Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 18:07 UTC

General

  • Target

    6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe

  • Size

    308KB

  • MD5

    d5f61fc6a8c52e0a93619aa88abf0823

  • SHA1

    e8ab904b74f798424102a1739f810f09f1987d60

  • SHA256

    6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df

  • SHA512

    3b5a5f2a02c8788cb4e7245073766e30d3bbb4cb635ae648502d80ceed32a876b0103bc90ecc4fb1749f84d354cc3ba91034aad95f3fd1ea82fe12eca0b6b85f

  • SSDEEP

    6144:K0y+bnr+jp0yN90QE3lEY+zbPsn4Jkb2LPrKRc57uiL4P7:MMrby901b+zYebLPrKG5fL8

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper (17 IoCs)
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe
    "C:\Users\Admin\AppData\Local\Temp\6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6912702.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6912702.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4636
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1624569.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1624569.exe
      2⤵
      • Executes dropped EXE
      PID:4940

Network

  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    31.121.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.121.18.2.in-addr.arpa
    IN PTR
    Response
    31.121.18.2.in-addr.arpa
    IN PTR
    a2-18-121-31.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2EF9B55B15FD6FE711C8A12114DA6E21; domain=.bing.com; expires=Tue, 03-Jun-2025 18:09:37 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 83CE1F9764B24CFF81B1F96621A25085 Ref B: LON04EDGE0608 Ref C: 2024-05-09T18:09:37Z
    date: Thu, 09 May 2024 18:09:37 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2EF9B55B15FD6FE711C8A12114DA6E21; _EDGE_S=SID=37123A620B90612A0B942E180A33602A
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=L-i2aB3V39czV05ixYy3Md-0DGq9VTPW5wmXYXEohq8; domain=.bing.com; expires=Tue, 03-Jun-2025 18:09:38 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1BB6CE3B9A0548DC86E154DD87992A07 Ref B: LON04EDGE0608 Ref C: 2024-05-09T18:09:38Z
    date: Thu, 09 May 2024 18:09:38 GMT
  • flag-be
    GET
    https://www.bing.com/aes/c.gif?RG=cf3f11186fd9431a8a85a4c297e7a8dd&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240509T180902Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189
    Remote address:
    88.221.83.240:443
    Request
    GET /aes/c.gif?RG=cf3f11186fd9431a8a85a4c297e7a8dd&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240509T180902Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2EF9B55B15FD6FE711C8A12114DA6E21
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4ED8CA087E7F499398A88CD14315C1C3 Ref B: AMS04EDGE1619 Ref C: 2024-05-09T18:09:38Z
    content-length: 0
    date: Thu, 09 May 2024 18:09:38 GMT
    set-cookie: _EDGE_S=SID=37123A620B90612A0B942E180A33602A; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=2EF9B55B15FD6FE711C8A12114DA6E21; path=/; httponly; expires=Tue, 03-Jun-2025 18:09:38 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.ec53dd58.1715278178.87eec76
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 555746
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: CA0784E207804D409A732570E3A28D64 Ref B: LON04EDGE0716 Ref C: 2024-05-09T18:09:38Z
    date: Thu, 09 May 2024 18:09:38 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 659775
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BE3CD890E92D457EB999762A634A0A63 Ref B: LON04EDGE0716 Ref C: 2024-05-09T18:09:38Z
    date: Thu, 09 May 2024 18:09:38 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 638730
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 158E1628CBAF450B949BED93D6B8A53C Ref B: LON04EDGE0716 Ref C: 2024-05-09T18:09:38Z
    date: Thu, 09 May 2024 18:09:38 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 621794
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 56C06F0AE1324D0B82A22E20321E4970 Ref B: LON04EDGE0716 Ref C: 2024-05-09T18:09:38Z
    date: Thu, 09 May 2024 18:09:38 GMT
  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.83.240:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=2EF9B55B15FD6FE711C8A12114DA6E21; _EDGE_S=SID=37123A620B90612A0B942E180A33602A; MSPTC=L-i2aB3V39czV05ixYy3Md-0DGq9VTPW5wmXYXEohq8; MUIDB=2EF9B55B15FD6FE711C8A12114DA6E21
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Thu, 09 May 2024 18:09:38 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.ec53dd58.1715278178.87eee4e
  • flag-us
    DNS
    240.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.83.221.88.in-addr.arpa
    IN PTR
    Response
    240.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-240.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • 77.91.124.251:19069
    l1624569.exe
    260 B
    5
  • 77.91.124.251:19069
    l1624569.exe
    260 B
    5
  • 77.91.124.251:19069
    l1624569.exe
    260 B
    5
  • 77.91.124.251:19069
    l1624569.exe
    260 B
    5
  • 77.91.124.251:19069
    l1624569.exe
    260 B
    5
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
    tls, http2
    2.5kB
    9.0kB
    19
    16

