Overview
overview
10Static
static
30cc30df7f6...35.exe
windows10-2004-x64
101208df4133...ab.exe
windows10-2004-x64
102d6ce3858d...b0.exe
windows7-x64
32d6ce3858d...b0.exe
windows10-2004-x64
103a484bb7d4...29.exe
windows10-2004-x64
103e36cb02ee...9a.exe
windows10-2004-x64
103f3ae36481...68.exe
windows7-x64
13f3ae36481...68.exe
windows10-2004-x64
14be1f370e8...6b.exe
windows7-x64
34be1f370e8...6b.exe
windows10-2004-x64
1054ca5c456c...76.exe
windows10-2004-x64
106aa8d5d0d6...df.exe
windows10-2004-x64
108db6f54494...1f.exe
windows10-2004-x64
10b07c30e9c2...0f.exe
windows10-2004-x64
10b62068be50...da.exe
windows10-2004-x64
10c1c526ed2a...52.exe
windows10-2004-x64
10cd9de412cd...04.exe
windows7-x64
10cd9de412cd...04.exe
windows10-2004-x64
10dce60a71ca...cc.exe
windows10-2004-x64
e25842dbe6...9e.exe
windows10-2004-x64
10f358ce518b...e2.exe
windows10-2004-x64
9f5bf417643...17.exe
windows7-x64
3f5bf417643...17.exe
windows10-2004-x64
10f6dc0b4c65...d6.exe
windows10-2004-x64
10f8dfa98c4e...be.exe
windows10-2004-x64
10Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 18:07 UTC
Static task
static1
Behavioral task
behavioral1
Sample
0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
1208df413315575653953f79f71da4afa0f3816339cca881a3bd12be0cc7f0ab.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
2d6ce3858dc5849cd0e5ce873e285bbd3b6a34ad11e20937b1827c8f3594abb0.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
2d6ce3858dc5849cd0e5ce873e285bbd3b6a34ad11e20937b1827c8f3594abb0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
3a484bb7d4882d8f4ab5dcb7c60a4d1397a642611888b68c5e13702926794729.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
3f3ae364814c4c229616f1792f939131d6af421c4fa431b81f955015d14c8168.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
3f3ae364814c4c229616f1792f939131d6af421c4fa431b81f955015d14c8168.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
54ca5c456ca4541c7a54027ae67295d9bdec93f29d76b9e8ab36e1fd52b1b876.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
8db6f544940545b4e7f0eef92bc68e65f5e9efd3707f33b7e5594777d56ed71f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
dce60a71ca88a61a579b58be67a969e9f1f6620feaff4c7102883b680d0162cc.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f358ce518b566bea6bdd08924ef70ab740c7135042e1d38e8776afca44f4c2e2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
f6dc0b4c65662a9753e54800489b07d9f5a6a4c896a61d93f3a1a3e28d5bc9d6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be.exe
Resource
win10v2004-20240426-en
General
-
Target
6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe
-
Size
308KB
-
MD5
d5f61fc6a8c52e0a93619aa88abf0823
-
SHA1
e8ab904b74f798424102a1739f810f09f1987d60
-
SHA256
6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df
-
SHA512
3b5a5f2a02c8788cb4e7245073766e30d3bbb4cb635ae648502d80ceed32a876b0103bc90ecc4fb1749f84d354cc3ba91034aad95f3fd1ea82fe12eca0b6b85f
-
SSDEEP
6144:K0y+bnr+jp0yN90QE3lEY+zbPsn4Jkb2LPrKRc57uiL4P7:MMrby901b+zYebLPrKG5fL8
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral12/memory/4636-8-0x0000000002190000-0x00000000021AA000-memory.dmp healer behavioral12/memory/4636-12-0x0000000004990000-0x00000000049A8000-memory.dmp healer behavioral12/memory/4636-29-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-41-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-39-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-37-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-35-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-33-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-31-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-27-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-25-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-23-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-21-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-19-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-17-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-15-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-14-0x0000000004990000-0x00000000049A2000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k6912702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k6912702.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k6912702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k6912702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k6912702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k6912702.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral12/files/0x000700000002343a-44.dat family_redline behavioral12/memory/4940-47-0x0000000000190000-0x00000000001B8000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
pid Process 4636 k6912702.exe 4940 l1624569.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k6912702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k6912702.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4636 k6912702.exe 4636 k6912702.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4636 k6912702.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3148 wrote to memory of 4636 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 83 PID 3148 wrote to memory of 4636 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 83 PID 3148 wrote to memory of 4636 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 83 PID 3148 wrote to memory of 4940 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 87 PID 3148 wrote to memory of 4940 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 87 PID 3148 wrote to memory of 4940 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe"C:\Users\Admin\AppData\Local\Temp\6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6912702.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6912702.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1624569.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1624569.exe2⤵
- Executes dropped EXE
PID:4940
-
Network
