tofsee | 941505a64b1fcc4e333393495c8ded041b8371066fafa86d79ec47921ef041a9

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 04:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe
Size

11.5MB
MD5

161433181357a754f4fe059aa805a288
SHA1

9a21c5e0175cf721c9819a0dabe8cb1708871ab3
SHA256

941505a64b1fcc4e333393495c8ded041b8371066fafa86d79ec47921ef041a9
SHA512

c07d30c9ff5e0293e21a46c44e1e08811685f523f0c900bdac5d9c9b6d361056f95c2b250ee5af79ecca126013a559dd7e312adcb99d8396c4f67b6d646e881b
SSDEEP

6144:92MDRs+9skCSisUPOdxJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJb:92y6eCSioT

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1852	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\isxghqmd\ImagePath = "C:\\Windows\\SysWOW64\\isxghqmd\\nluveapl.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe

Deletes itself 1 IoCs

pid	Process
3660	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
5664	nluveapl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5664 set thread context of 3660	5664	nluveapl.exe	101

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4348	sc.exe
5244	sc.exe
5644	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2016	3784	WerFault.exe	84
2632	5664	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nluveapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 4872	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	88
PID 3784 wrote to memory of 4872	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	88
PID 3784 wrote to memory of 4872	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	88
PID 3784 wrote to memory of 968	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	90
PID 3784 wrote to memory of 968	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	90
PID 3784 wrote to memory of 968	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	90
PID 3784 wrote to memory of 4348	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	92
PID 3784 wrote to memory of 4348	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	92
PID 3784 wrote to memory of 4348	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	92
PID 3784 wrote to memory of 5244	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	94
PID 3784 wrote to memory of 5244	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	94
PID 3784 wrote to memory of 5244	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	94
PID 3784 wrote to memory of 5644	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	96
PID 3784 wrote to memory of 5644	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	96
PID 3784 wrote to memory of 5644	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	96
PID 5664 wrote to memory of 3660	5664	nluveapl.exe	101
PID 5664 wrote to memory of 3660	5664	nluveapl.exe	101
PID 5664 wrote to memory of 3660	5664	nluveapl.exe	101
PID 5664 wrote to memory of 3660	5664	nluveapl.exe	101
PID 5664 wrote to memory of 3660	5664	nluveapl.exe	101
PID 3784 wrote to memory of 1852	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	104
PID 3784 wrote to memory of 1852	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	104
PID 3784 wrote to memory of 1852	3784	2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\isxghqmd\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nluveapl.exe" C:\Windows\SysWOW64\isxghqmd\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:968
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create isxghqmd binPath= "C:\Windows\SysWOW64\isxghqmd\nluveapl.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4348
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description isxghqmd "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:5244
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start isxghqmd
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:5644
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1192
  2⤵
  - Program crash
  PID:2016

C:\Windows\SysWOW64\isxghqmd\nluveapl.exe
C:\Windows\SysWOW64\isxghqmd\nluveapl.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-04-04_161433181357a754f4fe059aa805a288_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5664
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 512
  2⤵
  - Program crash
  PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5664 -ip 5664
1⤵
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3784 -ip 3784
1⤵
PID:5460

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c4e7ec94212d4c5da48a550cfd0be91f&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6825849398674208&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c4e7ec94212d4c5da48a550cfd0be91f&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6825849398674208&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1CC451A6338C6A6B2479446232AB6B09; domain=.bing.com; expires=Wed, 29-Apr-2026 04:56:53 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 71A786A3062143BB86B8F3E4D2FE2176 Ref B: LON04EDGE0712 Ref C: 2025-04-04T04:56:53Z
date: Fri, 04 Apr 2025 04:56:53 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c4e7ec94212d4c5da48a550cfd0be91f&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6825849398674208&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c4e7ec94212d4c5da48a550cfd0be91f&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6825849398674208&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1CC451A6338C6A6B2479446232AB6B09

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=BKA2iDcFRryUCI7tqjH3B9SQ49TZLwh3bcioycn5Sq4; domain=.bing.com; expires=Wed, 29-Apr-2026 04:56:53 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0019D08D27DA4C68A5E3C2D80C0F5AE5 Ref B: LON04EDGE0712 Ref C: 2025-04-04T04:56:53Z
date: Fri, 04 Apr 2025 04:56:53 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c4e7ec94212d4c5da48a550cfd0be91f&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6825849398674208&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c4e7ec94212d4c5da48a550cfd0be91f&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6825849398674208&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1CC451A6338C6A6B2479446232AB6B09; MSPTC=BKA2iDcFRryUCI7tqjH3B9SQ49TZLwh3bcioycn5Sq4

