Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 11:12 UTC

General

  • Target

    2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe

  • Size

    514KB

  • MD5

    90f4e7656cd4f2ff21d306e9a2127aa8

  • SHA1

    d7c5ac2b853e2ffb6281a91e1d48a652fdb4ab4b

  • SHA256

    2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7

  • SHA512

    cc4a87aab9ee3c6290dd6eefd14e2297f24f9738cad755bb462d402ab408fdbd27d196e5a44475e3a4296c0f959305d645187297fa12f76464f652d040651e15

  • SSDEEP

    12288:kMrvy90pmeitVqabcxZthOFvD2ZT58iro7:7yAitsKcxZtsvCLE

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

  1. 006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514
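
The rc4.plain and strings_key values above are what an analyst feeds to a decryptor to recover the sample's encrypted strings. The following is an added example written for this page, not tria.ge's or Amadey's code: a plain RC4 keyed with the rc4.plain value. It assumes the 32-character key is used byte-for-byte as ASCII (not hex-decoded), and the encrypted blob it decodes is constructed here by encrypting the config's own C2 path with that key, so nothing below is data pulled from the binary.

```python
"""RC4 string decryption keyed with the rc4.plain value from the Amadey config.

Added example, not tria.ge or Amadey code.  Assumption: the key is the
32-character ASCII string used byte-for-byte.  SAMPLE_BLOB_HEX is built
here by encrypting the config's url_paths value with that key; it is a
constructed input, not a blob carved from the sample.
"""

AMADEY_RC4_KEY = b"006700e5a2ab05704bbb0c589b88924d"   # rc4.plain from the config
AMADEY_STRINGS_KEY = b"ada76b8b0e1f6892ee93c20ab8946117"  # strings_key, same shape


def rc4(key: bytes, data: bytes) -> bytes:
    """Symmetric RC4: the same call encrypts and decrypts."""
    # Key-scheduling algorithm: permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: XOR each data byte with the next keystream byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string(blob_hex: str, key: bytes = AMADEY_RC4_KEY) -> str:
    """Decode one hex-encoded RC4 blob with the config key (latin-1 never fails)."""
    return rc4(key, bytes.fromhex(blob_hex)).decode("latin-1")


# Constructed sample: the C2 path from the config, encrypted with the config key.
SAMPLE_PLAINTEXT = "/rock/index.php"
SAMPLE_BLOB_HEX = rc4(AMADEY_RC4_KEY, SAMPLE_PLAINTEXT.encode("latin-1")).hex()

if __name__ == "__main__":
    print("blob   :", SAMPLE_BLOB_HEX)
    print("decoded:", decrypt_string(SAMPLE_BLOB_HEX))
```

In practice the blobs come from the binary's string table and are tried with both keys; a wrong key yields unprintable output, which is the quickest sanity check that the key and its byte form are right.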

Signatures

  • Amadey

    Amadey is a simple trojan bot primarily used to collect reconnaissance information about the infected host.

  • Detects Healer, an antivirus-disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus-disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    SmokeLoader is a modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI device information is often read to detect virtualised or sandboxed environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    schtasks is often used by malware for persistence or to run post-infection payloads.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe
    "C:\Users\Admin\AppData\Local\Temp\2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1776
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4980
          • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4476
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4760
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4076
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:3708
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:N"
                7⤵
                PID:3328
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:R" /E
                7⤵
                PID:2296
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:640
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:N"
                7⤵
                PID:728
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:R" /E
                7⤵
                PID:2352
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exe
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:2600
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exe
      2⤵
      • Executes dropped EXE
      PID:1512
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:3260
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:3704
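
The chain under pdates.exe is the Amadey install routine: schtasks re-launches the copy every minute (/SC MINUTE /MO 1) from the 925e7e99c5 directory named in the config, and each cacls pair first replaces the ACL on pdates.exe and its directory with no access for the logged-on user (/P "Admin:N", which without /E rewrites the whole ACL) and then edits it back to read-only (/P "Admin:R" /E), so the user can still see the file but not delete or overwrite it. The two pdates.exe entries at depth 1 are the scheduled task firing. Below is added detection logic for that chain and for the Signatures entries it ties to (execution from IXP00x.TMP IExpress extraction directories, a Run key pointing into Temp, and Defender real-time-protection policy changes). It is an example written for this page, not tria.ge or Amadey code; it evaluates constructed Sysmon-style events whose command lines are copied from the tree above, while the registry paths and values, the event field names and the benign control event are my own assumptions.

```python
"""Detection rules for the persistence and tamper chain in this process tree.

Added example, not tria.ge code.  Events are constructed in the shape of
Sysmon process-creation (EID 1) and registry-value-set (EID 13) records;
the command lines are taken from the report, everything else is assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    kind: str            # "process" (EID 1) or "registry" (EID 13)
    image: str = ""      # Image of the process (or of the writer, for EID 13)
    cmdline: str = ""    # CommandLine, EID 1 only
    target: str = ""     # TargetObject, EID 13 only
    details: str = ""    # Details (the value data), EID 13 only


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
IEXPRESS_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)          # IExpress SFX work dirs
SCHTASKS_MINUTE = re.compile(r"/SC\s+MINUTE\s+/MO\s+1(\s|$)", re.I)
CACLS_DENY_USER = re.compile(r'cacls\s+"[^"]+"\s+/P\s+"[^":]+:N"', re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DEFENDER_RTP_POLICY = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)


def classify(ev: Event) -> list[str]:
    """Return the names of every rule the event matches (empty = nothing suspicious)."""
    hits: list[str] = []
    if ev.kind == "process":
        if IEXPRESS_DIR.search(ev.image):
            hits.append("exec_from_iexpress_tmp")
        if (ev.image.lower().endswith("\\schtasks.exe")
                and SCHTASKS_MINUTE.search(ev.cmdline)
                and TEMP_DIR.search(ev.cmdline)):
            hits.append("minute_task_into_temp")
        if CACLS_DENY_USER.search(ev.cmdline):      # only the :N (deny) step, not :R
            hits.append("cacls_deny_user_on_payload")
    elif ev.kind == "registry":
        if RUN_KEY.search(ev.target) and TEMP_DIR.search(ev.details):
            hits.append("run_key_into_temp")
        # Sysmon renders DWORD data as "DWORD (0x00000001)"; 1 disables the feature.
        if DEFENDER_RTP_POLICY.search(ev.target) and ev.details == "DWORD (0x00000001)":
            hits.append("defender_rtp_disabled")
    return hits


def scan(events: list[Event]) -> dict[str, list[int]]:
    """Map each rule that fired to the sorted PIDs that triggered it."""
    out: dict[str, list[int]] = {}
    for ev in events:
        for rule in classify(ev):
            out.setdefault(rule, []).append(ev.pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe"
EVENTS = [  # constructed from the report's process tree
    Event(3796, "process", image=TEMP + r"\IXP000.TMP\v7811642.exe",
          cmdline=TEMP + r"\IXP000.TMP\v7811642.exe"),
    Event(4760, "process", image=r"C:\Windows\SysWOW64\schtasks.exe",
          cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe '
                  r'/TR "' + TEMP + r'\925e7e99c5\pdates.exe" /F'),
    Event(3328, "process", image=r"C:\Windows\SysWOW64\cacls.exe",
          cmdline=r'CACLS "pdates.exe" /P "Admin:N"'),
    Event(2296, "process", image=r"C:\Windows\SysWOW64\cacls.exe",
          cmdline=r'CACLS "pdates.exe" /P "Admin:R" /E'),     # the grant step: no hit
    # Registry events: assumed shapes for the listed signatures, not from the report.
    Event(1776, "registry", image=TEMP + r"\IXP002.TMP\a4426601.exe",
          target=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
          details="DWORD (0x00000001)"),
    Event(4460, "registry", image=TEMP + "\\" + SAMPLE,
          target=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\pdates.exe",
          details=TEMP + r"\925e7e99c5\pdates.exe"),
    # Benign control: a daily task from Program Files must not fire.
    Event(9001, "process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'),
]

if __name__ == "__main__":
    for rule, pids in scan(EVENTS).items():
        print(f"{rule:28s} PIDs {pids}")
```

The rules key on command-line shape rather than on file names, so a build with a different install_dir or install_file still fires; the Defender rule matches only a value of 1 because an administrator resetting the same policy to 0 produces an otherwise identical event.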

Network

The bing.com traffic below carries the Windows shell's own user-agents (WindowsShellClient for the Start-menu ad impressions, the Edge/18.19041 string for the lock-screen image fetches from tse1.mm.bing.net) and is the sandbox host's background activity rather than the sample's. The sample's own connections are the ones to 77.91.68.61:80 (pdates.exe, the Amadey C2) and 77.91.68.68:19071 (d2061509.exe, the RedLine C2); in the connection summary each shows only bytes and packets sent, with no reply recorded.

  • [US] DNS g.bing.com (resolver 8.8.8.8:53)
    Request: g.bing.com IN A
    Response:
      g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net IN A 204.79.197.237
      dual-a-0034.a-msedge.net IN A 13.107.21.237
  • [US] DNS 8.8.8.8.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • [US] DNS 154.239.44.20.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 154.239.44.20.in-addr.arpa IN PTR
    Response: (none)
  • [US] GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DZTdE5AFzgYim3_2b2y5YjVUCUzG2VhPAik-T73i2Mz5JUPuyPpe88UvStvo_BuLPr3si1ptncm7zAEqBmrdKO883YTxBEhkBrA_as5osk6IJyz_9IIghxZA-PWt_xhU3gX4pRD3Gpd5XoJx0WzTH8uhzT2af35vKgHTU3hlXLJYjwsC%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0aa0756afdfd1a0b87d313415ae7918e&TIME=20240426T130810Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    Remote address: 204.79.197.237:443
    Request:
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DZTdE5AFzgYim3_2b2y5YjVUCUzG2VhPAik-T73i2Mz5JUPuyPpe88UvStvo_BuLPr3si1ptncm7zAEqBmrdKO883YTxBEhkBrA_as5osk6IJyz_9IIghxZA-PWt_xhU3gX4pRD3Gpd5XoJx0WzTH8uhzT2af35vKgHTU3hlXLJYjwsC%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0aa0756afdfd1a0b87d313415ae7918e&TIME=20240426T130810Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=3307E40E2FB567FD3E3EF0742E5566D7; domain=.bing.com; expires=Tue, 03-Jun-2025 11:33:20 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 042FD318842A41D09557D9D67F680131 Ref B: LON04EDGE1222 Ref C: 2024-05-09T11:33:20Z
      date: Thu, 09 May 2024 11:33:19 GMT
  • [US] GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DZTdE5AFzgYim3_2b2y5YjVUCUzG2VhPAik-T73i2Mz5JUPuyPpe88UvStvo_BuLPr3si1ptncm7zAEqBmrdKO883YTxBEhkBrA_as5osk6IJyz_9IIghxZA-PWt_xhU3gX4pRD3Gpd5XoJx0WzTH8uhzT2af35vKgHTU3hlXLJYjwsC%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0aa0756afdfd1a0b87d313415ae7918e&TIME=20240426T130810Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    Remote address: 204.79.197.237:443
    Request:
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DZTdE5AFzgYim3_2b2y5YjVUCUzG2VhPAik-T73i2Mz5JUPuyPpe88UvStvo_BuLPr3si1ptncm7zAEqBmrdKO883YTxBEhkBrA_as5osk6IJyz_9IIghxZA-PWt_xhU3gX4pRD3Gpd5XoJx0WzTH8uhzT2af35vKgHTU3hlXLJYjwsC%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0aa0756afdfd1a0b87d313415ae7918e&TIME=20240426T130810Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3307E40E2FB567FD3E3EF0742E5566D7; _EDGE_S=SID=12F7542D59076D8E2FD4405758D56C29
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=MGmqiW7nJq6vSWl2FHDFlcbqUBue6RDpLgpPLH-_tZA; domain=.bing.com; expires=Tue, 03-Jun-2025 11:33:20 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 910A0BBD6D24493D99C2BEED13FA9CCA Ref B: LON04EDGE1222 Ref C: 2024-05-09T11:33:20Z
      date: Thu, 09 May 2024 11:33:20 GMT
  • [BE] GET https://www.bing.com/aes/c.gif?RG=2ef009ec9c2c40698e85bfc7f6a77bb3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130810Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984
    Remote address: 2.17.196.120:443
    Request:
      GET /aes/c.gif?RG=2ef009ec9c2c40698e85bfc7f6a77bb3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130810Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984 HTTP/2.0
      host: www.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3307E40E2FB567FD3E3EF0742E5566D7
    Response:
      HTTP/2.0 200
      cache-control: private,no-store
      pragma: no-cache
      vary: Origin
      p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 76F788FA7DF7470BB54D5B5F745E9CF8 Ref B: FRAEDGE1219 Ref C: 2024-05-09T11:33:20Z
      content-length: 0
      date: Thu, 09 May 2024 11:33:20 GMT
      set-cookie: _EDGE_S=SID=12F7542D59076D8E2FD4405758D56C29; path=/; httponly; domain=bing.com
      set-cookie: MUIDB=3307E40E2FB567FD3E3EF0742E5566D7; path=/; httponly; expires=Tue, 03-Jun-2025 11:33:20 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.74c41102.1715254400.c218b15
  • [US] DNS 237.197.79.204.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 237.197.79.204.in-addr.arpa IN PTR
    Response: (none)
  • [US] DNS 172.210.232.199.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (none)
  • [US] DNS 95.221.229.192.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (none)
  • [US] DNS 120.196.17.2.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 120.196.17.2.in-addr.arpa IN PTR
    Response: 120.196.17.2.in-addr.arpa IN PTR a2-17-196-120.deploy.static.akamaitechnologies.com
  • [BE] GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address: 2.17.196.120:443
    Request:
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      cookie: MUID=3307E40E2FB567FD3E3EF0742E5566D7; _EDGE_S=SID=12F7542D59076D8E2FD4405758D56C29; MSPTC=MGmqiW7nJq6vSWl2FHDFlcbqUBue6RDpLgpPLH-_tZA; MUIDB=3307E40E2FB567FD3E3EF0742E5566D7
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Thu, 09 May 2024 11:33:21 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.74c41102.1715254401.c219620
  • [US] DNS 4.159.190.20.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 4.159.190.20.in-addr.arpa IN PTR
    Response: (none)
  • [US] DNS 26.35.223.20.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 26.35.223.20.in-addr.arpa IN PTR
    Response: (none)
  • [US] DNS 209.205.72.20.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 209.205.72.20.in-addr.arpa IN PTR
    Response: (none)
  • [US] DNS 43.229.111.52.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 43.229.111.52.in-addr.arpa IN PTR
    Response: (none)
  • [US] DNS tse1.mm.bing.net (resolver 8.8.8.8:53)
    Request: tse1.mm.bing.net IN A
    Response:
      tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net IN A 204.79.197.200
      dual-a-0001.a-msedge.net IN A 13.107.21.200
  • [US] GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443
    Request:
      GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 659775
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D9380FF7796E4849AE3F98C6839EED6C Ref B: LON04EDGE1007 Ref C: 2024-05-09T11:34:57Z
      date: Thu, 09 May 2024 11:34:57 GMT
  • [US] GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443
    Request:
      GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 555746
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E46911F6701F43BE872C13A87E93A725 Ref B: LON04EDGE1007 Ref C: 2024-05-09T11:34:57Z
      date: Thu, 09 May 2024 11:34:57 GMT
  • [US] GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443
    Request:
      GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 621794
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 470791271E8F4D8E97D47017C054FBCC Ref B: LON04EDGE1007 Ref C: 2024-05-09T11:34:57Z
      date: Thu, 09 May 2024 11:34:57 GMT
  • [US] GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443
    Request:
      GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 638730
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 3653859E847D4AB59ECB830EF7ED6CD3 Ref B: LON04EDGE1007 Ref C: 2024-05-09T11:34:57Z
      date: Thu, 09 May 2024 11:34:57 GMT
  • [US] DNS 43.58.199.20.in-addr.arpa (resolver 8.8.8.8:53)
    Request: 43.58.199.20.in-addr.arpa IN PTR
    Response: (none)

Connection summary. Each entry gives the remote address; the host or URL (or, where no protocol was parsed, the local process that opened the connection); the protocol; bytes sent / received; and packets sent / received. Entries with a single byte and packet count carry traffic sent with no reply recorded; every connection to the two C2 addresses is of that kind.

  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DZTdE5AFzgYim3_2b2y5YjVUCUzG2VhPAik-T73i2Mz5JUPuyPpe88UvStvo_BuLPr3si1ptncm7zAEqBmrdKO883YTxBEhkBrA_as5osk6IJyz_9IIghxZA-PWt_xhU3gX4pRD3Gpd5XoJx0WzTH8uhzT2af35vKgHTU3hlXLJYjwsC%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0aa0756afdfd1a0b87d313415ae7918e&TIME=20240426T130810Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    tls, http2; sent 2.5kB / 20 packets; received 9.0kB / 17 packets
    HTTP Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DZTdE5AFzgYim3_2b2y5YjVUCUzG2VhPAik-T73i2Mz5JUPuyPpe88UvStvo_BuLPr3si1ptncm7zAEqBmrdKO883YTxBEhkBrA_as5osk6IJyz_9IIghxZA-PWt_xhU3gX4pRD3Gpd5XoJx0WzTH8uhzT2af35vKgHTU3hlXLJYjwsC%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0aa0756afdfd1a0b87d313415ae7918e&TIME=20240426T130810Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DZTdE5AFzgYim3_2b2y5YjVUCUzG2VhPAik-T73i2Mz5JUPuyPpe88UvStvo_BuLPr3si1ptncm7zAEqBmrdKO883YTxBEhkBrA_as5osk6IJyz_9IIghxZA-PWt_xhU3gX4pRD3Gpd5XoJx0WzTH8uhzT2af35vKgHTU3hlXLJYjwsC%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0aa0756afdfd1a0b87d313415ae7918e&TIME=20240426T130810Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    HTTP Response: 204
  • 2.17.196.120:443
    https://www.bing.com/aes/c.gif?RG=2ef009ec9c2c40698e85bfc7f6a77bb3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130810Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984
    tls, http2; sent 1.4kB / 16 packets; received 5.3kB / 11 packets
    HTTP Request: GET https://www.bing.com/aes/c.gif?RG=2ef009ec9c2c40698e85bfc7f6a77bb3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130810Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984
    HTTP Response: 200
  • 2.17.196.120:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2; sent 1.7kB / 18 packets; received 6.4kB / 13 packets
    HTTP Request: GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    HTTP Response: 200
  • 77.91.68.68:19071
    d2061509.exe; sent 260 B / 5 packets; no reply recorded
  • 77.91.68.61:80
    pdates.exe; sent 260 B / 5 packets; no reply recorded
  • 77.91.68.68:19071
    d2061509.exe; sent 260 B / 5 packets; no reply recorded
  • 77.91.68.61:80
    pdates.exe; sent 260 B / 5 packets; no reply recorded
  • 77.91.68.68:19071
    d2061509.exe; sent 260 B / 5 packets; no reply recorded
  • 77.91.68.61:80
    pdates.exe; sent 260 B / 5 packets; no reply recorded
  • 77.91.68.68:19071
    d2061509.exe; sent 260 B / 5 packets; no reply recorded
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2; sent 1.2kB / 16 packets; received 8.1kB / 14 packets
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2; sent 1.2kB / 16 packets; received 8.1kB / 14 packets
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2; sent 1.2kB / 16 packets; received 8.1kB / 13 packets
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2; sent 89.8kB / 1872 packets; received 2.6MB / 1867 packets
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    HTTP Response: 200
    HTTP Response: 200
    HTTP Response: 200
    HTTP Response: 200
  • 77.91.68.68:19071
    d2061509.exe; sent 260 B / 5 packets; no reply recorded
  • 77.91.68.68:19071
    d2061509.exe; sent 208 B / 4 packets; no reply recorded
  • 8.8.8.8:53
    g.bing.com
    dns; sent 56 B / 1 packet; received 151 B / 1 packet
    DNS Request: g.bing.com
    DNS Response: 204.79.197.237, 13.107.21.237
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns; sent 66 B / 1 packet; received 90 B / 1 packet
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns; sent 72 B / 1 packet; received 158 B / 1 packet
    DNS Request: 154.239.44.20.in-addr.arpa

              • 8.8.8.8:53
                237.197.79.204.in-addr.arpa
                dns
                73 B
                143 B
                1
                1

                DNS Request

                237.197.79.204.in-addr.arpa

              • 8.8.8.8:53
                172.210.232.199.in-addr.arpa
                dns
                74 B
                128 B
                1
                1

                DNS Request

                172.210.232.199.in-addr.arpa

              • 8.8.8.8:53
                95.221.229.192.in-addr.arpa
                dns
                73 B
                144 B
                1
                1

                DNS Request

                95.221.229.192.in-addr.arpa

              • 8.8.8.8:53
                120.196.17.2.in-addr.arpa
                dns
                71 B
                135 B
                1
                1

                DNS Request

                120.196.17.2.in-addr.arpa

              • 8.8.8.8:53
                4.159.190.20.in-addr.arpa
                dns
                71 B
                157 B
                1
                1

                DNS Request

                4.159.190.20.in-addr.arpa

              • 8.8.8.8:53
                26.35.223.20.in-addr.arpa
                dns
                71 B
                157 B
                1
                1

                DNS Request

                26.35.223.20.in-addr.arpa

              • 8.8.8.8:53
                209.205.72.20.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                209.205.72.20.in-addr.arpa

              • 8.8.8.8:53
                43.229.111.52.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                43.229.111.52.in-addr.arpa

              • 8.8.8.8:53
                tse1.mm.bing.net
                dns
                62 B
                173 B
                1
                1

                DNS Request

                tse1.mm.bing.net

                DNS Response

                204.79.197.200
                13.107.21.200

              • 8.8.8.8:53
                43.58.199.20.in-addr.arpa
                dns
                71 B
                157 B
                1
                1

                DNS Request

                43.58.199.20.in-addr.arpa

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exe

                Filesize

                172KB

                MD5

                f3d4c9732520988f37640af8592b4d4f

                SHA1

                439c8330fafbb18ca5bfb910ba6072b0d6c344ea

                SHA256

                5308702f0f353193c42c209eb946a64d65aafb3b8543cfed37ef8b79a9477c11

                SHA512

                67d76224af187bbe39a9c7a3b6cea6becc77d887cc3ac89513d006f8331ce60506d783b2034a8a2083bda1767ea1fa9dbcc9a52a7f1fc554065ca2f1927bd2d9

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exe

                Filesize

                359KB

                MD5

                1b5c60006cf65f19efde04faf393ff26

                SHA1

                79b21b5c269f61e83bded7046cac7a74c8d03a26

                SHA256

                5d444bb020b097b1a1601470bff8ed4f721ca9833ed2645d13e7bb941f933c92

                SHA512

                761a77a6ff1f8eda021d9827eb1a7af15d51ff792f1d34af0d965701e1eb756e148ace1f294cc753d1cc8469c0350b942cae76fccde6c206f5e574b22dd6662d

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exe

                Filesize

                35KB

                MD5

                4d10444994d8bcb46db1b0169d70408c

                SHA1

                cb75bd6e3f9a211e3f6f0edd621c4d19f3cbb932

                SHA256

                f3f96017154ef1ac7b8a8e402b1f4ec838b4cbf90b17d91fbd41c9d80fe93b73

                SHA512

                ff14d0549a3f9aae43c2535970fcb73c7287603eaed8f6ef02865d1137e6d0a83349eb19d088c162ed140e01689b62beba29a3b0081a15d6d538f5bc4836692f

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exe

                Filesize

                234KB

                MD5

                fc78db6faef23ec53cf6d28a8d2413e5

                SHA1

                909012f46132d8e495fbb87aa929a34896e0abff

                SHA256

                f64c365cf9ebf6b3d3c2c5fa5d606e6108cb7cbdca2d3c5a584265cdfe86af19

                SHA512

                94da1949fb511f63aecb67cd890c6da681df8d7e8cf363547ae789c092209cb1c6f93b3f2880beca3d76b8b9ce4da397c0fd8edf1476ea4b163cfd3915e7b560

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exe

                Filesize

                11KB

                MD5

                4a52f5ac63c258eb43a31d19c1ef0f10

                SHA1

                e234ac66b801fe1be51c144206a811809b2b53ef

                SHA256

                45c201511196955b077ff6d298ab9d6f10cc394dfa6f91a746d10246db41ab00

                SHA512

                15c2c18b9b19fdbd6744b81687f92263114a363b1cc32af2483676ab465c4a9f4eac35553212f331808744c7abb159b25b521556ec5a5b766b468f93d6fbcbc7

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exe

                Filesize

                223KB

                MD5

                6ea3f44322a07b398f06762b5a7e09a1

                SHA1

                af77a595623910bf513a34e8308ea69efb9a2a91

                SHA256

                2ad18f623171a8873c4d292125e8b1d2421172d6ba472d49f1d2988872b87266

                SHA512

                a4edbb71f501caa94c48c7a1c0e0766eb693e138e47aad8b59a695f313cb5322dda91d95225a1034db386c186103dbfe28f3a27e9c3d40c86a2721f33a04121a

              • memory/1512-49-0x0000000009F40000-0x0000000009F52000-memory.dmp

                Filesize

                72KB

              • memory/1512-48-0x000000000A000000-0x000000000A10A000-memory.dmp

                Filesize

                1.0MB

              • memory/1512-46-0x0000000004970000-0x0000000004976000-memory.dmp

                Filesize

                24KB

              • memory/1512-47-0x000000000A510000-0x000000000AB28000-memory.dmp

                Filesize

                6.1MB

              • memory/1512-45-0x0000000000190000-0x00000000001C0000-memory.dmp

                Filesize

                192KB

              • memory/1512-50-0x0000000009FA0000-0x0000000009FDC000-memory.dmp

                Filesize

                240KB

              • memory/1512-51-0x0000000002310000-0x000000000235C000-memory.dmp

                Filesize

                304KB

              • memory/1776-21-0x00007FFE3E773000-0x00007FFE3E775000-memory.dmp

                Filesize

                8KB

              • memory/1776-22-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

                Filesize

                40KB

              • memory/2600-40-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

              • memory/2600-41-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB