Analysis
max time kernel: 143s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2024, 01:06 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
  Resource: win10v2004-20240426-en
General
Target: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
Size: 1.2MB
MD5: d4089829797177e6d008fcb4379ce1a0
SHA1: 50286992343b8a628d879cddc53a6eb954436d42
SHA256: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb
SHA512: f28af57f563e9340eef734895702bd95236c764b158c445b3a704e45b56b981eda16c0254b1647eaec290500096abb75940785cc591bbcab84d75373ce26e5ff
SSDEEP: 24576:DAHnh+eWsN3skA4RV1Hom2KXMmHa22yAys4uZRbAgXKzibK5:Oh+ZkldoPK8Ya22yAypuZmgaziE
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect ZGRat V1 (33 IoCs)
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; Process: RegSvcs.exe
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; Process: RegSvcs.exe
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; Process: RegSvcs.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 27; ioc: api.ipify.org
- flow 28; ioc: api.ipify.org
Suspicious use of SetThreadContext (1 IoCs)
- description: PID 1004 set thread context of 4136; Process: 1004 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 87
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 4136; Process: RegSvcs.exe
- pid 4136; Process: RegSvcs.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
- pid 2828; Process: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
- pid 1004; Process: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- description: Token: SeDebugPrivilege; pid 4136; Process: RegSvcs.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
- pid 2828; Process: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
- pid 2828; Process: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
- pid 1004; Process: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
- pid 1004; Process: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
Suspicious use of SendNotifyMessage (4 IoCs)
- pid 2828; Process: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
- pid 2828; Process: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
- pid 1004; Process: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
- pid 1004; Process: 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
- pid 4136; Process: RegSvcs.exe
Suspicious use of WriteProcessMemory (10 IoCs)
- description: PID 2828 wrote to memory of 856; Process: 2828 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 85
- description: PID 2828 wrote to memory of 856; Process: 2828 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 85
- description: PID 2828 wrote to memory of 856; Process: 2828 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 85
- description: PID 2828 wrote to memory of 1004; Process: 2828 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 86
- description: PID 2828 wrote to memory of 1004; Process: 2828 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 86
- description: PID 2828 wrote to memory of 1004; Process: 2828 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 86
- description: PID 1004 wrote to memory of 4136; Process: 1004 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 87
- description: PID 1004 wrote to memory of 4136; Process: 1004 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 87
- description: PID 1004 wrote to memory of 4136; Process: 1004 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 87
- description: PID 1004 wrote to memory of 4136; Process: 1004 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe; procid_target: 87
outlook_office_path (1 IoCs)
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; Process: RegSvcs.exe
outlook_win_path (1 IoCs)
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; Process: RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2828
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe"
      PID: 856
    C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 1004
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe"
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - outlook_office_path
          - outlook_win_path
          PID: 4136
Network
-
Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
-
Remote address: 8.8.8.8:53
Request: g.bing.com IN A
Response:
  g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