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CD362F7999E44047A25F06663FE81A98 Ref B: LON04EDGE0712 Ref C: 2025-04-04T04:56:53Z
date: Fri, 04 Apr 2025 04:56:53 GMT
DNS

microsoft.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft.com

IN A

Response

microsoft.com

IN A

13.107.246.59
DNS

microsoft.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft.com

IN MX

Response

microsoft.com

IN MX

microsoft-commail protectionoutlook�
DNS

microsoft-com.mail.protection.outlook.com

svchost.exe

Remote address:

8.8.8.8:53

Request

microsoft-com.mail.protection.outlook.com

IN A

Response

microsoft-com.mail.protection.outlook.com

IN A

52.101.8.49

microsoft-com.mail.protection.outlook.com

IN A

52.101.40.26

microsoft-com.mail.protection.outlook.com

IN A

52.101.42.0

microsoft-com.mail.protection.outlook.com

IN A

52.101.11.0
DNS

yahoo.com

svchost.exe

Remote address:

8.8.8.8:53

Request

yahoo.com

IN MX

Response

yahoo.com

IN MX

mta5am0yahoodnsnet

yahoo.com

IN MX

mta6�.

yahoo.com

IN MX

mta7�.
DNS

mta5.am0.yahoodns.net

svchost.exe

Remote address:

8.8.8.8:53

Request

mta5.am0.yahoodns.net

IN A

Response

mta5.am0.yahoodns.net

IN A

98.136.96.75

mta5.am0.yahoodns.net

IN A

67.195.228.111

mta5.am0.yahoodns.net

IN A

98.136.96.74

mta5.am0.yahoodns.net

IN A

67.195.204.72

mta5.am0.yahoodns.net

IN A

67.195.204.73

mta5.am0.yahoodns.net

IN A

67.195.204.74

mta5.am0.yahoodns.net

IN A

98.136.96.76

mta5.am0.yahoodns.net

IN A

67.195.228.106
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388156_1Z2O2J8YHL5HTDB24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388156_1Z2O2J8YHL5HTDB24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 641224
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C376095F9A474DC7918D262FE10ECF23 Ref B: LON04EDGE1222 Ref C: 2025-04-04T04:57:27Z
date: Fri, 04 Apr 2025 04:57:27 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239353388073_1SY37RLMEXBSAP5P1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239353388073_1SY37RLMEXBSAP5P1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 616456
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 154155301FF14FEFB8D048960241C756 Ref B: LON04EDGE1222 Ref C: 2025-04-04T04:57:27Z
date: Fri, 04 Apr 2025 04:57:27 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388119_10QYQ7X0D3WF71UDP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388119_10QYQ7X0D3WF71UDP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 624243
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 42C947A1F63C43FD84F849442E3A3978 Ref B: LON04EDGE1222 Ref C: 2025-04-04T04:57:27Z
date: Fri, 04 Apr 2025 04:57:27 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388155_1D0BH5IJGCW4E5I58&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388155_1D0BH5IJGCW4E5I58&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 697659
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0FDDD562EA8F4CAF8AC9239164B662A6 Ref B: LON04EDGE1222 Ref C: 2025-04-04T04:57:27Z
date: Fri, 04 Apr 2025 04:57:27 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239353388079_1I03GNWN380ZGL8MJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239353388079_1I03GNWN380ZGL8MJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 745212
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D414FD2023C5465AA485C9F86B8D3D0A Ref B: LON04EDGE1222 Ref C: 2025-04-04T04:57:27Z
date: Fri, 04 Apr 2025 04:57:27 GMT
DNS

google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

google.com

IN MX

Response

google.com

IN MX

smtp�
DNS

smtp.google.com

svchost.exe

Remote address:

8.8.8.8:53

Request

smtp.google.com

IN A

Response

smtp.google.com

IN A

74.125.71.26

smtp.google.com

IN A

74.125.71.27

smtp.google.com

IN A

108.177.15.27

smtp.google.com

IN A

108.177.15.26

smtp.google.com

IN A

173.194.76.27
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.227
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.187.227:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 993
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 04 Apr 2025 04:51:24 GMT
Expires: Fri, 04 Apr 2025 05:41:24 GMT
Cache-Control: public, max-age=3000
Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
Age: 390
DNS

mail.ru

svchost.exe

Remote address:

8.8.8.8:53

Request

mail.ru

IN MX

Response

mail.ru

IN MX

mxs�
DNS

mxs.mail.ru

svchost.exe

Remote address:

8.8.8.8:53

Request

mxs.mail.ru

IN A

Response

mxs.mail.ru

IN A

94.100.180.31

mxs.mail.ru

IN A

217.69.139.150

150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c4e7ec94212d4c5da48a550cfd0be91f&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6825849398674208&anid=

tls, http2

2.0kB
9.3kB
21
17

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c4e7ec94212d4c5da48a550cfd0be91f&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6825849398674208&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c4e7ec94212d4c5da48a550cfd0be91f&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6825849398674208&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c4e7ec94212d4c5da48a550cfd0be91f&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6825849398674208&anid=

HTTP Response

204
13.107.246.59:80

microsoft.com

svchost.exe

190 B
92 B
4
2
52.101.8.49:25

microsoft-com.mail.protection.outlook.com

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5
98.136.96.75:25

mta5.am0.yahoodns.net

svchost.exe

260 B
5
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.6kB
7.0kB
21
14
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.6kB
7.0kB
21
14
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.6kB
7.0kB
21
13
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239353388079_1I03GNWN380ZGL8MJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

118.0kB
3.5MB
2526
2517

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388156_1Z2O2J8YHL5HTDB24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239353388073_1SY37RLMEXBSAP5P1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388119_10QYQ7X0D3WF71UDP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388155_1D0BH5IJGCW4E5I58&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239353388079_1I03GNWN380ZGL8MJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.6kB
7.0kB
21
14
74.125.71.26:25

smtp.google.com

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5
142.250.187.227:80

http://c.pki.goog/r/r1.crl

http

476 B
1.9kB
6
5

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
94.100.180.31:25

mxs.mail.ru

svchost.exe

260 B
5
43.231.4.7:443

svchost.exe

260 B
5

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

microsoft.com

dns

svchost.exe

59 B
75 B
1
1

DNS Request

microsoft.com

DNS Response

13.107.246.59
8.8.8.8:53

microsoft.com

dns

svchost.exe

59 B
113 B
1
1

DNS Request

microsoft.com
8.8.8.8:53

microsoft-com.mail.protection.outlook.com

dns

svchost.exe

87 B
151 B
1
1

DNS Request

microsoft-com.mail.protection.outlook.com

DNS Response

52.101.8.49

52.101.40.26

52.101.42.0

52.101.11.0
8.8.8.8:53

yahoo.com

dns

svchost.exe

55 B
134 B
1
1

DNS Request

yahoo.com
8.8.8.8:53

mta5.am0.yahoodns.net

dns

svchost.exe

67 B
195 B
1
1

DNS Request

mta5.am0.yahoodns.net

DNS Response

98.136.96.75

67.195.228.111

98.136.96.74

67.195.204.72

67.195.204.73

67.195.204.74

98.136.96.76

67.195.228.106
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

google.com

dns

svchost.exe

56 B
77 B
1
1

DNS Request

google.com
8.8.8.8:53

smtp.google.com

dns

svchost.exe

61 B
141 B
1
1

DNS Request

smtp.google.com

DNS Response

74.125.71.26

74.125.71.27

108.177.15.27

108.177.15.26

173.194.76.27
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.227
8.8.8.8:53

mail.ru

dns

svchost.exe

53 B
73 B
1
1

DNS Request

mail.ru
8.8.8.8:53

mxs.mail.ru

dns

svchost.exe

57 B
89 B
1
1

DNS Request

mxs.mail.ru

DNS Response

94.100.180.31

217.69.139.150

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nluveapl.exe

Filesize
14.9MB

MD5
3bd0fec5fa9a4edb63631bbc44c5cdf0

SHA1
26b61e3b447b530207edc7a685707f4919d0c5c4

SHA256
4de0ad29002605c855712b2447a95eb381043ee39a2ba87b99aab79b21274626

SHA512
fee3a0350693ca04f44a4ee52f6a86832dddda002eaa1bd076b3a86e7ad2342568b0fb14b8d97566470b3183d1bda1167ca14eb50f87d043894f14ea72ba5638

Download Submit
memory/3660-8-0x0000000000920000-0x0000000000935000-memory.dmp

Filesize
84KB

Download
memory/3660-14-0x0000000000920000-0x0000000000935000-memory.dmp

Filesize
84KB

Download
memory/3660-15-0x0000000000920000-0x0000000000935000-memory.dmp

Filesize
84KB

Download
memory/3784-1-0x0000000006E30000-0x0000000006F30000-memory.dmp

Filesize
1024KB

Download
memory/3784-2-0x0000000006DC0000-0x0000000006DD3000-memory.dmp

Filesize
76KB

Download
memory/3784-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3784-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3784-11-0x0000000006DC0000-0x0000000006DD3000-memory.dmp

Filesize
76KB

Download
memory/3784-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5664-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.