Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 14:29

General

  • Target

    71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe

  • Size

    390KB

  • MD5

    0f6e9123147c19f2467905401e618e1b

  • SHA1

    917abbb6f211d4a7662c8f05947e799452691601

  • SHA256

    71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80

  • SHA512

    151241129262e3de028e744556aa0ae408c5b469996892abd32ddd41dc86bc2a0e496e4bf2ed07c6a8cadff7643e3f0bc9b501eff36dd2b4a90b7ffef1e67e1f

  • SSDEEP

    6144:Kvy+bnr+Kp0yN90QEH1EEZn+h2FJ3GVHY+M0NoAsjLSTJHAcihT9/2U8sC2dQ:RMruy90cETW4YdJHnihTcU9BdQ

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

rc4.plain
1
a091ec0a6e22276a96a99c1d34ef679c

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper (2 IoCs)
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (8 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (38 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe
    "C:\Users\Admin\AppData\Local\Temp\71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2652
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3924
        • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
          "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4932
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:3396
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1328
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:4284
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "legola.exe" /P "Admin:N"
              6⤵
              PID:4420
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "legola.exe" /P "Admin:R" /E
              6⤵
              PID:1684
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:1140
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\ebb444342c" /P "Admin:N"
              6⤵
              PID:1500
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\ebb444342c" /P "Admin:R" /E
              6⤵
              PID:2088
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe
      2⤵
      • Executes dropped EXE
      PID:4764
  • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    1⤵
    • Executes dropped EXE
    PID:1272
  • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    1⤵
    • Executes dropped EXE
    PID:2000
  • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    1⤵
    • Executes dropped EXE
    PID:2140

