Analysis

  • max time kernel
    143s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 14:47 UTC

General

  • Target

    e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe

  • Size

    983KB

  • MD5

    195bac3e181550a1749e52bd3abfa2e1

  • SHA1

    4c44adf44e16bdb2d5891d0ca5534e25d8cd8811

  • SHA256

    e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd

  • SHA512

    7ac7714a302ee5d0a2592b1273fa20f3162a4c8e46519274b97bfed634a28fa461d19d212eb648b6c540bac10dc7d94b9651548d9d2bb3f58e39de1c4456a41b

  • SSDEEP

    12288:xNJJwXdk+4w8ea9YVhYu48bk0/jLvzVbJmeMIulognDsexGeMcQh:xNJodk+4wv+YVhYu4r6LvJFsngve6

Malware Config

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe
    "C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4876
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 320
      2⤵
      • Program crash
      PID:4724
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2984 -ip 2984
    1⤵
      PID:1008

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      pastebin.com
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      pastebin.com
      IN A
      Response
      pastebin.com
      IN A
      104.20.4.235
      pastebin.com
      IN A
      104.20.3.235
      pastebin.com
      IN A
      172.67.19.24
    • flag-us
      DNS
      79.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.190.18.2.in-addr.arpa
      IN PTR
      Response
      79.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-79deploystaticakamaitechnologiescom
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      GET
      https://pastebin.com/raw/NgsUAPya
      RegAsm.exe
      Remote address:
      104.20.4.235:443
      Request
      GET /raw/NgsUAPya HTTP/1.1
      Host: pastebin.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Thu, 09 May 2024 14:48:49 GMT
      Content-Type: text/plain; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      x-frame-options: DENY
      x-content-type-options: nosniff
      x-xss-protection: 1;mode=block
      cache-control: public, max-age=1801
      CF-Cache-Status: HIT
      Age: 1153
      Last-Modified: Thu, 09 May 2024 14:29:36 GMT
      Server: cloudflare
      CF-RAY: 88127e1bfa7760e1-LHR
    • flag-us
      DNS
      omnomnom.top
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      omnomnom.top
      IN A
      Response
      omnomnom.top
      IN A
      195.201.252.28
    • flag-us
      DNS
      235.4.20.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      235.4.20.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      75.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      75.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EPujeoNLfUMK-pKwSfoU9DVUCUxmyjCvimivWTFCu7RA_hbP_ubnBmdmPXwsEwV4rM3MSjVfODCgnkdZF_dVsR8IW98K9DF65WQYl6_sIgQGmrx21zjIKOmfMY-Nwd3yfSVs5ua6AgAl5rZkKQZoplO6qicHJaY5b8b-jUcIUBM2yqr_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D56ec5ff269761bf6dbcd39d9c0986224&TIME=20240426T132013Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EPujeoNLfUMK-pKwSfoU9DVUCUxmyjCvimivWTFCu7RA_hbP_ubnBmdmPXwsEwV4rM3MSjVfODCgnkdZF_dVsR8IW98K9DF65WQYl6_sIgQGmrx21zjIKOmfMY-Nwd3yfSVs5ua6AgAl5rZkKQZoplO6qicHJaY5b8b-jUcIUBM2yqr_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D56ec5ff269761bf6dbcd39d9c0986224&TIME=20240426T132013Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=346BFDD5F8D1621C01CCE9AFF9316318; domain=.bing.com; expires=Tue, 03-Jun-2025 14:48:50 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 5A3D85D3AB3B425F85CA58AB468C69FA Ref B: LON04EDGE1021 Ref C: 2024-05-09T14:48:50Z
      date: Thu, 09 May 2024 14:48:49 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EPujeoNLfUMK-pKwSfoU9DVUCUxmyjCvimivWTFCu7RA_hbP_ubnBmdmPXwsEwV4rM3MSjVfODCgnkdZF_dVsR8IW98K9DF65WQYl6_sIgQGmrx21zjIKOmfMY-Nwd3yfSVs5ua6AgAl5rZkKQZoplO6qicHJaY5b8b-jUcIUBM2yqr_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D56ec5ff269761bf6dbcd39d9c0986224&TIME=20240426T132013Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EPujeoNLfUMK-pKwSfoU9DVUCUxmyjCvimivWTFCu7RA_hbP_ubnBmdmPXwsEwV4rM3MSjVfODCgnkdZF_dVsR8IW98K9DF65WQYl6_sIgQGmrx21zjIKOmfMY-Nwd3yfSVs5ua6AgAl5rZkKQZoplO6qicHJaY5b8b-jUcIUBM2yqr_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D56ec5ff269761bf6dbcd39d9c0986224&TIME=20240426T132013Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=346BFDD5F8D1621C01CCE9AFF9316318; _EDGE_S=SID=1358B5DE0FEF68741D8AA1A40EB869EB
