Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2023, 13:19 UTC

General

  • Target

    9ee4059d1c9ae9597e4623aa54eac9af.exe

  • Size

    1.3MB

  • MD5

    9ee4059d1c9ae9597e4623aa54eac9af

  • SHA1

    a6a8f547cfb9c2eaa21651cd90ec17b7b6065c80

  • SHA256

    c6eaebad13292d911cf4aa9b576d4f6d56ee7132ff1d425eae109de557f9152f

  • SHA512

    71ece6adf20fdb553981a0b5880f3abcfdf8c6a94049eec800a215e543834a95d31082e3dc8f93cc1f387298a02282c7c83f04ce356bf55b63dafc2830179033

  • SSDEEP

    24576:gQOJ5rL4avAzWXNVCQG4QWaTli9cNSFlIjpjpKj1RjVb2bUj8Kr0vG:2dLR3VFmJidFlQNKBLAo8K

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
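
The "UPX packed file" signature above is a static check. The example below is added for this page and is not the sandbox's own detection code: it shows the indicators such a check looks for (UPX section names, the UPX! marker in the header area, a section with no raw data but a large virtual size next to a high-entropy section) and applies them to a PE layout built in memory. The build_min_pe() helper, its section names and contents are constructed demonstration input, not the analysed sample; it only needs the Python standard library.

```python
"""Static packer triage for a PE file: section names, section entropy, UPX markers.

Added example, not code from the sandbox or the report. The section table is
parsed by hand so only the standard library is needed; build_min_pe() creates a
constructed (non-loadable) PE layout for the demo and is not the analysed sample.
"""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Return [(name, virtual_size, raw_size, raw_offset, characteristics), ...]
    read from the section table (DOS header -> e_lfanew -> COFF -> sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, roff = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, vsize, rsize, roff, chars))
    return sections


def upx_indicators(pe: bytes) -> dict:
    """UPX heuristics: section names, the 'UPX!' marker, an empty-raw/large-virtual
    section (the unpack target, UPX0) and a high-entropy section (the packed body,
    UPX1). A renamed ("modified UPX") build loses the names but keeps the last two."""
    sections = parse_sections(pe)
    names = {s[0] for s in sections}
    high = []
    for name, _vs, rsize, roff, _chars in sections:
        ent = shannon_entropy(pe[roff:roff + rsize]) if rsize else 0.0
        if ent >= HIGH_ENTROPY:
            high.append((name.decode("latin-1"), round(ent, 2)))
    report = {
        "upx_section_names": sorted(n.decode("latin-1") for n in names & UPX_SECTION_NAMES),
        "upx_magic_in_header": b"UPX!" in pe[:0x1000],
        "empty_raw_large_virtual": any(s[2] == 0 and s[1] >= 0x1000 for s in sections),
        "high_entropy_sections": high,
    }
    report["likely_upx"] = bool(report["upx_section_names"]) or report["upx_magic_in_header"]
    report["likely_packed"] = report["likely_upx"] or (
        report["empty_raw_large_virtual"] and bool(high))
    return report


def build_min_pe(sections: list) -> bytes:
    """Constructed minimal PE32 layout (headers plus raw section data, not
    loadable) from [(name, virtual_size, raw_bytes), ...]; demo input only."""
    hdr_size = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    raw_start = (hdr_size + 0x1FF) & ~0x1FF  # 0x200 file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, body, vaddr, roff = bytearray(), bytearray(), 0x1000, raw_start
    for name, vsize, raw in sections:
        rsize = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             rsize, roff if rsize else 0, 0, 0, 0, 0, 0xE0000020)
        body += raw.ljust(rsize, b"\0")
        roff += rsize
        vaddr += (max(vsize, rsize) + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image.ljust(raw_start, b"\0") + bytes(body)


def demo() -> dict:
    """UPX-like layout: UPX0 with no raw data, UPX1 filled with high-entropy bytes."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    pe = build_min_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x2000, packed),
                       (b".rsrc", 0x200, b"\0" * 0x100)])
    return upx_indicators(pe)
```

Run upx_indicators() on the file bytes of a real sample; the name check alone is what most "UPX packed" signatures key on, while the empty-raw/high-entropy pair is what survives a renamed section table.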

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe
    "C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe
      C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:2964

Network

  • flag-us
    DNS
    zipansion.com
    9ee4059d1c9ae9597e4623aa54eac9af.exe
    Remote address:
    8.8.8.8:53
    Request
    zipansion.com
    IN A
    Response
    zipansion.com
    IN A
    104.21.73.114
    zipansion.com
    IN A
    172.67.144.180
  • flag-us
    GET
    http://zipansion.com/2pRLi
    9ee4059d1c9ae9597e4623aa54eac9af.exe
    Remote address:
    104.21.73.114:80
    Request
    GET /2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: zipansion.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 23 Dec 2023 17:59:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=fp0nqjs87jrgskpihoshtfi7vn; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: http://yxeepsek.net/-36721UNEG/2pRLi?rndad=1502943035-1703354351
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ofqtDbHq3N%2BbMK6T%2BikPrpfqEPRQDMh7oroAd08mrRA2PNBaR0ffplUEylLnP%2B3hMWIogMta3zwvh2CQIkTn5c6uJy0KrUs3f5L1vHmM02lvogW5ze9QhuXIHoWJtExd"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 83a27f360ff26349-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.181.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
    Response
    194.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-194.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    yxeepsek.net
    9ee4059d1c9ae9597e4623aa54eac9af.exe
    Remote address:
    8.8.8.8:53
    Request
    yxeepsek.net
    IN A
    Response
    yxeepsek.net
    IN A
    104.21.20.204
    yxeepsek.net
    IN A
    172.67.194.101
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    http://yxeepsek.net/-36721UNEG/2pRLi?rndad=1502943035-1703354351
    9ee4059d1c9ae9597e4623aa54eac9af.exe
    Remote address:
    104.21.20.204:80
    Request
    GET /-36721UNEG/2pRLi?rndad=1502943035-1703354351 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Cache-Control: no-cache
    Host: yxeepsek.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Date: Sat, 23 Dec 2023 17:59:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=6o4ehmpeggehdnhjhv8iqobvnk; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: /suspended?a=3&u=20186239
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=s3hcJ9zc8R%2B%2BI1EWdMubNsHWw0mjaykmBqhFas0mVbO%2BjclyDDANG895PjJWu0s%2FNh37Smoj2Qg6ruMQvVsXXO6C6Euz99LMVd6MqfJFDRZBYthuylmuYCy5yNfSBXA%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 83a27f381ca56371-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    GET
    http://yxeepsek.net/suspended?a=3&u=20186239
    9ee4059d1c9ae9597e4623aa54eac9af.exe
    Remote address:
    104.21.20.204:80
    Request
    GET /suspended?a=3&u=20186239 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Cache-Control: no-cache
    Host: yxeepsek.net
    Connection: Keep-Alive
    Cookie: FLYSESSID=6o4ehmpeggehdnhjhv8iqobvnk
    Response
    HTTP/1.1 200 OK
    Date: Sat, 23 Dec 2023 17:59:11 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    last-modified: Tue, 10 Nov 2020 09:44:07 GMT
    vary: Accept-Encoding
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VqsC2KJtBLhwdzuP0gp5Fglj8czTBB1NK%2Fgm2q9VUVZXfx7z%2FJsu%2F30MA2ht5xvjXk8EQOVXcYGzl%2F5LVAiJCDJ%2Fmwstg6%2B6DKeXWWucoQGltmrItk%2BZj1gB6k1OUKk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 83a27f39aed66371-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a9070216c2394c8fbdde1bbf5bc51f1a&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a9070216c2394c8fbdde1bbf5bc51f1a&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=01DC44F5741F6EAE3F10570575FF6F1A; domain=.bing.com; expires=Thu, 16-Jan-2025 17:59:12 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D0A5B85CC3B949BB92EDC17A7B8EE504 Ref B: LON04EDGE1213 Ref C: 2023-12-23T17:59:12Z
    date: Sat, 23 Dec 2023 17:59:12 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a9070216c2394c8fbdde1bbf5bc51f1a&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a9070216c2394c8fbdde1bbf5bc51f1a&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=01DC44F5741F6EAE3F10570575FF6F1A
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=qAT9kShUB9l0J0np2hhlIZBpr_GzgW3W6YCkcbbCe1k; domain=.bing.com; expires=Thu, 16-Jan-2025 17:59:12 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: ABE47DDA2A004845AFF5DF16160B3FCC Ref B: LON04EDGE1213 Ref C: 2023-12-23T17:59:12Z
    date: Sat, 23 Dec 2023 17:59:12 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a9070216c2394c8fbdde1bbf5bc51f1a&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a9070216c2394c8fbdde1bbf5bc51f1a&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=01DC44F5741F6EAE3F10570575FF6F1A; MSPTC=qAT9kShUB9l0J0np2hhlIZBpr_GzgW3W6YCkcbbCe1k
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5353ACA1DEEF47DB96D517B1436A6842 Ref B: LON04EDGE1213 Ref C: 2023-12-23T17:59:12Z
    date: Sat, 23 Dec 2023 17:59:12 GMT
  • flag-us
    DNS
    114.73.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.73.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    114.73.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.73.21.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    204.20.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    204.20.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    204.20.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    204.20.21.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    114.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.110.16.96.in-addr.arpa
    IN PTR
    Response
    114.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-114.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    81.171.91.138.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.171.91.138.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    100.5.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.5.17.2.in-addr.arpa
    IN PTR
    Response
    100.5.17.2.in-addr.arpa
    IN PTR
    a2-17-5-100.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    100.5.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.5.17.2.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    100.5.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.5.17.2.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    119.110.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    119.110.54.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    176.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    176.178.17.96.in-addr.arpa
    IN PTR
    Response
    176.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-176.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    176.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    176.178.17.96.in-addr.arpa
    IN PTR
    Response
    176.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-176.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    211.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    211.135.221.88.in-addr.arpa
    IN PTR
    Response
    211.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-211.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    211.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    211.135.221.88.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    79.121.231.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.121.231.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.121.231.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.121.231.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    0.204.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.204.248.87.in-addr.arpa
    IN PTR
    Response
    0.204.248.87.in-addr.arpa
    IN PTR
    https-87-248-204-0.lhr.llnw.net
  • flag-us
    DNS
    0.204.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.204.248.87.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 142516
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D11066E8925D4C6CBD61CADECF872011 Ref B: LON04EDGE0622 Ref C: 2023-12-23T18:00:53Z
    date: Sat, 23 Dec 2023 18:00:53 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301228_1ZEB78VKDYZSTECLD&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301228_1ZEB78VKDYZSTECLD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 391930
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9ED3009112594D0584A0AEBA1A56AB52 Ref B: LON04EDGE0622 Ref C: 2023-12-23T18:00:53Z
    date: Sat, 23 Dec 2023 18:00:53 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 130982
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 72E0907710154FC384D701F23B194702 Ref B: LON04EDGE0622 Ref C: 2023-12-23T18:00:53Z
    date: Sat, 23 Dec 2023 18:00:53 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301637_1U8S4PA5ZCO5KZ9RL&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301637_1U8S4PA5ZCO5KZ9RL&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 334178
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 421ADE9161214783A74C0DDFC896BFA5 Ref B: LON04EDGE0622 Ref C: 2023-12-23T18:00:55Z
    date: Sat, 23 Dec 2023 18:00:55 GMT
  • flag-us
    DNS
    32.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    32.134.221.88.in-addr.arpa
    IN PTR
    Response
    32.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-32.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    32.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    32.134.221.88.in-addr.arpa
    IN PTR
    Response
    32.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-32.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0.lgw.llnw.net
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0.lgw.llnw.net
  • flag-us
    DNS
    174.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    174.178.17.96.in-addr.arpa
    IN PTR
    Response
    174.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-174.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    174.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    174.178.17.96.in-addr.arpa
    IN PTR
    Response
    174.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-174.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    168.117.168.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.117.168.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    168.117.168.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.117.168.52.in-addr.arpa
    IN PTR
    Response
  • 104.21.73.114:80
    http://zipansion.com/2pRLi
    http
    9ee4059d1c9ae9597e4623aa54eac9af.exe
    483 B
    1.1kB
    7
    4

    HTTP Request

    GET http://zipansion.com/2pRLi

    HTTP Response

    301
  • 20.231.121.79:80
    156 B
    3
  • 104.21.20.204:80
    http://yxeepsek.net/suspended?a=3&u=20186239
    http
    9ee4059d1c9ae9597e4623aa54eac9af.exe
    972 B
    3.2kB
    11
    8

    HTTP Request

    GET http://yxeepsek.net/-36721UNEG/2pRLi?rndad=1502943035-1703354351

    HTTP Response

    302

    HTTP Request

    GET http://yxeepsek.net/suspended?a=3&u=20186239

    HTTP Response

    200
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a9070216c2394c8fbdde1bbf5bc51f1a&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
    tls, http2
    2.4kB
    9.4kB
    23
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a9070216c2394c8fbdde1bbf5bc51f1a&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a9070216c2394c8fbdde1bbf5bc51f1a&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a9070216c2394c8fbdde1bbf5bc51f1a&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=

    HTTP Response

    204
  • 88.221.135.211:80
  • 88.221.135.211:80
  • 88.221.135.211:80
  • 88.221.135.211:80
  • 88.221.135.211:80
  • 88.221.135.211:80
  • 88.221.135.211:80
  • 88.221.135.211:80
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    8.3kB
    20
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.7kB
    8.3kB
    20
    13
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301637_1U8S4PA5ZCO5KZ9RL&pid=21.2&w=1080&h=1920&c=4
    tls, http2
    40.1kB
    1.0MB
    771
    765

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301228_1ZEB78VKDYZSTECLD&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301637_1U8S4PA5ZCO5KZ9RL&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 8.8.8.8:53
    zipansion.com
    dns
    9ee4059d1c9ae9597e4623aa54eac9af.exe
    59 B
    91 B
    1
    1

    DNS Request

    zipansion.com

    DNS Response

    104.21.73.114
    172.67.144.180

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    0.181.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.181.190.20.in-addr.arpa

  • 8.8.8.8:53
    194.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    194.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    yxeepsek.net
    dns
    9ee4059d1c9ae9597e4623aa54eac9af.exe
    58 B
    90 B
    1
    1

    DNS Request

    yxeepsek.net

    DNS Response

    104.21.20.204
    172.67.194.101

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    158 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    114.73.21.104.in-addr.arpa
    dns
    144 B
    134 B
    2
    1

    DNS Request

    114.73.21.104.in-addr.arpa

    DNS Request

    114.73.21.104.in-addr.arpa

  • 8.8.8.8:53
    204.20.21.104.in-addr.arpa
    dns
    144 B
    134 B
    2
    1

    DNS Request

    204.20.21.104.in-addr.arpa

    DNS Request

    204.20.21.104.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    140 B
    156 B
    2
    1

    DNS Request

    9.228.82.20.in-addr.arpa

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    88.156.103.20.in-addr.arpa

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    146 B
    147 B
    2
    1

    DNS Request

    158.240.127.40.in-addr.arpa

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    142 B
    145 B
    2
    1

    DNS Request

    206.23.85.13.in-addr.arpa

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    114.110.16.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    114.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    81.171.91.138.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    81.171.91.138.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    100.5.17.2.in-addr.arpa
    dns
    207 B
    131 B
    3
    1

    DNS Request

    100.5.17.2.in-addr.arpa

    DNS Request

    100.5.17.2.in-addr.arpa

    DNS Request

    100.5.17.2.in-addr.arpa

  • 8.8.8.8:53
    119.110.54.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    119.110.54.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    146 B
    278 B
    2
    2

    DNS Request

    217.135.221.88.in-addr.arpa

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    176.178.17.96.in-addr.arpa
    dns
    144 B
    274 B
    2
    2

    DNS Request

    176.178.17.96.in-addr.arpa

    DNS Request

    176.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    211.135.221.88.in-addr.arpa
    dns
    146 B
    139 B
    2
    1

    DNS Request

    211.135.221.88.in-addr.arpa

    DNS Request

    211.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    79.121.231.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    79.121.231.20.in-addr.arpa

    DNS Request

    79.121.231.20.in-addr.arpa

  • 8.8.8.8:53
    0.204.248.87.in-addr.arpa
    dns
    142 B
    116 B
    2
    1

    DNS Request

    0.204.248.87.in-addr.arpa

    DNS Request

    0.204.248.87.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    11.227.111.52.in-addr.arpa

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    186 B
    173 B
    3
    1

    DNS Request

    tse1.mm.bing.net

    DNS Request

    tse1.mm.bing.net

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    32.134.221.88.in-addr.arpa
    dns
    144 B
    274 B
    2
    2

    DNS Request

    32.134.221.88.in-addr.arpa

    DNS Request

    32.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    142 B
    232 B
    2
    2

    DNS Request

    0.205.248.87.in-addr.arpa

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
  • 8.8.8.8:53
    174.178.17.96.in-addr.arpa
    dns
    144 B
    274 B
    2
    2

    DNS Request

    174.178.17.96.in-addr.arpa

    DNS Request

    174.178.17.96.in-addr.arpa

  • 8.8.8.8:53
  • 8.8.8.8:53
    168.117.168.52.in-addr.arpa
    dns
    146 B
    294 B
    2
    2

    DNS Request

    168.117.168.52.in-addr.arpa

    DNS Request

    168.117.168.52.in-addr.arpa
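
The three HTTP exchanges attributed to the sample process form a link-shortener redirect chain: the 301 from zipansion.com hands off to yxeepsek.net, whose 302 carries a relative Location that lands on an adf.ly "suspended" page (both responses are marked x-powered-by: adfly), so no second stage was delivered in this run. The g.bing.com and tse1.mm.bing.net requests carry a WindowsShellClient or Edge user-agent and no process attribution in the capture, so they are left out. The example below is added here and is not part of the report: it parses the captured Request/Response text (CAPTURE is transcribed from the exchanges above with headers trimmed to the ones used), resolves absolute and relative Location headers against the request URL, and lists the hosts reached.

```python
"""Reconstruct the redirect chain and contacted hosts from a sandbox HTTP capture.

Added example, not part of the report. CAPTURE is transcribed from the three
exchanges recorded for the sample process (headers trimmed to the ones used
here); the parser assumes the report's "Request" / "Response" block layout.
"""
from urllib.parse import urljoin, urlsplit

CAPTURE = """\
Request
GET /2pRLi HTTP/1.1
Host: zipansion.com
Response
HTTP/1.1 301 Moved Permanently
x-powered-by: adfly
location: http://yxeepsek.net/-36721UNEG/2pRLi?rndad=1502943035-1703354351
Request
GET /-36721UNEG/2pRLi?rndad=1502943035-1703354351 HTTP/1.1
Host: yxeepsek.net
Response
HTTP/1.1 302 Found
x-powered-by: adfly
location: /suspended?a=3&u=20186239
Request
GET /suspended?a=3&u=20186239 HTTP/1.1
Host: yxeepsek.net
Response
HTTP/1.1 200 OK
Content-Type: text/html
"""


def parse_capture(text: str, scheme: str = "http") -> list:
    """Split the capture into exchanges {url, status, location}. The request
    URL is rebuilt from the request line and the Host header."""
    exchanges, cur, in_response = [], None, False
    for line in text.splitlines():
        if line == "Request":
            cur = {"path": None, "host": None, "status": None, "location": None}
            exchanges.append(cur)
            in_response = False
        elif line == "Response":
            in_response = True
        elif cur is None:
            continue
        elif not in_response:
            if line.startswith(("GET ", "POST ", "HEAD ")):
                cur["path"] = line.split()[1]
            elif line.lower().startswith("host:"):
                cur["host"] = line.split(":", 1)[1].strip()
        elif line.startswith("HTTP/"):
            cur["status"] = int(line.split()[1])
        elif line.lower().startswith("location:"):
            cur["location"] = line.split(":", 1)[1].strip()
    for ex in exchanges:
        ex["url"] = f"{scheme}://{ex['host']}{ex['path']}"
    return exchanges


def follow_chain(exchanges: list) -> list:
    """Walk the recorded exchanges from the first one, resolving each 3xx
    Location (absolute, or relative as in the 302 above) against the request
    URL. Returns [(url, status), ...]; a last entry with status None means the
    redirect target was never requested in the capture."""
    chain, i = [], 0
    while i < len(exchanges):
        ex = exchanges[i]
        chain.append((ex["url"], ex["status"]))
        if ex["location"] is None or not (300 <= (ex["status"] or 0) < 400):
            break
        target = urljoin(ex["url"], ex["location"])
        nxt = next((j for j in range(i + 1, len(exchanges))
                    if exchanges[j]["url"] == target), None)
        if nxt is None:
            chain.append((target, None))
            break
        i = nxt
    return chain


def hosts_contacted(chain: list) -> list:
    """Distinct hostnames in the chain, for IOC or blocklist output."""
    return sorted({urlsplit(url).hostname for url, _status in chain})
```

The status None case matters in practice: a capture that stops at a 3xx with no matching follow-up request (timeout, sandbox cut-off, or a blocked destination) still yields the unvisited target as an IOC rather than silently dropping it.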

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe

    Filesize

    66KB

    MD5

    937d969628d12a8a13fd9011053cef93

    SHA1

    ce4023d1498aac409ff7c25f72e8f3445d05c322

    SHA256

    9b1284e0b63a0e421100561e1dd34d10bb5b724bb38815a8380d3f5259c94f15

    SHA512

    3fcb6af870a4805983029235ee146b69da8e2ecc8db8bcfe8a973e64792b6694e91276b154734d239fd775c3049f68bfd86e1244f864b75ab678272df875d894

  • memory/564-0-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/564-1-0x0000000001CC0000-0x0000000001DD2000-memory.dmp

    Filesize

    1.1MB

  • memory/564-2-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/564-13-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/2964-16-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/2964-15-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/2964-14-0x0000000001870000-0x0000000001982000-memory.dmp

    Filesize

    1.1MB

  • memory/2964-23-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB