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 442324
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C6F99BA007BD447BB0DEE360E92B5F87 Ref B: LON04EDGE1015 Ref C: 2024-05-09T14:29:35Z
    date: Thu, 09 May 2024 14:29:34 GMT
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TaOuXqNhdRPd6EPJ5o4mLDVUCUyp2hN5Q3LC76qDMz5ly0yVQIH5YdRybDWiCE1URm7BBJsUhPagDLK0OKIsQPBb_p36ggkaS-95xsKuEExgSJJGhjZHVbDcPtklnSiQ0YX0LyCflcMWN0A7mAaM2xMeGzKKpRsCyZZeASf5B6LzTLMX%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D02f74ab6dbf31e039dd62c9d7d33ae4c&TIME=20240426T130637Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TaOuXqNhdRPd6EPJ5o4mLDVUCUyp2hN5Q3LC76qDMz5ly0yVQIH5YdRybDWiCE1URm7BBJsUhPagDLK0OKIsQPBb_p36ggkaS-95xsKuEExgSJJGhjZHVbDcPtklnSiQ0YX0LyCflcMWN0A7mAaM2xMeGzKKpRsCyZZeASf5B6LzTLMX%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D02f74ab6dbf31e039dd62c9d7d33ae4c&TIME=20240426T130637Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3662CC16CEFB68FA3D7BD86CCF1B69C3; domain=.bing.com; expires=Tue, 03-Jun-2025 14:29:35 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B48E92627B5548758B5CEE04899AC38F Ref B: LON04EDGE1120 Ref C: 2024-05-09T14:29:35Z
    date: Thu, 09 May 2024 14:29:34 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TaOuXqNhdRPd6EPJ5o4mLDVUCUyp2hN5Q3LC76qDMz5ly0yVQIH5YdRybDWiCE1URm7BBJsUhPagDLK0OKIsQPBb_p36ggkaS-95xsKuEExgSJJGhjZHVbDcPtklnSiQ0YX0LyCflcMWN0A7mAaM2xMeGzKKpRsCyZZeASf5B6LzTLMX%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D02f74ab6dbf31e039dd62c9d7d33ae4c&TIME=20240426T130637Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TaOuXqNhdRPd6EPJ5o4mLDVUCUyp2hN5Q3LC76qDMz5ly0yVQIH5YdRybDWiCE1URm7BBJsUhPagDLK0OKIsQPBb_p36ggkaS-95xsKuEExgSJJGhjZHVbDcPtklnSiQ0YX0LyCflcMWN0A7mAaM2xMeGzKKpRsCyZZeASf5B6LzTLMX%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D02f74ab6dbf31e039dd62c9d7d33ae4c&TIME=20240426T130637Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3662CC16CEFB68FA3D7BD86CCF1B69C3; _EDGE_S=SID=15A0863AC6CE6BC5301D9240C7236A5D
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=sNCSoBNVXfMuegnzmUFxVLzC6QoaT8tZJO77-zbNq8E; domain=.bing.com; expires=Tue, 03-Jun-2025 14:29:35 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5120119EDF8149FA93E4D88DF36C0212 Ref B: LON04EDGE1120 Ref C: 2024-05-09T14:29:35Z
    date: Thu, 09 May 2024 14:29:35 GMT
  • flag-be
    GET
    https://www.bing.com/aes/c.gif?RG=b07042b53bef406dbadfad1c89d9298f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130637Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984
    Remote address:
    2.17.107.107:443
    Request
    GET /aes/c.gif?RG=b07042b53bef406dbadfad1c89d9298f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130637Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3662CC16CEFB68FA3D7BD86CCF1B69C3
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 52222269B7CD48CCB9CFAB2315BAF3D6 Ref B: AMS04EDGE3616 Ref C: 2024-05-09T14:29:35Z
    content-length: 0
    date: Thu, 09 May 2024 14:29:35 GMT
    set-cookie: _EDGE_S=SID=15A0863AC6CE6BC5301D9240C7236A5D; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=3662CC16CEFB68FA3D7BD86CCF1B69C3; path=/; httponly; expires=Tue, 03-Jun-2025 14:29:35 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.676b1102.1715264975.e1071f0
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.107.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.107.17.2.in-addr.arpa
    IN PTR
    Response
    107.107.17.2.in-addr.arpa
    IN PTR
    a2-17-107-107.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    2.17.107.107:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=3662CC16CEFB68FA3D7BD86CCF1B69C3; _EDGE_S=SID=15A0863AC6CE6BC5301D9240C7236A5D; MSPTC=sNCSoBNVXfMuegnzmUFxVLzC6QoaT8tZJO77-zbNq8E; MUIDB=3662CC16CEFB68FA3D7BD86CCF1B69C3
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Thu, 09 May 2024 14:29:37 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.676b1102.1715264977.e107ba4
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 792794
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2983078E67ED475BAC2429502D632FBB Ref B: LON04EDGE0614 Ref C: 2024-05-09T14:31:11Z
    date: Thu, 09 May 2024 14:31:10 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 430689
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2070CA2E783A438D89A1E92D972529EA Ref B: LON04EDGE0614 Ref C: 2024-05-09T14:31:11Z
    date: Thu, 09 May 2024 14:31:10 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 627437
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8A99FF716F4D4FE78D658EB83E962A4A Ref B: LON04EDGE0614 Ref C: 2024-05-09T14:31:11Z
    date: Thu, 09 May 2024 14:31:10 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 415458
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6491319931374F81A6F9123639D908B4 Ref B: LON04EDGE0614 Ref C: 2024-05-09T14:31:11Z
    date: Thu, 09 May 2024 14:31:10 GMT
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    18.4kB
    465.9kB
    351
    347

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TaOuXqNhdRPd6EPJ5o4mLDVUCUyp2hN5Q3LC76qDMz5ly0yVQIH5YdRybDWiCE1URm7BBJsUhPagDLK0OKIsQPBb_p36ggkaS-95xsKuEExgSJJGhjZHVbDcPtklnSiQ0YX0LyCflcMWN0A7mAaM2xMeGzKKpRsCyZZeASf5B6LzTLMX%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D02f74ab6dbf31e039dd62c9d7d33ae4c&TIME=20240426T130637Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    tls, http2
    2.5kB
    9.0kB
    20
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TaOuXqNhdRPd6EPJ5o4mLDVUCUyp2hN5Q3LC76qDMz5ly0yVQIH5YdRybDWiCE1URm7BBJsUhPagDLK0OKIsQPBb_p36ggkaS-95xsKuEExgSJJGhjZHVbDcPtklnSiQ0YX0LyCflcMWN0A7mAaM2xMeGzKKpRsCyZZeASf5B6LzTLMX%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D02f74ab6dbf31e039dd62c9d7d33ae4c&TIME=20240426T130637Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TaOuXqNhdRPd6EPJ5o4mLDVUCUyp2hN5Q3LC76qDMz5ly0yVQIH5YdRybDWiCE1URm7BBJsUhPagDLK0OKIsQPBb_p36ggkaS-95xsKuEExgSJJGhjZHVbDcPtklnSiQ0YX0LyCflcMWN0A7mAaM2xMeGzKKpRsCyZZeASf5B6LzTLMX%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D02f74ab6dbf31e039dd62c9d7d33ae4c&TIME=20240426T130637Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

    HTTP Response

    204
  • 2.17.107.107:443
    https://www.bing.com/aes/c.gif?RG=b07042b53bef406dbadfad1c89d9298f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130637Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984
    tls, http2
    1.4kB
    5.4kB
    16
    12

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=b07042b53bef406dbadfad1c89d9298f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130637Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984

    HTTP Response

    200
  • 2.17.107.107:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.6kB
    6.4kB
    17
    12

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 77.91.124.84:19071
    t7168966.exe
    260 B
    5
  • 5.42.92.67:80
    legola.exe
    260 B
    5
  • 77.91.124.84:19071
    t7168966.exe
    260 B
    5
  • 5.42.92.67:80
    legola.exe
    260 B
    5
  • 77.91.124.84:19071
    t7168966.exe
    260 B
    5
  • 5.42.92.67:80
    legola.exe
    260 B
    5
  • 77.91.124.84:19071
    t7168966.exe
    260 B
    5
              • 204.79.197.200:443
                tse1.mm.bing.net
                tls, http2
                1.2kB
                8.1kB
                16
                14
              • 204.79.197.200:443
                tse1.mm.bing.net
                tls, http2
                1.2kB
                8.1kB
                16
                14
              • 204.79.197.200:443
                tse1.mm.bing.net
                tls, http2
                1.2kB
                8.1kB
                16
                14
              • 204.79.197.200:443
                https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                tls, http2
                83.7kB
                2.4MB
                1712
                1710

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

                HTTP Response

                200

                HTTP Response

                200

                HTTP Response

                200

                HTTP Response

                200
              • 77.91.124.84:19071
                t7168966.exe
                260 B
                5
              • 77.91.124.84:19071
                t7168966.exe
                208 B
                4
              • 8.8.8.8:53
                8.8.8.8.in-addr.arpa
                dns
                66 B
                90 B
                1
                1

                DNS Request

                8.8.8.8.in-addr.arpa

              • 8.8.8.8:53
                tse1.mm.bing.net
                dns
                62 B
                173 B
                1
                1

                DNS Request

                tse1.mm.bing.net

                DNS Response

                204.79.197.200
                13.107.21.200

              • 8.8.8.8:53
                g.bing.com
                dns
                56 B
                151 B
                1
                1

                DNS Request

                g.bing.com

                DNS Response

                204.79.197.237
                13.107.21.237

              • 8.8.8.8:53
                79.190.18.2.in-addr.arpa
                dns
                70 B
                133 B
                1
                1

                DNS Request

                79.190.18.2.in-addr.arpa

              • 8.8.8.8:53
                58.55.71.13.in-addr.arpa
                dns
                70 B
                144 B
                1
                1

                DNS Request

                58.55.71.13.in-addr.arpa

              • 8.8.8.8:53
                200.197.79.204.in-addr.arpa
                dns
                73 B
                106 B
                1
                1

                DNS Request

                200.197.79.204.in-addr.arpa

              • 8.8.8.8:53
                95.221.229.192.in-addr.arpa
                dns
                73 B
                144 B
                1
                1

                DNS Request

                95.221.229.192.in-addr.arpa

              • 8.8.8.8:53
                237.197.79.204.in-addr.arpa
                dns
                73 B
                143 B
                1
                1

                DNS Request

                237.197.79.204.in-addr.arpa

              • 8.8.8.8:53
                107.107.17.2.in-addr.arpa
                dns
                71 B
                135 B
                1
                1

                DNS Request

                107.107.17.2.in-addr.arpa

              • 8.8.8.8:53
                76.32.126.40.in-addr.arpa
                dns
                71 B
                157 B
                1
                1

                DNS Request

                76.32.126.40.in-addr.arpa

              • 8.8.8.8:53
                26.35.223.20.in-addr.arpa
                dns
                71 B
                157 B
                1
                1

