Overview
overview
10Static
static
30237b61e61...e4.exe
windows7-x64
30237b61e61...e4.exe
windows10-2004-x64
100cbf9c5b59...f9.exe
windows10-2004-x64
100edb945c8d...dd.exe
windows10-2004-x64
1013ca0bbb32...3f.exe
windows10-2004-x64
101465a638f9...f2.exe
windows10-2004-x64
101b0729839d...dd.exe
windows10-2004-x64
1027bf431b08...9f.exe
windows10-2004-x64
1034b8fdeeaf...27.exe
windows10-2004-x64
10488c7cb3b3...18.exe
windows10-2004-x64
104bc64c0375...75.exe
windows10-2004-x64
104f85c3e4ec...fe.exe
windows10-2004-x64
1055b18033bb...53.exe
windows7-x64
355b18033bb...53.exe
windows10-2004-x64
1060e7e1ac00...07.exe
windows10-2004-x64
10979a97cb16...99.exe
windows10-2004-x64
10b3eb736a5d...9f.exe
windows10-2004-x64
10d57352b171...d0.exe
windows10-2004-x64
10d62f03a558...b6.exe
windows10-2004-x64
10e72a6e51db...6d.exe
windows10-2004-x64
10f5c9c18cca...6b.exe
windows10-2004-x64
10fdb9b25099...78.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 12:11
Static task
static1
Behavioral task
behavioral1
Sample
0237b61e61fe845c052d94e1696f694fd1c69b55134971372a39facd025272e4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0237b61e61fe845c052d94e1696f694fd1c69b55134971372a39facd025272e4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
0cbf9c5b5986e5ea6119fe8fc3da31af9c240982a4a7cfed5ca9fb56c4d768f9.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
0edb945c8dd154bc423c54a58705917964bbfb8f0391f3350b75f33df5c740dd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
13ca0bbb3221adeaf830fc435756121e64e03f342fec62e30bcd13f7d5c1083f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
1b0729839d14f565e8de6c35f683e4cf6c401cc652ea06fe9d0da0c95e9abadd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
34b8fdeeafe15c31ab10314949d8d534bca5cfd6995d47dbab8b3506a2847a27.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
488c7cb3b3ae680032b59617bf38fb807c934eab7717cda13ee71996311ea718.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
4bc64c0375f3ffea0f45741a1f4ed6af4f66e8f13084960da4aeb003e9f45675.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
4f85c3e4ec4db9780db30f402a82cf4f34e6d0a934cf7eb35d8bdb58e46d06fe.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
55b18033bb16a6ebd933d4b24c7828c19ea0ec0937cbb06be066053c204d9753.exe
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
55b18033bb16a6ebd933d4b24c7828c19ea0ec0937cbb06be066053c204d9753.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
60e7e1ac00410438a148bcba6a92dbac02c94531491c577d988a49e9c281cf07.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
979a97cb16762728856ff5dd929cb625d1673048544e092731742005342da799.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
b3eb736a5d62ca99c3bb61ab1572ce044dd3f3d33a0f83509bfc2cb1204b0b9f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
d57352b17144065c6fd05a0807532115ba9622e99b096ac4432dd312359b06d0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
d62f03a5584e3ca2265a79bdd4e0fb0add3d0412b01568178f46f8dcecf881b6.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
e72a6e51dbac1e6313459eab1ffc1832d973b0fd23fe10aba5acdee9ba028f6d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
fdb9b250992b8c5988cfe05d255d96db5dd1d7a3ac4959de26b8546038f10c78.exe
Resource
win10v2004-20240508-en
General
-
Target
f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe
-
Size
389KB
-
MD5
047a5e67b8325b5f7f14d6300d2525fa
-
SHA1
e765cf5f8a5e1e80bad8f737cd658ffaea69ed78
-
SHA256
f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b
-
SHA512
da5583b2adff91294d280d78d4b3b598aab8b169e79bbc638f1042fcf44ab00b357c20b5b9dc7319482dba7632bd238653da8c0458af3b25a95a684ae46f57cd
-
SSDEEP
6144:KAy+bnr+Np0yN90QEQmynqq5AvfcQr4UliD4EYjxgt2jfsmdrHq/LDxMMJOkeb:UMrhy90WP64Ul84jSt2jfHrKjDxMMbM
Malware Config
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral21/files/0x000800000002340d-13.dat healer behavioral21/memory/404-15-0x00000000001C0000-0x00000000001CA000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" p1980406.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" p1980406.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" p1980406.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection p1980406.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" p1980406.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" p1980406.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral21/files/0x000700000002340e-18.dat family_redline behavioral21/memory/1532-20-0x0000000000B50000-0x0000000000B80000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 1648 z5687166.exe 404 p1980406.exe 1532 r3481787.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" p1980406.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z5687166.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4996 sc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 404 p1980406.exe 404 p1980406.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 404 p1980406.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 5112 wrote to memory of 1648 5112 f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe 82 PID 5112 wrote to memory of 1648 5112 f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe 82 PID 5112 wrote to memory of 1648 5112 f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe 82 PID 1648 wrote to memory of 404 1648 z5687166.exe 83 PID 1648 wrote to memory of 404 1648 z5687166.exe 83 PID 1648 wrote to memory of 1532 1648 z5687166.exe 93 PID 1648 wrote to memory of 1532 1648 z5687166.exe 93 PID 1648 wrote to memory of 1532 1648 z5687166.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe"C:\Users\Admin\AppData\Local\Temp\f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5687166.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5687166.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1980406.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1980406.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3481787.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3481787.exe3⤵
- Executes dropped EXE
PID:1532
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:4996
Network
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A204.79.197.237dual-a-0034.a-msedge.netIN A13.107.21.237
-
GEThttps://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949Remote address:204.79.197.237:443RequestGET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=27CDEA3A956A661428A5FE40944D67AB; domain=.bing.com; expires=Tue, 03-Jun-2025 12:12:08 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 16297F0DBABE46E39ABFDE3A7A51A027 Ref B: LON04EDGE0706 Ref C: 2024-05-09T12:12:08Z
date: Thu, 09 May 2024 12:12:08 GMT
-
GEThttps://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949Remote address:204.79.197.237:443RequestGET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=27CDEA3A956A661428A5FE40944D67AB; _EDGE_S=SID=24045E89541264EB05BD4AF3556B654C
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=mtqiVTDgu6AiLBNT1hpRHIIby3O3PK1tYPI5Pk6VK64; domain=.bing.com; expires=Tue, 03-Jun-2025 12:12:09 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E827451C472F44D89D6FE18367D1B7C5 Ref B: LON04EDGE0706 Ref C: 2024-05-09T12:12:09Z
date: Thu, 09 May 2024 12:12:09 GMT
-
GEThttps://www.bing.com/aes/c.gif?RG=6eb65b83be56465abec7a81ccfcc9722&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131125Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038Remote address:88.221.83.178:443RequestGET /aes/c.gif?RG=6eb65b83be56465abec7a81ccfcc9722&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131125Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=27CDEA3A956A661428A5FE40944D67AB
ResponseHTTP/2.0 200
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5634DE0DEE394C37AF78BA78BFB161ED Ref B: LON212050719039 Ref C: 2024-05-09T12:12:09Z
content-length: 0
date: Thu, 09 May 2024 12:12:09 GMT
set-cookie: _EDGE_S=SID=24045E89541264EB05BD4AF3556B654C; path=/; httponly; domain=bing.com
set-cookie: MUIDB=27CDEA3A956A661428A5FE40944D67AB; path=/; httponly; expires=Tue, 03-Jun-2025 12:12:09 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.ae53dd58.1715256729.32f943b1
-
