Analysis

  • max time kernel
    146s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2023, 15:34 UTC

General

  • Target

    6d6495d193ab5a17f51122e70544f63a6d3099693177880fa2a49067bcc30808.exe

  • Size

    1.3MB

  • MD5

    811993a1ba850a32a77c03e58e936e87

  • SHA1

    8e835db7f40f27e7d7a77f20aeea901e6790bea0

  • SHA256

    6d6495d193ab5a17f51122e70544f63a6d3099693177880fa2a49067bcc30808

  • SHA512

    8af26784d41e08fa793706bf2a305cfefdb1d22758423afab0f0f50247410aa63a94a1de4f5fac5269ea0b613fb5dddf167073b5fa29691c65c24ad4eaebfa17

  • SSDEEP

    24576:+ypxZzyxItnw55ufEGSEK0i08htkUle2M7FI:NpzGSA1dt0QNe2M5

Malware Config

Extracted

Family

redline

Botnet

darts

C2

77.91.124.82:19071

Attributes
  • auth_value

    3c8818da7045365845f15ec0946ebf11

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Extracted

Family

mystic

C2

http://5.42.92.211/loghub/master

Signatures

  • Detect Mystic stealer payload 6 IoCs
  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d6495d193ab5a17f51122e70544f63a6d3099693177880fa2a49067bcc30808.exe
    "C:\Users\Admin\AppData\Local\Temp\6d6495d193ab5a17f51122e70544f63a6d3099693177880fa2a49067bcc30808.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7067254.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7067254.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5105024.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5105024.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4852
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3709630.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3709630.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4792
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7312660.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7312660.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4816
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v4410990.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v4410990.exe
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:3656
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a0132786.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a0132786.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:804
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  8⤵
                  • Modifies Windows Defender Real-time Protection settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4664
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 556
                  8⤵
                  • Program crash
                  PID:2184
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b8123939.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b8123939.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2132
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  8⤵
                    PID:884
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 540
                      9⤵
                      • Program crash
                      PID:2060
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 580
                    8⤵
                    • Program crash
                    PID:1220
              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\c2812874.exe
                C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\c2812874.exe
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:4188
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  7⤵
                    PID:4132
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 552
                    7⤵
                    • Program crash
                    PID:4756
              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9401419.exe
                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9401419.exe
                5⤵
                • Executes dropped EXE
                PID:1944
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\e8752075.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\e8752075.exe
              4⤵
              • Executes dropped EXE
              PID:2844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 804 -ip 804
        1⤵
          PID:1564
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2132 -ip 2132
          1⤵
            PID:976
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 884 -ip 884
            1⤵
              PID:2792
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4188 -ip 4188
              1⤵
                PID:1356