  g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
  dual-a-0034.a-msedge.net IN A 204.79.197.237
  dual-a-0034.a-msedge.net IN A 13.107.21.237
-
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
Remote address: 204.79.197.237:443
Request:
GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=28B25DF4EE516064343C4983EFEA6144; domain=.bing.com; expires=Sat, 31-May-2025 01:07:03 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 51E0A2FEA30F4A05BC82CBDAF04E30FB Ref B: LON04EDGE0817 Ref C: 2024-05-06T01:07:03Z
date: Mon, 06 May 2024 01:07:02 GMT
-
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
Remote address: 204.79.197.237:443
Request:
GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=28B25DF4EE516064343C4983EFEA6144; _EDGE_S=SID=2C9DE64AF1216EFA1A2BF23DF0E16F56
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=h86KTWzgZHc1eGlEWgTZJHpvkCVLPTsxuu42Nd6C0fw; domain=.bing.com; expires=Sat, 31-May-2025 01:07:03 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3159BEFDB89D4AB8BB79FC2BB139220C Ref B: LON04EDGE0817 Ref C: 2024-05-06T01:07:03Z
date: Mon, 06 May 2024 01:07:02 GMT
-
Remote address: 8.8.8.8:53
Request: 183.142.211.20.in-addr.arpa IN PTR
Response: (empty)
-
GET https://www.bing.com/aes/c.gif?RG=f104fe95b8b6409b9e96596a797de630&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132257Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
Remote address: 23.62.61.194:443
Request:
GET /aes/c.gif?RG=f104fe95b8b6409b9e96596a797de630&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132257Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=28B25DF4EE516064343C4983EFEA6144
Response:
HTTP/2.0 200
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2F42AC19AFC24CC591429848F3CA25A7 Ref B: DUS30EDGE0306 Ref C: 2024-05-06T01:07:03Z
content-length: 0
date: Mon, 06 May 2024 01:07:03 GMT
set-cookie: _EDGE_S=SID=2C9DE64AF1216EFA1A2BF23DF0E16F56; path=/; httponly; domain=bing.com
set-cookie: MUIDB=28B25DF4EE516064343C4983EFEA6144; path=/; httponly; expires=Sat, 31-May-2025 01:07:03 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1714957623.210f248
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 237.197.79.204.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 194.61.62.23.in-addr.arpa IN PTR
Response: 194.61.62.23.in-addr.arpa IN PTR a23-62-61-194.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 133.32.126.40.in-addr.arpa IN PTR
Response: (empty)
-
GET https://www.bing.com/th?id=OADD2.10239338877209_1W0BYALNC7PUDJ3J3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
Remote address: 23.62.61.194:443
Request:
GET /th?id=OADD2.10239338877209_1W0BYALNC7PUDJ3J3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=28B25DF4EE516064343C4983EFEA6144; _EDGE_S=SID=2C9DE64AF1216EFA1A2BF23DF0E16F56; MSPTC=h86KTWzgZHc1eGlEWgTZJHpvkCVLPTsxuu42Nd6C0fw; MUIDB=28B25DF4EE516064343C4983EFEA6144
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 457
date: Mon, 06 May 2024 01:07:07 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1714957627.210f4cb
-
Remote address: 8.8.8.8:53
Request: 88.156.103.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: api.ipify.org IN A
Response:
  api.ipify.org IN A 104.26.13.205
  api.ipify.org IN A 104.26.12.205
  api.ipify.org IN A 172.67.74.152
-
Remote address: 104.26.13.205:443
Request:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 87f512588f879409-LHR
-
Remote address: 8.8.8.8:53
Request: 205.13.26.104.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 103.169.127.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 198.187.3.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 31.121.18.2.in-addr.arpa IN PTR
Response: 31.121.18.2.in-addr.arpa IN PTR a2-18-121-31.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 13.227.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: tse1.mm.bing.net IN A
Response:
  tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
  mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net
  dual-a-0001.a-msedge.net IN A 204.79.197.200
  dual-a-0001.a-msedge.net IN A 13.107.21.200
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 634564
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F3DA7279CD9340A2BE3050FD7389499F Ref B: LON04EDGE0722 Ref C: 2024-05-06T01:08:45Z
date: Mon, 06 May 2024 01:08:44 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 449656