Remote address:8.8.8.8:53Request237.197.79.204.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request140.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request178.83.221.88.in-addr.arpaIN PTRResponse178.83.221.88.in-addr.arpaIN PTRa88-221-83-178deploystaticakamaitechnologiescom
-
GEThttps://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90Remote address:88.221.83.178:443RequestGET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=27CDEA3A956A661428A5FE40944D67AB; _EDGE_S=SID=24045E89541264EB05BD4AF3556B654C; MSPTC=mtqiVTDgu6AiLBNT1hpRHIIby3O3PK1tYPI5Pk6VK64; MUIDB=27CDEA3A956A661428A5FE40944D67AB
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 09 May 2024 12:12:10 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.ae53dd58.1715256730.32f94894
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request21.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F7594911ECBD409A8B5DB08B0BDB47B4 Ref B: LON04EDGE0916 Ref C: 2024-05-09T12:13:46Z
date: Thu, 09 May 2024 12:13:45 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1842E5F482B444FF98F2F9BE07DB8740 Ref B: LON04EDGE0916 Ref C: 2024-05-09T12:13:46Z
date: Thu, 09 May 2024 12:13:45 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EAED9E7342224FC499AAC30328FD92E2 Ref B: LON04EDGE0916 Ref C: 2024-05-09T12:13:46Z
date: Thu, 09 May 2024 12:13:45 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2E7DF0EE57CD4262888CEC48244A3F7B Ref B: LON04EDGE0916 Ref C: 2024-05-09T12:13:46Z
date: Thu, 09 May 2024 12:13:45 GMT
-
204.79.197.237:443https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949tls, http22.5kB 9.0kB 20 17
HTTP Request
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83knNBXHhuBTmMItAzB-eSDVUCUyF5zCu7_1wFkCKJYCBWPMFvYKmjarmx2U3QiMa8o14tsynD3a3K3Tq-sepTWwau_AhmFlLiEqjlAN71TLZOFJ0279DXCgx1hUblF0-lB9ocTjrE4bLz-yLyKUHC9PxVdAgrg38CS2zmRDWRk2zYEMY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D516bd29baf241dd3df6ab4b008f9144a&TIME=20240426T131125Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949HTTP Response
204 -
88.221.83.178:443https://www.bing.com/aes/c.gif?RG=6eb65b83be56465abec7a81ccfcc9722&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131125Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038tls, http21.5kB 5.4kB 17 12
HTTP Request
GET https://www.bing.com/aes/c.gif?RG=6eb65b83be56465abec7a81ccfcc9722&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131125Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038HTTP Response
200 -
88.221.83.178:443https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90tls, http21.6kB 6.4kB 17 13
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90HTTP Response
200 -
260 B 5
-
260 B 5
-
260 B 5
-
322 B 7
-
260 B 5
-
1.2kB 8.1kB 16 14
-
1.4kB 8.0kB 15 11
-
1.2kB 8.1kB 16 14
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http296.0kB 2.8MB 2053 2048
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200 -
260 B 5
-
208 B 4
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.23713.107.21.237
-
73 B 143 B 1 1
DNS Request
237.197.79.204.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
140.32.126.40.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
178.83.221.88.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD582508e684b0244b131384ad84bd736ed
SHA13c80d10f1bad612d93b99bfc4ab1407dba6c101d
SHA2562f9713625553da98a31d2c7cc5fa0ba1aafe7e56045cc660ab24e00c0b7eca4d
SHA51210b6232edc6c64acc7aab72a2c31bb8c8654bcc7c603b43321b9898a05d4abee803890b13951aadfc913e955781272485a7f74452c979fc576f4d6f20a179a8a
-
Filesize
14KB
MD5acf71ede3fa4498bb7397d170fa7f878
SHA1dd69c1172a9bf2f7d37b10a9fad59e1e1359c3ca
SHA256a093e4e6d1e4d36ac0a4d04ed691dd962d5a6cc576395d79680eb7dc46650d09
SHA512d7e45ef34b57273bf22af623e860fad167329dcb0d94feccda24d0d019b1bb7a8596162afefc6add472cf0fada895fcbb0febeb60e030006725ba9299ddc2355
-
Filesize
173KB
MD5bfb4ba8d200b626ae3d3a6d9ca32061b
SHA1d95ffa9926a751678bf632a7ccc558e1e8bfd0c5
SHA2569358dd428789b3d65d74482772d34eef690cad71a78453ded32673a5bebccf3f
SHA512c63c0198c363675e50866d3ac051c051ce53b758f364e66a15749422ce6efb1e689e68cb7c5936f64b4e5550623a16ffedc8ee84e553c78571f9db7a712fe3fe