              Network

              • flag-us
                DNS
                8.8.8.8.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                8.8.8.8.in-addr.arpa
                IN PTR
                Response
                8.8.8.8.in-addr.arpa
                IN PTR
                dns.google
              • flag-us
                DNS
                0.159.190.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                0.159.190.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                8.3.197.209.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                8.3.197.209.in-addr.arpa
                IN PTR
                Response
                8.3.197.209.in-addr.arpa
                IN PTR
                vip0x008.map2.ssl.hwcdn.net
              • flag-us
                DNS
                95.221.229.192.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                95.221.229.192.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                241.154.82.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                241.154.82.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                55.36.223.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                55.36.223.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                39.142.81.104.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                39.142.81.104.in-addr.arpa
                IN PTR
                Response
                39.142.81.104.in-addr.arpa
                IN PTR
                a104-81-142-39.deploy.static.akamaitechnologies.com
              • flag-us
                DNS
                2.136.104.51.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                2.136.104.51.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                54.120.234.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                54.120.234.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                59.128.231.4.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                59.128.231.4.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                tse1.mm.bing.net
                Remote address:
                8.8.8.8:53
                Request
                tse1.mm.bing.net
                IN A
                Response
                tse1.mm.bing.net
                IN CNAME
                mm-mm.bing.net.trafficmanager.net
                mm-mm.bing.net.trafficmanager.net
                IN CNAME
                dual-a-0001.a-msedge.net
                dual-a-0001.a-msedge.net
                IN A
                204.79.197.200
                dual-a-0001.a-msedge.net
                IN A
                13.107.21.200
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239317301587_1CG6G7BFWUOX4CWIT&pid=21.2&w=1080&h=1920&c=4
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239317301587_1CG6G7BFWUOX4CWIT&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 423187
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 6FAC4186A87447FA85B06F222B871A92 Ref B: BRU30EDGE0518 Ref C: 2023-10-12T05:56:54Z
                date: Thu, 12 Oct 2023 05:56:53 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239317301432_1NLWJ6W2YQQ4KOO33&pid=21.2&w=1080&h=1920&c=4
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239317301432_1NLWJ6W2YQQ4KOO33&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 271802
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 5EB28C0749784E91B786AE4322240AD3 Ref B: BRU30EDGE0518 Ref C: 2023-10-12T05:56:54Z
                date: Thu, 12 Oct 2023 05:56:53 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239317301312_1T9ZATUOGPW0HJ7P7&pid=21.2&w=1920&h=1080&c=4
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239317301312_1T9ZATUOGPW0HJ7P7&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 506566
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: DF2E11A944404B2890FAF26667AB5F9C Ref B: BRU30EDGE0518 Ref C: 2023-10-12T05:56:54Z
                date: Thu, 12 Oct 2023 05:56:53 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239317300999_19LLLSZ7BD69RXYBD&pid=21.2&w=1920&h=1080&c=4
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239317300999_19LLLSZ7BD69RXYBD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 451409
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 74F6B702D1EC4767ACEF7A7B777BC9E2 Ref B: BRU30EDGE0518 Ref C: 2023-10-12T05:56:54Z
                date: Thu, 12 Oct 2023 05:56:54 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239317301178_1ZSW6EWWODY9QKCCO&pid=21.2&w=1920&h=1080&c=4
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239317301178_1ZSW6EWWODY9QKCCO&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 191048
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 0F93E526D4564CA6993DAAD8F52E72DA Ref B: BRU30EDGE0518 Ref C: 2023-10-12T05:56:54Z
                date: Thu, 12 Oct 2023 05:56:54 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239317301721_1Y64UM4ZK2VT4MVP3&pid=21.2&w=1080&h=1920&c=4
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239317301721_1Y64UM4ZK2VT4MVP3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 481315
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 5741F7F482AA4DA397F039FCF3C23FF6 Ref B: BRU30EDGE0518 Ref C: 2023-10-12T05:56:56Z
                date: Thu, 12 Oct 2023 05:56:56 GMT
              • flag-us
                DNS
                26.165.165.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                26.165.165.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                200.197.79.204.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                200.197.79.204.in-addr.arpa
                IN PTR
                Response
                200.197.79.204.in-addr.arpa
                IN PTR
                a-0001.a-msedge.net
              • flag-ru
                POST
                http://5.42.92.211/loghub/master
                d9401419.exe
                Remote address:
                5.42.92.211:80
                Request
                POST /loghub/master HTTP/1.1
                Content-Type: multipart/form-data; boundary=d1lrmw8yQ5KxkJAzDF73
                Content-Length: 213
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
                Host: 5.42.92.211
                Connection: Keep-Alive
                Cache-Control: no-cache
                Response
                HTTP/1.1 200 OK
                Server: nginx/1.18.0 (Ubuntu)
                Date: Thu, 12 Oct 2023 05:56:55 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 8
                Connection: keep-alive
                X-Frame-Options: DENY
                X-Content-Type-Options: nosniff
                Referrer-Policy: same-origin
              • flag-us
                DNS
                211.92.42.5.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                211.92.42.5.in-addr.arpa
                IN PTR
                Response
                211.92.42.5.in-addr.arpa
                IN PTR
                hosted-by.yeezyhost.net
              • flag-us
                DNS
                18.31.95.13.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                18.31.95.13.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                14.227.111.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                14.227.111.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                18.173.189.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                18.173.189.20.in-addr.arpa
                IN PTR
                Response
              • 204.79.197.200:443
                tse1.mm.bing.net
                tls, http2
                1.2kB
                8.3kB
                16
                14
              • 204.79.197.200:443
                https://tse1.mm.bing.net/th?id=OADD2.10239317301721_1Y64UM4ZK2VT4MVP3&pid=21.2&w=1080&h=1920&c=4
                tls, http2
                90.2kB
                2.4MB
                1758
                1748