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D4A23B587B5F4F5CA7B286A8247726D2 Ref B: LON04EDGE0722 Ref C: 2024-05-06T01:08:45Z
date: Mon, 06 May 2024 01:08:44 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 468637
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6334538AAB55471EBD5DFBB5901EA2DB Ref B: LON04EDGE0722 Ref C: 2024-05-06T01:08:45Z
date: Mon, 06 May 2024 01:08:44 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 10E74A9A6267475C9BAA109BFA703A5E Ref B: LON04EDGE0722 Ref C: 2024-05-06T01:08:45Z
date: Mon, 06 May 2024 01:08:44 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8B419AFDA9AB43D492522BA7B5ED4D42 Ref B: LON04EDGE0722 Ref C: 2024-05-06T01:08:45Z
date: Mon, 06 May 2024 01:08:44 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 637660
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5D9FE7D95A2741CB979050070DC16FF2 Ref B: LON04EDGE0722 Ref C: 2024-05-06T01:08:45Z
date: Mon, 06 May 2024 01:08:44 GMT
-
Remote address: 8.8.8.8:53
Request: 26.35.223.20.in-addr.arpa IN PTR
Response: (empty)
-
HTTP flows (address; URL; protocol; bytes sent / bytes received; packet counts)
-
204.79.197.237:443; https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4; tls, http2; 2.5kB / 9.0kB; 20 17
  HTTP Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
  HTTP Response: 204
-
23.62.61.194:443; https://www.bing.com/aes/c.gif?RG=f104fe95b8b6409b9e96596a797de630&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132257Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644; tls, http2; 1.5kB / 5.4kB; 17 11
  HTTP Request: GET https://www.bing.com/aes/c.gif?RG=f104fe95b8b6409b9e96596a797de630&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132257Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
  HTTP Response: 200
-
23.62.61.194:443; https://www.bing.com/th?id=OADD2.10239338877209_1W0BYALNC7PUDJ3J3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90; tls, http2; 1.6kB / 5.8kB; 17 13
  HTTP Request: GET https://www.bing.com/th?id=OADD2.10239338877209_1W0BYALNC7PUDJ3J3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
  HTTP Response: 200
-
(address not listed); 900 B / 5.5kB; 10 10
  HTTP Request: GET https://api.ipify.org/
  HTTP Response: 200
-
(address not listed); 1.2kB / 8.1kB; 16 14
-
(address not listed); 1.2kB / 8.1kB; 16 14
-
(address not listed); 1.2kB / 8.1kB; 16 14
-
204.79.197.200:443; https://tse1.mm.bing.net/th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90; tls, http2; 115.3kB / 3.1MB; 2296 2290
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Response: 200
  HTTP Response: 200
  HTTP Response: 200
  HTTP Response: 200
  HTTP Response: 200
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Response: 200
-
(address not listed); 1.2kB / 8.1kB; 16 14
-
DNS flows (bytes sent / bytes received; packet counts)
-
66 B / 90 B; 1 1
  DNS Request: 8.8.8.8.in-addr.arpa
-
56 B / 151 B; 1 1
  DNS Request: g.bing.com
  DNS Response: 204.79.197.237, 13.107.21.237
-
73 B / 159 B; 1 1
  DNS Request: 183.142.211.20.in-addr.arpa
-
74 B / 128 B; 1 1
  DNS Request: 172.210.232.199.in-addr.arpa
-
73 B / 143 B; 1 1
  DNS Request: 237.197.79.204.in-addr.arpa
-
73 B / 144 B; 1 1
  DNS Request: 95.221.229.192.in-addr.arpa
-
71 B / 135 B; 1 1
  DNS Request: 194.61.62.23.in-addr.arpa
-
72 B / 158 B; 1 1
  DNS Request: 133.32.126.40.in-addr.arpa
-
72 B / 158 B; 1 1
  DNS Request: 88.156.103.20.in-addr.arpa
-
59 B / 107 B; 1 1
  DNS Request: api.ipify.org
  DNS Response: 104.26.13.205, 104.26.12.205, 172.67.74.152
-
72 B / 134 B; 1 1
  DNS Request: 205.13.26.104.in-addr.arpa
-
73 B / 147 B; 1 1
  DNS Request: 103.169.127.40.in-addr.arpa
-
71 B / 157 B; 1 1
  DNS Request: 198.187.3.20.in-addr.arpa
-
70 B / 133 B; 1 1
  DNS Request: 31.121.18.2.in-addr.arpa
-
72 B / 158 B; 1 1
  DNS Request: 13.227.111.52.in-addr.arpa
-
62 B / 173 B; 1 1
  DNS Request: tse1.mm.bing.net
  DNS Response: 204.79.197.200, 13.107.21.200
-
71 B / 157 B; 1 1
  DNS Request: 26.35.223.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 28KB
MD5: 4ffec10d00da56c6aebb0f6f646db6bc
SHA1: fa4a97a74c5171566934d48071d3bc9e55722885
SHA256: d303f72f829a1ef0454eb3f150a89cc1900138462f51bf8f18bf292b75b39ee9
SHA512: e29345d912384c1fb0cab977765df3abb26b4838b4e38eb4ac71d14433f14deb7cee7f2a5afa0c38a03ed9d581c0ad58003d9fcb2705239694d41be52afa146f