Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 04:12 UTC

General

  • Target

    0e0ab3177cc45d1c11bc77f22026c0ba.exe

  • Size

    385KB

  • MD5

    0e0ab3177cc45d1c11bc77f22026c0ba

  • SHA1

    948548f806353d1ac75b01ae0498efec65acd641

  • SHA256

    81ccd696803de8f045d6ff27d50bc5285750ee69f65e099f3f59a9aa4c583a32

  • SHA512

    51b5c660ff8785505d362c07d2e1618a31c047d80ce1080b2fe7cc46716e886da928d71715d14eb350397267a38bae507cd36415747353c7779017b3761ac790

  • SSDEEP

    12288:d6FO+5F9d8A4hX6Dpr28J9ZHCQZXQiunxbr2mNYxeeB:d6FdDIA45opK8TZH/ZXQ9n5rUPB

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e0ab3177cc45d1c11bc77f22026c0ba.exe
    "C:\Users\Admin\AppData\Local\Temp\0e0ab3177cc45d1c11bc77f22026c0ba.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3340
    • C:\Users\Admin\AppData\Local\Temp\0e0ab3177cc45d1c11bc77f22026c0ba.exe
      C:\Users\Admin\AppData\Local\Temp\0e0ab3177cc45d1c11bc77f22026c0ba.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:3360

