
Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 12:31 UTC

General

  • Target

    67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe

  • Size

    1.2MB

  • MD5

    178421ab07fbeb11767d3bda7c24a4d4

  • SHA1

    c2fda877254635b05fdda955b6a01651251ec00f

  • SHA256

    67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501

  • SHA512

    0a48c98fe000cd134b9712e2c812bf92523500b99190b9fe82d4f9e02a05305cabf37daf24ef0feffc5a0bee08d8c7a766c87a29f724652e523c95ef22a58ba2

  • SSDEEP

    24576:dyvPA4Sk2aRNRajD7T6B/M2+cjk3w3nz9KXwsvJO6ejg/vi6a:4H3SpaMmk2zk3GzglvoDA

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer, an antivirus disabler dropper 3 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe
    "C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3792
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:880
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4100
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4792
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1340
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe
            5⤵
            • Executes dropped EXE
            PID:4744

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Zu0BxSGwW_qmKnUgXjWcwjVUCUyWIgJdz2UpBSUdc1DZwzx0X_A1PrC3YccJR80kOsPxhnaN7bbTa94smOvSPfcRk0UtTdVCuA4LqWY6cfoJf6c1wQ52RRJjw-V5kJgiznsuBVxUOSQqzQQhoONBu4NxJ6SZJunHwovq7DdOE2_6GgQt%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dffb0d4f7a7161c2c6576b2ccc3488bf5&TIME=20240508T114007Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Zu0BxSGwW_qmKnUgXjWcwjVUCUyWIgJdz2UpBSUdc1DZwzx0X_A1PrC3YccJR80kOsPxhnaN7bbTa94smOvSPfcRk0UtTdVCuA4LqWY6cfoJf6c1wQ52RRJjw-V5kJgiznsuBVxUOSQqzQQhoONBu4NxJ6SZJunHwovq7DdOE2_6GgQt%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dffb0d4f7a7161c2c6576b2ccc3488bf5&TIME=20240508T114007Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1112555D12206D6329614126139B6CAD; domain=.bing.com; expires=Wed, 04-Jun-2025 12:31:37 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 99332DDB00324EF78CAA753F773A0839 Ref B: LON04EDGE0910 Ref C: 2024-05-10T12:31:37Z
    date: Fri, 10 May 2024 12:31:36 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Zu0BxSGwW_qmKnUgXjWcwjVUCUyWIgJdz2UpBSUdc1DZwzx0X_A1PrC3YccJR80kOsPxhnaN7bbTa94smOvSPfcRk0UtTdVCuA4LqWY6cfoJf6c1wQ52RRJjw-V5kJgiznsuBVxUOSQqzQQhoONBu4NxJ6SZJunHwovq7DdOE2_6GgQt%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dffb0d4f7a7161c2c6576b2ccc3488bf5&TIME=20240508T114007Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Zu0BxSGwW_qmKnUgXjWcwjVUCUyWIgJdz2UpBSUdc1DZwzx0X_A1PrC3YccJR80kOsPxhnaN7bbTa94smOvSPfcRk0UtTdVCuA4LqWY6cfoJf6c1wQ52RRJjw-V5kJgiznsuBVxUOSQqzQQhoONBu4NxJ6SZJunHwovq7DdOE2_6GgQt%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dffb0d4f7a7161c2c6576b2ccc3488bf5&TIME=20240508T114007Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1112555D12206D6329614126139B6CAD; _EDGE_S=SID=3B52C977B8A36A310BA7DD0CB9DA6BC3
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=9VFPItwduYw-EiOoHaf6qMNQWALKOJ3XZywtZIG6-js; domain=.bing.com; expires=Wed, 04-Jun-2025 12:31:37 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 15BD997F0EEE47B591AF41CD3A5CEB5A Ref B: LON04EDGE0910 Ref C: 2024-05-10T12:31:37Z
    date: Fri, 10 May 2024 12:31:36 GMT
  • flag-nl
    GET
    https://www.bing.com/aes/c.gif?RG=8752bb2618d14f318ae0e5e520760707&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114007Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981
    Remote address:
    23.62.61.113:443
    Request
    GET /aes/c.gif?RG=8752bb2618d14f318ae0e5e520760707&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114007Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1112555D12206D6329614126139B6CAD
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6C10D0BF645F4A5C88856B97AB8D80A7 Ref B: LON212050704037 Ref C: 2024-05-10T12:31:37Z
    content-length: 0
    date: Fri, 10 May 2024 12:31:37 GMT
    set-cookie: _EDGE_S=SID=3B52C977B8A36A310BA7DD0CB9DA6BC3; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=1112555D12206D6329614126139B6CAD; path=/; httponly; expires=Wed, 04-Jun-2025 12:31:37 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.6d3d3e17.1715344297.16894cc
  • flag-nl
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    23.62.61.113:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=1112555D12206D6329614126139B6CAD; _EDGE_S=SID=3B52C977B8A36A310BA7DD0CB9DA6BC3; MSPTC=9VFPItwduYw-EiOoHaf6qMNQWALKOJ3XZywtZIG6-js; MUIDB=1112555D12206D6329614126139B6CAD
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Fri, 10 May 2024 12:31:38 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.6d3d3e17.1715344298.168972a
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    113.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    113.61.62.23.in-addr.arpa
    IN PTR
    Response
    113.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-113.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    4.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Zu0BxSGwW_qmKnUgXjWcwjVUCUyWIgJdz2UpBSUdc1DZwzx0X_A1PrC3YccJR80kOsPxhnaN7bbTa94smOvSPfcRk0UtTdVCuA4LqWY6cfoJf6c1wQ52RRJjw-V5kJgiznsuBVxUOSQqzQQhoONBu4NxJ6SZJunHwovq7DdOE2_6GgQt%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dffb0d4f7a7161c2c6576b2ccc3488bf5&TIME=20240508T114007Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    tls, http2
    2.5kB
    9.0kB
    19
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Zu0BxSGwW_qmKnUgXjWcwjVUCUyWIgJdz2UpBSUdc1DZwzx0X_A1PrC3YccJR80kOsPxhnaN7bbTa94smOvSPfcRk0UtTdVCuA4LqWY6cfoJf6c1wQ52RRJjw-V5kJgiznsuBVxUOSQqzQQhoONBu4NxJ6SZJunHwovq7DdOE2_6GgQt%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dffb0d4f7a7161c2c6576b2ccc3488bf5&TIME=20240508T114007Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Zu0BxSGwW_qmKnUgXjWcwjVUCUyWIgJdz2UpBSUdc1DZwzx0X_A1PrC3YccJR80kOsPxhnaN7bbTa94smOvSPfcRk0UtTdVCuA4LqWY6cfoJf6c1wQ52RRJjw-V5kJgiznsuBVxUOSQqzQQhoONBu4NxJ6SZJunHwovq7DdOE2_6GgQt%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dffb0d4f7a7161c2c6576b2ccc3488bf5&TIME=20240508T114007Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