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239317301587_1CG6G7BFWUOX4CWIT&pid=21.2&w=1080&h=1920&c=4

                HTTP Response

                200

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239317301432_1NLWJ6W2YQQ4KOO33&pid=21.2&w=1080&h=1920&c=4

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239317301312_1T9ZATUOGPW0HJ7P7&pid=21.2&w=1920&h=1080&c=4

                HTTP Response

                200

                HTTP Response

                200

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239317300999_19LLLSZ7BD69RXYBD&pid=21.2&w=1920&h=1080&c=4

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239317301178_1ZSW6EWWODY9QKCCO&pid=21.2&w=1920&h=1080&c=4

                HTTP Response

                200

                HTTP Response

                200

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239317301721_1Y64UM4ZK2VT4MVP3&pid=21.2&w=1080&h=1920&c=4

                HTTP Response

                200
              • 204.79.197.200:443
                tse1.mm.bing.net
                tls, http2
                1.2kB
                8.3kB
                16
                14
              • 5.42.92.211:80
                http://5.42.92.211/loghub/master
                http
                d9401419.exe
                752 B
                436 B
                6
                4

                HTTP Request

                POST http://5.42.92.211/loghub/master

                HTTP Response

                200
              • 77.91.124.82:19071
                e8752075.exe
                260 B
                5
              • 77.91.124.82:19071
                AppLaunch.exe
                260 B
                5
              • 77.91.124.82:19071
                e8752075.exe
                260 B
                5
              • 77.91.124.82:19071
                AppLaunch.exe
                260 B
                5
              • 77.91.124.82:19071
                AppLaunch.exe
                260 B
                5
              • 77.91.124.82:19071
                e8752075.exe
                260 B
                5
              • 77.91.124.82:19071
                e8752075.exe
                260 B
                5
              • 77.91.124.82:19071
                AppLaunch.exe
                260 B
                5
              • 8.8.8.8:53
                8.8.8.8.in-addr.arpa
                dns
                66 B
                90 B
                1
                1

                DNS Request

                8.8.8.8.in-addr.arpa

              • 8.8.8.8:53
                0.159.190.20.in-addr.arpa
                dns
                71 B
                157 B
                1
                1

                DNS Request

                0.159.190.20.in-addr.arpa

              • 8.8.8.8:53
                8.3.197.209.in-addr.arpa
                dns
                70 B
                111 B
                1
                1

                DNS Request

                8.3.197.209.in-addr.arpa

              • 8.8.8.8:53
                95.221.229.192.in-addr.arpa
                dns
                73 B
                144 B
                1
                1

                DNS Request

                95.221.229.192.in-addr.arpa

              • 8.8.8.8:53
                241.154.82.20.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                241.154.82.20.in-addr.arpa

              • 8.8.8.8:53
                55.36.223.20.in-addr.arpa
                dns
                71 B
                157 B
                1
                1

                DNS Request

                55.36.223.20.in-addr.arpa

              • 8.8.8.8:53
                39.142.81.104.in-addr.arpa
                dns
                72 B
                137 B
                1
                1

                DNS Request

                39.142.81.104.in-addr.arpa

              • 8.8.8.8:53
                2.136.104.51.in-addr.arpa
                dns
                71 B
                157 B
                1
                1

                DNS Request

                2.136.104.51.in-addr.arpa

              • 8.8.8.8:53
                54.120.234.20.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                54.120.234.20.in-addr.arpa

              • 8.8.8.8:53
                59.128.231.4.in-addr.arpa
                dns
                71 B
                157 B
                1
                1

                DNS Request

                59.128.231.4.in-addr.arpa

              • 8.8.8.8:53
                tse1.mm.bing.net
                dns
                62 B
                173 B
                1
                1

                DNS Request

                tse1.mm.bing.net

                DNS Response

                204.79.197.200
                13.107.21.200

              • 8.8.8.8:53
                26.165.165.52.in-addr.arpa
                dns
                72 B
                146 B
                1
                1

                DNS Request

                26.165.165.52.in-addr.arpa

              • 8.8.8.8:53
                200.197.79.204.in-addr.arpa
                dns
                73 B
                106 B
                1
                1

                DNS Request

                200.197.79.204.in-addr.arpa

              • 8.8.8.8:53
                211.92.42.5.in-addr.arpa
                dns
                70 B
                107 B
                1
                1

                DNS Request

                211.92.42.5.in-addr.arpa

              • 8.8.8.8:53
                18.31.95.13.in-addr.arpa
                dns
                70 B
                144 B
                1
                1

                DNS Request

                18.31.95.13.in-addr.arpa

              • 8.8.8.8:53
                14.227.111.52.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                14.227.111.52.in-addr.arpa

              • 8.8.8.8:53
                18.173.189.20.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                18.173.189.20.in-addr.arpa

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7067254.exe

                Filesize

                1.2MB

                MD5

                fa7ef9adce529c3f0caecefe290eb8c6

                SHA1

                f992656134060fac86764395ee0a04219cb37a8b

                SHA256

                924589b7e85ea6cebfb0a54034d5e5a764b37d300d0cbb9380abd88bc0e8e654

                SHA512

                c509b9d2670489b72034fefc8c85c0b7073889a5ddf35a522f7df6206f472226d81e5ba5bcd96abcc8a73c1d573a4f693a53bae345d6f52ed664b37d38c59e7e

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5105024.exe
                Filesize: 941KB
                MD5: e6d4867c6677fe948087839e3579cf33
                SHA1: b4a2a8dbf3eeb5302beb5751f4a12b055f7d220a
                SHA256: 98999fd62ab82fdb7e6157c5bc6983cc09922ef1e9666ca2be2ff96bec18ba11
                SHA512: fc25484e6ccce25fb8aa2bf3a391326d466e4d82b429cdaed48b184429562adaee498984e61239f1e83c642a2151313169f5492e20516dc57f9306a807efa3dd

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\e8752075.exe
                Filesize: 174KB
                MD5: 86cc2fe5a85a92ded1160f77bde663a7
                SHA1: c554cb86bd56d7174cdf36d1cc433885ad4ae86b
                SHA256: 393fe6cd11d79e7566b449bfb6a7859089ee42fcec5b79da736c04784bc4b1bb
                SHA512: 460e3edc03d52ebd18def1a3358ea251e0adf180829f8d22eeb4927a936aa0d212f6a6d64c7b762f79a0abedece84e82569406242f1097dd1f46b268189a0332

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3709630.exe
                Filesize: 784KB
                MD5: 7961af7d246f5c5ca216da83cf5a2e69
                SHA1: 6db0cecc2f461989d8370c6b92c82c815053452a
                SHA256: 14915025bcc373259cbc002a1ecef2b4c2bbcf62175e2ce5b3a781fd9978fe70
                SHA512: f280e5617fe0b8f94b347893963b6406ecb287122e2bc61b9de5a558a30df73e5d6f87759edf130df4c5f20c88d6ccb2e91269adb7681285618237e07200fa91

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9401419.exe
                Filesize: 140KB
                MD5: 16ae4eb8f72c55fa0814b61abbf0f98d
                SHA1: 04dd1d872c2af5402605b5f985bb4e5444642e20
                SHA256: 9a9a29663bde8673065d43b9c1145aa261f56692a07932cf4f53833e9a43e14a
                SHA512: 36225956473a695fec32cdeeaa1086041b7a6907bbb6310a93c0cfb27f28f484478c567efd575708331972bf03b7ab605a92f15463d5fb9808b2492506e892c5

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7312660.exe
                Filesize: 619KB
                MD5: 5b0df18b7ef7a68ef9545dcfd39d1745
                SHA1: b6e485194d89e7761cc60f3b0d6f7ac433bebbe4
                SHA256: 7f3933311c9c171610b48538a9c7a5f53452ec7f0d555127681055de6e563a84
                SHA512: beb8a047d4fcc02505b952ea2822317ba7bcb97609951774e66a9aa010c448bee3112f419b6cf7ce2cb69a3056f376a5a8467168c19a8409d2ca410d3c84c72c

              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\c2812874.exe
                Filesize: 398KB
                MD5: c9ecff9cd05cb6848385d4769ab8e4b0
                SHA1: 56f4507e88c96792ffa18093900df3aad1b41853
                SHA256: 45fe5619b7f93f3684294f2faf50ae73a1a9dbfef4a2524b056d046d4bee893c
                SHA512: e39777287d5d71c733a33efcb4c673299c4603ce1ed3d290f22a8348319b2c78d439d6257d6b2be6f17506d6bd74c5c05c72ea515062e60f0985610d10317d52