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QbfsYXjv38iPTapr_DqBGTVUCUxUAyprF-656wjLiCfGA5B8IGrXcVTaNKhB6SMGjIw9OHpVQo2dsBCDzSYPdR4lxPLu0b2slgFBshT-PxKEMgzVc2FZVavPwPqr2O3g5CPbs2blf_EJTMLtSk1dPE_f-fQPJtCl2H2lr8TzI28uVEHY%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2ec46c545dbc1e8c81780a7fee845a2c&TIME=20240509T180902Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

    HTTP Response

    204
  • 88.221.83.240:443
    https://www.bing.com/aes/c.gif?RG=cf3f11186fd9431a8a85a4c297e7a8dd&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240509T180902Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189
    tls, http2
    1.5kB
    5.4kB
    17
    12

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=cf3f11186fd9431a8a85a4c297e7a8dd&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240509T180902Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

    HTTP Response

    200
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    88.7kB
    2.6MB
    1893
    1888

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    13
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.0kB
    16
    12
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.0kB
    16
    12
  • 88.221.83.240:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.6kB
    6.4kB
    17
    13

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 77.91.124.251:19069
    l1624569.exe
    260 B
    5
  • 77.91.124.251:19069
    l1624569.exe
    208 B
    4
  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    31.121.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    31.121.18.2.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    240.83.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    240.83.221.88.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6912702.exe

    Filesize

    175KB

    MD5

    ddacfe0ab3780ff5989c3f2c32e681cd

    SHA1

    ffeeedaf65d9e6d3634d263d6a42a703777d567e

    SHA256

    3206d9f91f805541bfe3ef067f2b41572a9c7c558db98e8473bb5d7dde6bca05

    SHA512

    bfd8c9a4909bdeca40450a24570fe6031a7c23cc2586c913f944ba2242121b8aad3133fcdbaf55546a50302fbd0894229becc12f4d721848903a5f29aa88e13f

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1624569.exe

    Filesize

    136KB

    MD5

    100120265e59b27a64574c737cd3dd59

    SHA1

    6d525c91ab327ab0fa09dd23e50fb11198d0c8f0

    SHA256

    20e7be4a67709e8af75acd6d7f91f7818e1b85e7cc10690c9904f968f207c46b

    SHA512

    203545141f943c1e5d81b2c105a0db41a49eb9fec335e8bb7cfd63529cfc50a9ce8a7dc49b5059ad7dd7b135a6796dd5c7665b31c6a916a2ccdab31edf08bee4

  • memory/4636-29-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-21-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-10-0x00000000049F0000-0x0000000004F94000-memory.dmp

    Filesize

    5.6MB

  • memory/4636-11-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4636-12-0x0000000004990000-0x00000000049A8000-memory.dmp

    Filesize

    96KB

  • memory/4636-13-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4636-8-0x0000000002190000-0x00000000021AA000-memory.dmp

    Filesize

    104KB

  • memory/4636-41-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-39-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-37-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-35-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-33-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-31-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-27-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-9-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4636-25-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-17-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-19-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-23-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-15-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-14-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

  • memory/4636-43-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4636-7-0x000000007454E000-0x000000007454F000-memory.dmp

    Filesize

    4KB

  • memory/4940-48-0x0000000074510000-0x00000000745BB000-memory.dmp

    Filesize

    684KB

  • memory/4940-47-0x0000000000190000-0x00000000001B8000-memory.dmp

    Filesize

    160KB

  • memory/4940-49-0x0000000007490000-0x0000000007AA8000-memory.dmp

    Filesize

    6.1MB

  • memory/4940-50-0x0000000006EF0000-0x0000000006F02000-memory.dmp

    Filesize

    72KB

  • memory/4940-51-0x0000000007020000-0x000000000712A000-memory.dmp

    Filesize

    1.0MB

  • memory/4940-52-0x0000000006F80000-0x0000000006FBC000-memory.dmp

    Filesize

    240KB

  • memory/4940-53-0x0000000002340000-0x000000000238C000-memory.dmp

    Filesize

    304KB

  • memory/4940-54-0x0000000074510000-0x00000000745BB000-memory.dmp

    Filesize

    684KB