                DNS Request

                26.35.223.20.in-addr.arpa

              • 8.8.8.8:53
                172.210.232.199.in-addr.arpa
                dns
                74 B
                128 B
                1
                1

                DNS Request

                172.210.232.199.in-addr.arpa

              • 8.8.8.8:53
                88.156.103.20.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                88.156.103.20.in-addr.arpa

              • 8.8.8.8:53
                228.249.119.40.in-addr.arpa
                dns
                73 B
                159 B
                1
                1

                DNS Request

                228.249.119.40.in-addr.arpa

              • 8.8.8.8:53
                14.227.111.52.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                14.227.111.52.in-addr.arpa

              • 8.8.8.8:53
                tse1.mm.bing.net
                dns
                62 B
                173 B
                1
                1

                DNS Request

                tse1.mm.bing.net

                DNS Response

                204.79.197.200
                13.107.21.200

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe

                Filesize

                174KB

                MD5

                8d389d073b2beebc6758e4426950acf1

                SHA1

                418b296c120f7d03a8fda12546f84abefe101bd7

                SHA256

                22052d0b22cb9fbf76cc9ce7d73630aae6709880c857d6c86e9297ba8728117c

                SHA512

                6382aa3ed4aec88b3ada0e001f8cca4d7ffeedb20650d4b63ce78dbad373d5b265954116604525e35af177b7cc0f729783560f20b04d0f8c90c76962ee277e27

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe

                Filesize

                234KB

                MD5

                5cc11266b3d8b9fdfb73c46b6929c50c

                SHA1

                7a8b5a32269f1785a749a7f0577c2d9600fd9c84

                SHA256

                423dbbd7bdf741d19877d057fc05252d1464e68636e988bebd460e214986416b

                SHA512

                9b2fa4a88c467a2499c453505cdfdbf6fe22374d67e8ba4b45fa1da8594f126b155dbffcb9f2546b88814262feea677fc394ed36283172e88f80fc3ea85477fc

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe

                Filesize

                13KB

                MD5

                5e9cb39b7fd0110e2b07b5bb53e46943

                SHA1

                78f74fd61257827ed4a010d04705431203e6ed37

                SHA256

                b45d8a5bdba93cfa6879367d146f3b62e17ea91d99bd28cd5598ba67b832a9f8

                SHA512

                aa50da7eb3806f572b4bd41ab3d857ab7a8ba6e1296e27c8c04f350220292cd01cf8b7e04535177943789f10fd6640a03cbd097e562bad5d08d710f407d0376a

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe

                Filesize

                224KB

                MD5

                b5b873d143037f6f5b0f786292fcaf34

                SHA1

                052639c3611d2df6b849e4da83b2bbebc978e8f0

                SHA256

                6d7d3363c6f6c7615e0106f45c36038ad4949ad828b8b549f28184f60a5c7767

                SHA512

                4f5047de6a84fd5e883a3c6bd8de5d995add661379c48bbdbd8758a7eef447ba7d08974fe70ccd7eac06e5adcc9f887c887d9e83cff9328269f35abf8cc37a2d

              • memory/2652-14-0x0000000000600000-0x000000000060A000-memory.dmp

                Filesize

                40KB

              • memory/2652-15-0x00007FFF636C3000-0x00007FFF636C5000-memory.dmp

                Filesize

                8KB

              • memory/4764-33-0x0000000000770000-0x00000000007A0000-memory.dmp

                Filesize

                192KB

              • memory/4764-34-0x0000000000F70000-0x0000000000F76000-memory.dmp

                Filesize

                24KB

              • memory/4764-35-0x00000000057D0000-0x0000000005DE8000-memory.dmp

                Filesize

                6.1MB

              • memory/4764-36-0x00000000052C0000-0x00000000053CA000-memory.dmp

                Filesize

                1.0MB

              • memory/4764-37-0x0000000004FF0000-0x0000000005002000-memory.dmp

                Filesize

                72KB

              • memory/4764-38-0x0000000005050000-0x000000000508C000-memory.dmp

                Filesize

                240KB

              • memory/4764-39-0x00000000051B0000-0x00000000051FC000-memory.dmp

                Filesize

                304KB