Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 12:11

General

  • Target

    f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe

  • Size

    389KB

  • MD5

    047a5e67b8325b5f7f14d6300d2525fa

  • SHA1

    e765cf5f8a5e1e80bad8f737cd658ffaea69ed78

  • SHA256

    f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b

  • SHA512

    da5583b2adff91294d280d78d4b3b598aab8b169e79bbc638f1042fcf44ab00b357c20b5b9dc7319482dba7632bd238653da8c0458af3b25a95a684ae46f57cd

  • SSDEEP

    6144:KAy+bnr+Np0yN90QEQmynqq5AvfcQr4UliD4EYjxgt2jfsmdrHq/LDxMMJOkeb:UMrhy90WP64Ul84jSt2jfHrKjDxMMbM

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe
    "C:\Users\Admin\AppData\Local\Temp\f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5687166.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5687166.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1980406.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1980406.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:404
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3481787.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3481787.exe
        3⤵
        • Executes dropped EXE
        PID:1532
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4996

Network

  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=27CDEA3A956A661428A5FE40944D67AB; domain=.bing.com; expires=Tue, 03-Jun-2025 12:12:08 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 16297F0DBABE46E39ABFDE3A7A51A027 Ref B: LON04EDGE0706 Ref C: 2024-05-09T12:12:08Z
    date: Thu, 09 May 2024 12:12:08 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=27CDEA3A956A661428A5FE40944D67AB; _EDGE_S=SID=24045E89541264EB05BD4AF3556B654C
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=mtqiVTDgu6AiLBNT1hpRHIIby3O3PK1tYPI5Pk6VK64; domain=.bing.com; expires=Tue, 03-Jun-2025 12:12:09 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E827451C472F44D89D6FE18367D1B7C5 Ref B: LON04EDGE0706 Ref C: 2024-05-09T12:12:09Z
    date: Thu, 09 May 2024 12:12:09 GMT
  • flag-be
    GET
    https://www.bing.com/aes/c.gif?RG=6eb65b83be56465abec7a81ccfcc9722&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131125Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
    Remote address:
    88.221.83.178:443
    Request
    GET /aes/c.gif?RG=6eb65b83be56465abec7a81ccfcc9722&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131125Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=27CDEA3A956A661428A5FE40944D67AB
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5634DE0DEE394C37AF78BA78BFB161ED Ref B: LON212050719039 Ref C: 2024-05-09T12:12:09Z
    content-length: 0
    date: Thu, 09 May 2024 12:12:09 GMT
    set-cookie: _EDGE_S=SID=24045E89541264EB05BD4AF3556B654C; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=27CDEA3A956A661428A5FE40944D67AB; path=/; httponly; expires=Tue, 03-Jun-2025 12:12:09 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.ae53dd58.1715256729.32f943b1
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    178.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    178.83.221.88.in-addr.arpa
    IN PTR
    Response
    178.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-178deploystaticakamaitechnologiescom
  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.83.178:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=27CDEA3A956A661428A5FE40944D67AB; _EDGE_S=SID=24045E89541264EB05BD4AF3556B654C; MSPTC=mtqiVTDgu6AiLBNT1hpRHIIby3O3PK1tYPI5Pk6VK64; MUIDB=27CDEA3A956A661428A5FE40944D67AB
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Thu, 09 May 2024 12:12:10 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.ae53dd58.1715256730.32f94894
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 792794
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F7594911ECBD409A8B5DB08B0BDB47B4 Ref B: LON04EDGE0916 Ref C: 2024-05-09T12:13:46Z
    date: Thu, 09 May 2024 12:13:45 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 621794
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1842E5F482B444FF98F2F9BE07DB8740 Ref B: LON04EDGE0916 Ref C: 2024-05-09T12:13:46Z
    date: Thu, 09 May 2024 12:13:45 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 659775
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EAED9E7342224FC499AAC30328FD92E2 Ref B: LON04EDGE0916 Ref C: 2024-05-09T12:13:46Z
    date: Thu, 09 May 2024 12:13:45 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 627437
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2E7DF0EE57CD4262888CEC48244A3F7B Ref B: LON04EDGE0916 Ref C: 2024-05-09T12:13:46Z
    date: Thu, 09 May 2024 12:13:45 GMT
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
    tls, http2
    2.5kB
    9.0kB
    20
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