Network

  • DNS (US)
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    pastebin.com
    0e0ab3177cc45d1c11bc77f22026c0ba.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.68.143
    pastebin.com
    IN A
    172.67.34.170
    pastebin.com
    IN A
    104.20.67.143
  • GET (US)
    https://pastebin.com/raw/ubFNTPjt
    0e0ab3177cc45d1c11bc77f22026c0ba.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Sat, 30 Dec 2023 21:15:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 233
    Server: cloudflare
    CF-RAY: 83dd4c861ddd3da0-LHR
  • DNS (US)
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • DNS (US)
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • DNS (US)
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • DNS (US)
    143.68.20.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    143.68.20.104.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    143.68.20.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    143.68.20.104.in-addr.arpa
    IN PTR
  • DNS (US)
    81.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.179.17.96.in-addr.arpa
    IN PTR
    Response
    81.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-81.deploy.static.akamaitechnologies.com
  • DNS (US)
    6.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    6.181.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=96e0f01cdf8449959bc5791f53cef8d7&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=96e0f01cdf8449959bc5791f53cef8d7&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3BF0BD73C3ED6258326DAE84C2CA63C6; domain=.bing.com; expires=Thu, 23-Jan-2025 21:15:35 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BF6A5933E1234FCDA0DD2D7672410A49 Ref B: LON04EDGE0616 Ref C: 2023-12-30T21:15:35Z
    date: Sat, 30 Dec 2023 21:15:35 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=96e0f01cdf8449959bc5791f53cef8d7&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=96e0f01cdf8449959bc5791f53cef8d7&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3BF0BD73C3ED6258326DAE84C2CA63C6
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=Oljc1LAvok1WfGhY45ey9mAQoWy44pyuVoSCEpW1pOs; domain=.bing.com; expires=Thu, 23-Jan-2025 21:15:35 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E3885BC8206D4429BACB0CC2AFDCD522 Ref B: LON04EDGE0616 Ref C: 2023-12-30T21:15:35Z
    date: Sat, 30 Dec 2023 21:15:35 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=96e0f01cdf8449959bc5791f53cef8d7&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=96e0f01cdf8449959bc5791f53cef8d7&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3BF0BD73C3ED6258326DAE84C2CA63C6; MSPTC=Oljc1LAvok1WfGhY45ey9mAQoWy44pyuVoSCEpW1pOs
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D5126E7687C3455AB6EA88B5DE526905 Ref B: LON04EDGE0616 Ref C: 2023-12-30T21:15:36Z
    date: Sat, 30 Dec 2023 21:15:35 GMT
  • DNS (US)
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • DNS (US)
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
  • DNS (US)
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
  • DNS (US)
    19.53.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.53.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41.deploy.static.akamaitechnologies.com
  • DNS (US)
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    183.1.37.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.1.37.23.in-addr.arpa
    IN PTR
    Response
    183.1.37.23.in-addr.arpa
    IN PTR
    a23-37-1-183.deploy.static.akamaitechnologies.com
  • DNS (US)
    28.160.77.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.160.77.104.in-addr.arpa
    IN PTR
    Response
    28.160.77.104.in-addr.arpa
    IN PTR
    a104-77-160-28.deploy.static.akamaitechnologies.com
  • DNS (US)
    119.110.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    119.110.54.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    68.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.179.17.96.in-addr.arpa
    IN PTR
    Response
    68.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-68.deploy.static.akamaitechnologies.com
  • DNS (US)
    60.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.179.17.96.in-addr.arpa
    IN PTR
    Response
    60.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-60.deploy.static.akamaitechnologies.com
  • DNS (US)
    60.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.179.17.96.in-addr.arpa
    IN PTR
  • DNS (US)
    60.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.179.17.96.in-addr.arpa
    IN PTR
  • DNS (US)
    23.160.77.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.160.77.104.in-addr.arpa
    IN PTR
    Response
    23.160.77.104.in-addr.arpa
    IN PTR
    a104-77-160-23.deploy.static.akamaitechnologies.com
  • DNS (US)
    23.160.77.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.160.77.104.in-addr.arpa
    IN PTR
  • DNS (US)
    23.160.77.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.160.77.104.in-addr.arpa
    IN PTR
  • DNS (US)
    61.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    61.179.17.96.in-addr.arpa
    IN PTR
    Response
    61.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-61.deploy.static.akamaitechnologies.com
  • DNS (US)
    61.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    61.179.17.96.in-addr.arpa
    IN PTR
    Response
    61.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-61.deploy.static.akamaitechnologies.com
  • DNS (US)
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    79.121.231.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.121.231.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    79.121.231.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.121.231.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
  • DNS (US)
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
  • DNS (US)
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • DNS (US)
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301025_159EZPKLFPK71SUGC&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301025_159EZPKLFPK71SUGC&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 408529
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F6FF8721C34844719AB4005DD47B9D5C Ref B: LON04EDGE1205 Ref C: 2023-12-30T21:17:16Z
    date: Sat, 30 Dec 2023 21:17:15 GMT
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301401_1XGW1M12B4WHFUL40&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301401_1XGW1M12B4WHFUL40&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 476492
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4E6D32775EC5424588BB9D497F44E799 Ref B: LON04EDGE1205 Ref C: 2023-12-30T21:17:16Z
    date: Sat, 30 Dec 2023 21:17:15 GMT
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301677_1FP9ECAH39HYIUM37&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301677_1FP9ECAH39HYIUM37&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 353257
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8B6FC0E9683D4FD0993039F4A9E802A8 Ref B: LON04EDGE1205 Ref C: 2023-12-30T21:17:16Z
    date: Sat, 30 Dec 2023 21:17:15 GMT
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301458_1O5GXDV85M53L16NQ&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301458_1O5GXDV85M53L16NQ&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 416984
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7058CB0686754005BA9B7B2B3D1009D3 Ref B: LON04EDGE1205 Ref C: 2023-12-30T21:17:17Z
    date: Sat, 30 Dec 2023 21:17:16 GMT
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317300968_1TBBEB34P4CM6N716&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317300968_1TBBEB34P4CM6N716&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 405009
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D888C33D91C645B2866BD4BD3D29199A Ref B: LON04EDGE1205 Ref C: 2023-12-30T21:17:18Z
    date: Sat, 30 Dec 2023 21:17:17 GMT
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301268_19Y3KTBXK9Q1B7ID1&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301268_19Y3KTBXK9Q1B7ID1&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 408784
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 59DBB46A6D034E9AA23052130F91EA13 Ref B: LON04EDGE1205 Ref C: 2023-12-30T21:17:18Z
    date: Sat, 30 Dec 2023 21:17:17 GMT
  • DNS (US)
    134.71.91.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.71.91.104.in-addr.arpa
    IN PTR
    Response
    134.71.91.104.in-addr.arpa
    IN PTR
    a104-91-71-134.deploy.static.akamaitechnologies.com
  • DNS (US)
    134.71.91.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.71.91.104.in-addr.arpa
    IN PTR
  • DNS (US)
    55.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.179.17.96.in-addr.arpa
    IN PTR
    Response
    55.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-55.deploy.static.akamaitechnologies.com
  • DNS (US)
    55.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.179.17.96.in-addr.arpa
    IN PTR
  • DNS (US)
    192.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    192.178.17.96.in-addr.arpa
    IN PTR
    Response
    192.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-192.deploy.static.akamaitechnologies.com
  • DNS (US)
    192.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    192.178.17.96.in-addr.arpa
    IN PTR
    Response
    192.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-192.deploy.static.akamaitechnologies.com
  • DNS (US)
    48.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.179.17.96.in-addr.arpa
    IN PTR
    Response
    48.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-48.deploy.static.akamaitechnologies.com
  • DNS (US)
    48.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.179.17.96.in-addr.arpa
    IN PTR
    Response
    48.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-48.deploy.static.akamaitechnologies.com
  • DNS (US)
    210.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    210.178.17.96.in-addr.arpa
    IN PTR
    Response
    210.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-210.deploy.static.akamaitechnologies.com
  • DNS (US)
    210.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    210.178.17.96.in-addr.arpa
    IN PTR
    Response
    210.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-210.deploy.static.akamaitechnologies.com
  • DNS (US)
    140.71.91.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.71.91.104.in-addr.arpa
    IN PTR
    Response
    140.71.91.104.in-addr.arpa
    IN PTR
    a104-91-71-140.deploy.static.akamaitechnologies.com
  • DNS (US)
    140.71.91.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.71.91.104.in-addr.arpa
    IN PTR
  • 104.20.68.143:443
    https://pastebin.com/raw/ubFNTPjt
    tls, http
    0e0ab3177cc45d1c11bc77f22026c0ba.exe
    1.4kB
    4.6kB
    14
    8

    HTTP Request

    GET https://pastebin.com/raw/ubFNTPjt

    HTTP Response

    404
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=96e0f01cdf8449959bc5791f53cef8d7&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    tls, http2
    2.3kB
    9.9kB
    23
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=96e0f01cdf8449959bc5791f53cef8d7&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=96e0f01cdf8449959bc5791f53cef8d7&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=96e0f01cdf8449959bc5791f53cef8d7&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

    HTTP Response

    204
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    10.6kB
    17
    15
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301268_19Y3KTBXK9Q1B7ID1&pid=21.2&w=1920&h=1080&c=4
    tls, http2
    92.6kB
    2.6MB
    1874
    1867

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301025_159EZPKLFPK71SUGC&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301401_1XGW1M12B4WHFUL40&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301677_1FP9ECAH39HYIUM37&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301458_1O5GXDV85M53L16NQ&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317300968_1TBBEB34P4CM6N716&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301268_19Y3KTBXK9Q1B7ID1&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    8.3kB
    17
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.7kB
    13.2kB
    19
    14
  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    pastebin.com
    dns
    0e0ab3177cc45d1c11bc77f22026c0ba.exe
    58 B
    106 B
    1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.68.143
    172.67.34.170
    104.20.67.143

  • 8.8.8.8:53
    g.bing.com
    dns
    168 B
    158 B
    3
    1

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    143.68.20.104.in-addr.arpa
    dns
    144 B
    134 B
    2
    1

    DNS Request

    143.68.20.104.in-addr.arpa

    DNS Request

    143.68.20.104.in-addr.arpa

  • 8.8.8.8:53
    81.179.17.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    81.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    6.181.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    6.181.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    146 B
    106 B
    2
    1

    DNS Request

    200.197.79.204.in-addr.arpa

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    144 B
    146 B
    2
    1

    DNS Request

    157.123.68.40.in-addr.arpa

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    19.53.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    19.53.126.40.in-addr.arpa

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    183.1.37.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    183.1.37.23.in-addr.arpa

  • 8.8.8.8:53
    28.160.77.104.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    28.160.77.104.in-addr.arpa

  • 8.8.8.8:53
    119.110.54.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    119.110.54.20.in-addr.arpa

  • 8.8.8.8:53
    68.179.17.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    68.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    60.179.17.96.in-addr.arpa
    dns
    213 B
    135 B
    3
    1

    DNS Request

    60.179.17.96.in-addr.arpa

    DNS Request

    60.179.17.96.in-addr.arpa

    DNS Request

    60.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    23.160.77.104.in-addr.arpa
    dns
    216 B
    137 B
    3
    1

    DNS Request

    23.160.77.104.in-addr.arpa

    DNS Request

    23.160.77.104.in-addr.arpa

    DNS Request

    23.160.77.104.in-addr.arpa

  • 8.8.8.8:53
    61.179.17.96.in-addr.arpa
    dns
    142 B
    270 B
    2
    2

    DNS Request

    61.179.17.96.in-addr.arpa

    DNS Request

    61.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    142 B
    314 B
    2
    2

    DNS Request

    43.58.199.20.in-addr.arpa

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    79.121.231.20.in-addr.arpa
    dns
    144 B
    316 B
    2
    2

    DNS Request

    79.121.231.20.in-addr.arpa

    DNS Request

    79.121.231.20.in-addr.arpa

  • 8.8.8.8:53
    31.243.111.52.in-addr.arpa
    dns
    216 B
    158 B
    3
    1

    DNS Request

    31.243.111.52.in-addr.arpa

    DNS Request

    31.243.111.52.in-addr.arpa

    DNS Request

    31.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    142 B
    314 B
    2
    2

    DNS Request

    26.35.223.20.in-addr.arpa

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    124 B
    173 B
    2
    1

    DNS Request

    tse1.mm.bing.net

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    134.71.91.104.in-addr.arpa
    dns
    144 B
    137 B
    2
    1

    DNS Request

    134.71.91.104.in-addr.arpa

    DNS Request

    134.71.91.104.in-addr.arpa

  • 8.8.8.8:53
    55.179.17.96.in-addr.arpa
    dns
    142 B
    135 B
    2
    1

    DNS Request

    55.179.17.96.in-addr.arpa

    DNS Request

    55.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    192.178.17.96.in-addr.arpa
    dns
    144 B
    274 B
    2
    2

    DNS Request

    192.178.17.96.in-addr.arpa

    DNS Request

    192.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    48.179.17.96.in-addr.arpa
    dns
    142 B
    270 B
    2
    2

    DNS Request

    48.179.17.96.in-addr.arpa

    DNS Request

    48.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    210.178.17.96.in-addr.arpa
    dns
    144 B
    274 B
    2
    2

    DNS Request

    210.178.17.96.in-addr.arpa

    DNS Request

    210.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    140.71.91.104.in-addr.arpa
    dns
    144 B
    137 B
    2
    1

    DNS Request

    140.71.91.104.in-addr.arpa

    DNS Request

    140.71.91.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0e0ab3177cc45d1c11bc77f22026c0ba.exe

    Filesize

    111KB

    MD5

    6907818c80f8d056c89e8a198f1ce209

    SHA1

    36d7fa733df6f404c53ac3b4551645b44033655c

    SHA256

    2c9ebc72ca87b80949212d6e14aa0c11a0afbb368c532c58dd16da9680811215

    SHA512

    0d18d8959bf3610cc4999a6816dc5ecd875b246218fd100f17f2536f27b99ba3c68d69702d52854617da1fcb5b5a5ebf5205835a30d8b5f2bbdaf0cf5c5104ee

  • memory/3340-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/3340-1-0x00000000015B0000-0x0000000001616000-memory.dmp

    Filesize

    408KB

  • memory/3340-2-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/3340-11-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/3360-14-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/3360-20-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/3360-22-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

    Filesize

    380KB

  • memory/3360-16-0x0000000001600000-0x0000000001666000-memory.dmp

    Filesize

    408KB

  • memory/3360-32-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3360-38-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3360-36-0x000000000D660000-0x000000000D69C000-memory.dmp

    Filesize

    240KB