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=RKNVCTN6ieuQuDV_F46eAvHP0Q9KRM5ckIuOa4Zrn1g; domain=.bing.com; expires=Tue, 03-Jun-2025 14:48:51 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4A35959E96964A8EBA8F328085E2D7C0 Ref B: LON04EDGE1021 Ref C: 2024-05-09T14:48:51Z
      date: Thu, 09 May 2024 14:48:50 GMT
    • flag-be
      GET
      https://www.bing.com/aes/c.gif?RG=c5370ae406cc483083167ce2a7f95559&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132013Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984
      Remote address:
      2.17.107.106:443
      Request
      GET /aes/c.gif?RG=c5370ae406cc483083167ce2a7f95559&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132013Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984 HTTP/2.0
      host: www.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=346BFDD5F8D1621C01CCE9AFF9316318
      Response
      HTTP/2.0 200
      cache-control: private,no-store
      pragma: no-cache
      vary: Origin
      p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4E3E82A51F56486CAD8B9B993A234FA7 Ref B: AMS04EDGE1207 Ref C: 2024-05-09T14:48:51Z
      content-length: 0
      date: Thu, 09 May 2024 14:48:51 GMT
      set-cookie: _EDGE_S=SID=1358B5DE0FEF68741D8AA1A40EB869EB; path=/; httponly; domain=bing.com
      set-cookie: MUIDB=346BFDD5F8D1621C01CCE9AFF9316318; path=/; httponly; expires=Tue, 03-Jun-2025 14:48:51 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.666b1102.1715266131.4944426
    • flag-us
      DNS
      28.252.201.195.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.252.201.195.in-addr.arpa
      IN PTR
      Response
      28.252.201.195.in-addr.arpa
      IN PTR
      static28252201195clients your-serverde
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      106.107.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      106.107.17.2.in-addr.arpa
      IN PTR
      Response
      106.107.17.2.in-addr.arpa
      IN PTR
      a2-17-107-106deploystaticakamaitechnologiescom
    • flag-us
      DNS
      57.169.31.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      57.169.31.20.in-addr.arpa
      IN PTR
      Response
    • flag-be
      GET
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      Remote address:
      2.17.107.106:443
      Request
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      cookie: MUID=346BFDD5F8D1621C01CCE9AFF9316318; _EDGE_S=SID=1358B5DE0FEF68741D8AA1A40EB869EB; MSPTC=RKNVCTN6ieuQuDV_F46eAvHP0Q9KRM5ckIuOa4Zrn1g; MUIDB=346BFDD5F8D1621C01CCE9AFF9316318
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Thu, 09 May 2024 14:48:53 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.666b1102.1715266133.4944b32
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      65.139.73.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      65.139.73.23.in-addr.arpa
      IN PTR
      Response
      65.139.73.23.in-addr.arpa
      IN PTR
      a23-73-139-65deploystaticakamaitechnologiescom
    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77deploystaticakamaitechnologiescom
    • flag-us
      DNS
      37.56.20.217.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      37.56.20.217.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      45.19.74.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      45.19.74.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 381531
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: A5E0C655C5F54F239303523FE601C0C4 Ref B: LON04EDGE1110 Ref C: 2024-05-09T14:50:31Z
      date: Thu, 09 May 2024 14:50:30 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 329579
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0A390E560C1245FBB43B2ED412A31CCB Ref B: LON04EDGE1110 Ref C: 2024-05-09T14:50:31Z
      date: Thu, 09 May 2024 14:50:30 GMT
    • 104.20.4.235:443
      https://pastebin.com/raw/NgsUAPya
      tls, http
      RegAsm.exe
      772 B
      5.7kB
      9
      9