              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v4410990.exe
                Filesize: 348KB
                MD5: 15fb01d874b255d28c9e68df23e670eb
                SHA1: 20ed5344101f105b47f915c560aa4ff7219dba03
                SHA256: 0455410e7b0afe216d84a835842e2c5e47dd4e21434c635300a952b12580bd4b
                SHA512: 55402c89529bd0ea46d7efa4f8290d1abdb7f6953ab561a5858c7dcf0a5f53e3ab8986b4ca6732a954acb19243cb8961b325d4d302c54eeb2eff185e047cdb3c

              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a0132786.exe
                Filesize: 235KB
                MD5: 706abb172114e2ac77fdfe8a8d78c3b2
                SHA1: 4fef2a518042b51d296a69cf38c0a92ba87aa7d6
                SHA256: 80caaf1376335be3979ed28f25ee12668f0eda6b37e99e7c8d1235cd966e47d5
                SHA512: 9326657f9e6637174b825329b97d136e49b0e12f5686d792e14f6859f0d585088e3b89e1dce70e04ba58fc801f19d933b1b8f2c5ec40642c4343707c15889036

              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b8123939.exe
                Filesize: 364KB
                MD5: beb64f6bfadfe64f598d5b90e1f0e498
                SHA1: ab206da7d02a0778c8a73ccd530960b2b4d99b6b
                SHA256: 054b561b0a009368b19d05bf03711541f2bc41e37ec67e26db3f508eaa38be5d
                SHA512: 04bee7e66b143f5def5c76d4ed29a91bce6a614322878824e53ace403e48eb641e779ee48bf8cf90c8c66dfa8e469b4ceaaa8014a26b8d0df93b9491eb66f4d7

              • memory/884-48-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
              • memory/884-49-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
              • memory/884-50-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
              • memory/884-52-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
              • memory/2844-79-0x0000000073D20000-0x00000000744D0000-memory.dmp (Filesize 7.7MB)
              • memory/2844-77-0x00000000055C0000-0x00000000055D0000-memory.dmp (Filesize 64KB)
              • memory/2844-75-0x0000000073D20000-0x00000000744D0000-memory.dmp (Filesize 7.7MB)
              • memory/2844-76-0x0000000002D70000-0x0000000002D76000-memory.dmp (Filesize 24KB)
              • memory/2844-80-0x00000000055C0000-0x00000000055D0000-memory.dmp (Filesize 64KB)
              • memory/2844-74-0x0000000000B70000-0x0000000000BA0000-memory.dmp (Filesize 192KB)
              • memory/4132-57-0x0000000073D20000-0x00000000744D0000-memory.dmp (Filesize 7.7MB)
              • memory/4132-73-0x00000000050E0000-0x000000000512C000-memory.dmp (Filesize 304KB)
              • memory/4132-68-0x0000000004D70000-0x0000000004D80000-memory.dmp (Filesize 64KB)
              • memory/4132-67-0x0000000004F00000-0x0000000004F12000-memory.dmp (Filesize 72KB)
              • memory/4132-69-0x0000000004F60000-0x0000000004F9C000-memory.dmp (Filesize 240KB)
              • memory/4132-56-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize 192KB)
              • memory/4132-65-0x00000000054E0000-0x0000000005AF8000-memory.dmp (Filesize 6.1MB)
              • memory/4132-66-0x0000000004FD0000-0x00000000050DA000-memory.dmp (Filesize 1.0MB)
              • memory/4132-78-0x0000000004D70000-0x0000000004D80000-memory.dmp (Filesize 64KB)
              • memory/4132-61-0x0000000073D20000-0x00000000744D0000-memory.dmp (Filesize 7.7MB)
              • memory/4132-58-0x0000000000D30000-0x0000000000D36000-memory.dmp (Filesize 24KB)
              • memory/4664-60-0x0000000073D20000-0x00000000744D0000-memory.dmp (Filesize 7.7MB)
              • memory/4664-43-0x0000000073D20000-0x00000000744D0000-memory.dmp (Filesize 7.7MB)
              • memory/4664-42-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize 40KB)
              • memory/4664-47-0x0000000073D20000-0x00000000744D0000-memory.dmp (Filesize 7.7MB)
