a2

    SHA1

    c60aa4820aa41f9f6dafef25e4ad9f8d010c88f9

    SHA256

    a53ecd5d2893a6325776ea9135b2532f1f68ceca6dae90db8de531b883b1571a

    SHA512

    27e3fe6a6bfc43c4e4f1c64570e5beebc773cb6cd9b043e8ccef4c57821bda6fa560d2abe34326ab1563ecedace0d02c1d1c3676f18f35bfa47df5df05b98b7e

  • C:\Users\Admin\AppData\Local\Temp\uncrypted.exe

    Filesize

    659KB

    MD5

    c798c640896c00fc6bb839cdd3810e24

    SHA1

    8a386de287c0d1bf3e3c322e1957eb9055a0aedb

    SHA256

    31be1a973731be787d2d717e36a1447eaf2a6d81eade0e0a77329f0692d3e699

    SHA512

    10e40c9b6dd2d37fef6df7c0b43ecfc39f49f9b28e2c25d0df1aa1c38b8311d1897db7b0de36a9c2b95ea8f2901e66607b2fa1527f330d6499ff7d34463d8729

  • memory/1292-25-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-28-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-21-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-22-0x00000000023E0000-0x00000000023E1000-memory.dmp

    Filesize

    4KB

  • memory/1292-23-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-24-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-35-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-26-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-27-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-20-0x00000000023E0000-0x00000000023E1000-memory.dmp

    Filesize

    4KB

  • memory/1292-29-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-30-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-31-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-32-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-33-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1292-34-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1620-0-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.