      HTTP Request

      GET https://pastebin.com/raw/NgsUAPya

      HTTP Response

      200
    • 195.201.252.28:443
      omnomnom.top
      https
      RegAsm.exe
      3.9MB
      61.9kB
      2833
      1279
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EPujeoNLfUMK-pKwSfoU9DVUCUxmyjCvimivWTFCu7RA_hbP_ubnBmdmPXwsEwV4rM3MSjVfODCgnkdZF_dVsR8IW98K9DF65WQYl6_sIgQGmrx21zjIKOmfMY-Nwd3yfSVs5ua6AgAl5rZkKQZoplO6qicHJaY5b8b-jUcIUBM2yqr_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D56ec5ff269761bf6dbcd39d9c0986224&TIME=20240426T132013Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
      tls, http2
      2.5kB
      9.0kB
      20
      17

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EPujeoNLfUMK-pKwSfoU9DVUCUxmyjCvimivWTFCu7RA_hbP_ubnBmdmPXwsEwV4rM3MSjVfODCgnkdZF_dVsR8IW98K9DF65WQYl6_sIgQGmrx21zjIKOmfMY-Nwd3yfSVs5ua6AgAl5rZkKQZoplO6qicHJaY5b8b-jUcIUBM2yqr_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D56ec5ff269761bf6dbcd39d9c0986224&TIME=20240426T132013Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8EPujeoNLfUMK-pKwSfoU9DVUCUxmyjCvimivWTFCu7RA_hbP_ubnBmdmPXwsEwV4rM3MSjVfODCgnkdZF_dVsR8IW98K9DF65WQYl6_sIgQGmrx21zjIKOmfMY-Nwd3yfSVs5ua6AgAl5rZkKQZoplO6qicHJaY5b8b-jUcIUBM2yqr_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D56ec5ff269761bf6dbcd39d9c0986224&TIME=20240426T132013Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

      HTTP Response

      204
    • 2.17.107.106:443
      https://www.bing.com/aes/c.gif?RG=c5370ae406cc483083167ce2a7f95559&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132013Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984
      tls, http2
      1.5kB
      5.4kB
      17
      11

      HTTP Request

      GET https://www.bing.com/aes/c.gif?RG=c5370ae406cc483083167ce2a7f95559&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132013Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984

      HTTP Response

      200
    • 2.17.107.106:443
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      tls, http2
      1.6kB
      6.4kB
      17
      13

      HTTP Request

      GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      14
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      tls, http2
      25.9kB
      743.7kB
      546
      544

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      pastebin.com
      dns
      RegAsm.exe
      58 B
      106 B
      1
      1

      DNS Request

      pastebin.com

      DNS Response

      104.20.4.235
      104.20.3.235
      172.67.19.24

    • 8.8.8.8:53
      79.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      79.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      omnomnom.top
      dns
      RegAsm.exe
      58 B
      74 B
      1
      1

      DNS Request

      omnomnom.top

      DNS Response

      195.201.252.28

    • 8.8.8.8:53
      235.4.20.104.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      235.4.20.104.in-addr.arpa

    • 8.8.8.8:53
      75.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      75.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      28.252.201.195.in-addr.arpa
      dns
      73 B
      131 B
      1
      1

      DNS Request

      28.252.201.195.in-addr.arpa

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
      143 B
      1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      106.107.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      106.107.17.2.in-addr.arpa

    • 8.8.8.8:53
      57.169.31.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      57.169.31.20.in-addr.arpa

    • 8.8.8.8:53
      103.169.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      103.169.127.40.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      65.139.73.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      65.139.73.23.in-addr.arpa

    • 8.8.8.8:53
      77.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      77.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      37.56.20.217.in-addr.arpa
      dns
      71 B
      131 B
      1
      1

      DNS Request

      37.56.20.217.in-addr.arpa

    • 8.8.8.8:53
      45.19.74.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      45.19.74.20.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2984-0-0x0000000000196000-0x0000000000197000-memory.dmp

      Filesize

      4KB

    • memory/4876-1-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

    • memory/4876-2-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

      Filesize

      4KB

    • memory/4876-3-0x00000000057A0000-0x0000000005806000-memory.dmp

      Filesize

      408KB

    • memory/4876-4-0x00000000062E0000-0x00000000068F8000-memory.dmp

      Filesize

      6.1MB

    • memory/4876-5-0x0000000005D20000-0x0000000005D32000-memory.dmp

      Filesize

      72KB

    • memory/4876-6-0x0000000005E50000-0x0000000005F5A000-memory.dmp

      Filesize

      1.0MB

    • memory/4876-7-0x0000000074DB0000-0x0000000075560000-memory.dmp

      Filesize

      7.7MB

    • memory/4876-8-0x0000000006B40000-0x0000000006B7C000-memory.dmp

      Filesize

      240KB

    • memory/4876-9-0x0000000006B80000-0x0000000006BCC000-memory.dmp

      Filesize

      304KB

    • memory/4876-10-0x0000000006E90000-0x0000000007052000-memory.dmp

      Filesize

      1.8MB

    • memory/4876-11-0x0000000007590000-0x0000000007ABC000-memory.dmp

      Filesize

      5.2MB

    • memory/4876-12-0x0000000008070000-0x0000000008614000-memory.dmp

      Filesize

      5.6MB

    • memory/4876-13-0x0000000007060000-0x00000000070F2000-memory.dmp

      Filesize

      584KB

    • memory/4876-14-0x0000000007100000-0x0000000007176000-memory.dmp

      Filesize

      472KB

    • memory/4876-15-0x0000000006E60000-0x0000000006E7E000-memory.dmp

      Filesize

      120KB

    • memory/4876-16-0x00000000074A0000-0x00000000074F0000-memory.dmp

      Filesize

      320KB

    • memory/4876-18-0x0000000074DB0000-0x0000000075560000-memory.dmp

      Filesize

      7.7MB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.