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request79.190.18.2.in-addr.arpaIN PTRResponse79.190.18.2.in-addr.arpaIN PTRa2-18-190-79deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request31.121.18.2.in-addr.arpaIN PTRResponse31.121.18.2.in-addr.arpaIN PTRa2-18-121-31deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request134.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request205.47.74.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request77.190.18.2.in-addr.arpaIN PTRResponse77.190.18.2.in-addr.arpaIN PTRa2-18-190-77deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A204.79.197.237dual-a-0034.a-msedge.netIN A13.107.21.237
-
GEThttps://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55Remote address:204.79.197.237:443RequestGET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2EF9B55B15FD6FE711C8A12114DA6E21; domain=.bing.com; expires=Tue, 03-Jun-2025 18:09:37 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 83CE1F9764B24CFF81B1F96621A25085 Ref B: LON04EDGE0608 Ref C: 2024-05-09T18:09:37Z
date: Thu, 09 May 2024 18:09:37 GMT
-
GEThttps://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55Remote address:204.79.197.237:443RequestGET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2EF9B55B15FD6FE711C8A12114DA6E21; _EDGE_S=SID=37123A620B90612A0B942E180A33602A
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=L-i2aB3V39czV05ixYy3Md-0DGq9VTPW5wmXYXEohq8; domain=.bing.com; expires=Tue, 03-Jun-2025 18:09:38 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1BB6CE3B9A0548DC86E154DD87992A07 Ref B: LON04EDGE0608 Ref C: 2024-05-09T18:09:38Z
date: Thu, 09 May 2024 18:09:38 GMT
-
GEThttps://www.bing.com/aes/c.gif?RG=cf3f11186fd9431a8a85a4c297e7a8dd&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240509T180902Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189Remote address:88.221.83.240:443RequestGET /aes/c.gif?RG=cf3f11186fd9431a8a85a4c297e7a8dd&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240509T180902Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2EF9B55B15FD6FE711C8A12114DA6E21
ResponseHTTP/2.0 200
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4ED8CA087E7F499398A88CD14315C1C3 Ref B: AMS04EDGE1619 Ref C: 2024-05-09T18:09:38Z
content-length: 0
date: Thu, 09 May 2024 18:09:38 GMT
set-cookie: _EDGE_S=SID=37123A620B90612A0B942E180A33602A; path=/; httponly; domain=bing.com
set-cookie: MUIDB=2EF9B55B15FD6FE711C8A12114DA6E21; path=/; httponly; expires=Tue, 03-Jun-2025 18:09:38 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.ec53dd58.1715278178.87eec76
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
Remote address:8.8.8.8:53Request237.197.79.204.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CA0784E207804D409A732570E3A28D64 Ref B: LON04EDGE0716 Ref C: 2024-05-09T18:09:38Z
date: Thu, 09 May 2024 18:09:38 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BE3CD890E92D457EB999762A634A0A63 Ref B: LON04EDGE0716 Ref C: 2024-05-09T18:09:38Z
date: Thu, 09 May 2024 18:09:38 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 158E1628CBAF450B949BED93D6B8A53C Ref B: LON04EDGE0716 Ref C: 2024-05-09T18:09:38Z
date: Thu, 09 May 2024 18:09:38 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 56C06F0AE1324D0B82A22E20321E4970 Ref B: LON04EDGE0716 Ref C: 2024-05-09T18:09:38Z
date: Thu, 09 May 2024 18:09:38 GMT
-
GEThttps://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90Remote address:88.221.83.240:443RequestGET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=2EF9B55B15FD6FE711C8A12114DA6E21; _EDGE_S=SID=37123A620B90612A0B942E180A33602A; MSPTC=L-i2aB3V39czV05ixYy3Md-0DGq9VTPW5wmXYXEohq8; MUIDB=2EF9B55B15FD6FE711C8A12114DA6E21
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 09 May 2024 18:09:38 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.ec53dd58.1715278178.87eee4e
-
Remote address:8.8.8.8:53Request240.83.221.88.in-addr.arpaIN PTRResponse240.83.221.88.in-addr.arpaIN PTRa88-221-83-240deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
204.79.197.237:443https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55tls, http22.5kB 9.0kB 19 16
HTTP Request
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55HTTP Response
204 -
88.221.83.240:443https://www.bing.com/aes/c.gif?RG=cf3f11186fd9431a8a85a4c297e7a8dd&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240509T180902Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189tls, http21.5kB 5.4kB 17 12
HTTP Request
GET https://www.bing.com/aes/c.gif?RG=cf3f11186fd9431a8a85a4c297e7a8dd&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240509T180902Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189HTTP Response
200 -
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http288.7kB 2.6MB 1893 1888
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200 -
1.2kB 8.1kB 16 13
-
1.2kB 8.0kB 16 12
-
1.2kB 8.0kB 16 12
-
88.221.83.240:443https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90tls, http21.6kB 6.4kB 17 13
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90HTTP Response
200 -
260 B 5
-
208 B 4
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
79.190.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
31.121.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
134.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
205.47.74.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
77.190.18.2.in-addr.arpa
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.23713.107.21.237
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
73 B 143 B 1 1
DNS Request
237.197.79.204.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
240.83.221.88.in-addr.arpa
-
73 B 106 B 1 1
DNS Request
200.197.79.204.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5ddacfe0ab3780ff5989c3f2c32e681cd
SHA1ffeeedaf65d9e6d3634d263d6a42a703777d567e
SHA2563206d9f91f805541bfe3ef067f2b41572a9c7c558db98e8473bb5d7dde6bca05
SHA512bfd8c9a4909bdeca40450a24570fe6031a7c23cc2586c913f944ba2242121b8aad3133fcdbaf55546a50302fbd0894229becc12f4d721848903a5f29aa88e13f
-
Filesize
136KB
MD5100120265e59b27a64574c737cd3dd59
SHA16d525c91ab327ab0fa09dd23e50fb11198d0c8f0
SHA25620e7be4a67709e8af75acd6d7f91f7818e1b85e7cc10690c9904f968f207c46b
SHA512203545141f943c1e5d81b2c105a0db41a49eb9fec335e8bb7cfd63529cfc50a9ce8a7dc49b5059ad7dd7b135a6796dd5c7665b31c6a916a2ccdab31edf08bee4