    HTTP Response

    204
  • 88.221.83.178:443
    https://www.bing.com/aes/c.gif?RG=6eb65b83be56465abec7a81ccfcc9722&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131125Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
    tls, http2
    1.5kB
    5.4kB
    17
    12

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=6eb65b83be56465abec7a81ccfcc9722&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131125Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

    HTTP Response

    200
  • 88.221.83.178:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.6kB
    6.4kB
    17
    13

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 77.91.68.68:19071
    r3481787.exe
    260 B
    5
  • 77.91.68.68:19071
    r3481787.exe
    260 B
    5
  • 77.91.68.68:19071
    r3481787.exe
    260 B
    5
  • 52.111.227.11:443
    322 B
    7
  • 77.91.68.68:19071
    r3481787.exe
    260 B
    5
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.4kB
    8.0kB
    15
    11
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    96.0kB
    2.8MB
    2053
    2048

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 77.91.68.68:19071
    r3481787.exe
    260 B
    5
  • 77.91.68.68:19071
    r3481787.exe
    208 B
    4
  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    178.83.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    178.83.221.88.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5687166.exe

    Filesize

    206KB

    MD5

    82508e684b0244b131384ad84bd736ed

    SHA1

    3c80d10f1bad612d93b99bfc4ab1407dba6c101d

    SHA256

    2f9713625553da98a31d2c7cc5fa0ba1aafe7e56045cc660ab24e00c0b7eca4d

    SHA512

    10b6232edc6c64acc7aab72a2c31bb8c8654bcc7c603b43321b9898a05d4abee803890b13951aadfc913e955781272485a7f74452c979fc576f4d6f20a179a8a

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1980406.exe

    Filesize

    14KB

    MD5

    acf71ede3fa4498bb7397d170fa7f878

    SHA1

    dd69c1172a9bf2f7d37b10a9fad59e1e1359c3ca

    SHA256

    a093e4e6d1e4d36ac0a4d04ed691dd962d5a6cc576395d79680eb7dc46650d09

    SHA512

    d7e45ef34b57273bf22af623e860fad167329dcb0d94feccda24d0d019b1bb7a8596162afefc6add472cf0fada895fcbb0febeb60e030006725ba9299ddc2355

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3481787.exe

    Filesize

    173KB

    MD5

    bfb4ba8d200b626ae3d3a6d9ca32061b

    SHA1

    d95ffa9926a751678bf632a7ccc558e1e8bfd0c5

    SHA256

    9358dd428789b3d65d74482772d34eef690cad71a78453ded32673a5bebccf3f

    SHA512

    c63c0198c363675e50866d3ac051c051ce53b758f364e66a15749422ce6efb1e689e68cb7c5936f64b4e5550623a16ffedc8ee84e553c78571f9db7a712fe3fe

  • memory/404-14-0x00007FFE5F563000-0x00007FFE5F565000-memory.dmp

    Filesize

    8KB

  • memory/404-15-0x00000000001C0000-0x00000000001CA000-memory.dmp

    Filesize

    40KB

  • memory/1532-20-0x0000000000B50000-0x0000000000B80000-memory.dmp

    Filesize

    192KB

  • memory/1532-21-0x0000000005470000-0x0000000005476000-memory.dmp

    Filesize

    24KB

  • memory/1532-22-0x000000000AF80000-0x000000000B598000-memory.dmp

    Filesize

    6.1MB

  • memory/1532-23-0x000000000AB00000-0x000000000AC0A000-memory.dmp

    Filesize

    1.0MB

  • memory/1532-24-0x000000000AA40000-0x000000000AA52000-memory.dmp

    Filesize

    72KB

  • memory/1532-25-0x000000000AAA0000-0x000000000AADC000-memory.dmp

    Filesize

    240KB

  • memory/1532-26-0x0000000002EF0000-0x0000000002F3C000-memory.dmp

    Filesize

    304KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.