    HTTP Response

    204
  • 23.62.61.113:443
    https://www.bing.com/aes/c.gif?RG=8752bb2618d14f318ae0e5e520760707&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114007Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981
    tls, http2
    1.4kB
    5.3kB
    16
    11

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=8752bb2618d14f318ae0e5e520760707&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114007Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

    HTTP Response

    200
  • 23.62.61.113:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.6kB
    6.4kB
    16
    12

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 77.91.68.56:19071
    c4075312.exe
    260 B
    5
  • 77.91.68.56:19071
    c4075312.exe
    260 B
    5
  • 77.91.68.56:19071
    c4075312.exe
    260 B
    5
  • 77.91.68.56:19071
    c4075312.exe
    260 B
    5
  • 77.91.68.56:19071
    c4075312.exe
    260 B
    5
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    113.61.62.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    113.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    4.173.189.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    4.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe

    Filesize

    1.0MB

    MD5

    2c2992bee297eb92a1c30c47f171520d

    SHA1

    1aa27a41eb69ed9a6ab90e36fcfb302fd0fd89af

    SHA256

    1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396

    SHA512

    efb5cd6594ce8dbc6635cc04210e5e362f0a3ae2c65d5bc161ec903cd96cd58ffaee72fef87fd72fd71e67e09cb7ee0255e82d9944940d6cdb96277f4eacbbb7

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe

    Filesize

    908KB

    MD5

    e4759911e541d7a543ea033b0928ddf4

    SHA1

    e39c427a6cf47b16cddabfd2c7fb00038e1dbe1f

    SHA256

    f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be

    SHA512

    7760d634d8a8b0a2e2c9847c4c367589607de2d7ac43112830289dbf3585902dd0f824ebfcab04040f701afa6b86884824aed2f032e6c09714ac8575b7bf9e42

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe

    Filesize

    724KB

    MD5

    f4f787db36502a2e05f39da6a313e914

    SHA1

    4f842c75ce854d86420f9790c47c81bdcecd7c5d

    SHA256

    3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588

    SHA512

    0728509f9668750a075e73175e48f90625f5e62ef3d1e95641d654d43f749dacb1012110c6e445aa64308a64b0d23c447041ab0ec994300a6b06a1091523d52b

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe

    Filesize

    491KB

    MD5

    dd10174f7fa3d017558c8310bf07d851

    SHA1

    08d795a3d2334906da989e46a7e57d4ba9aa9f41

    SHA256

    cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604

    SHA512

    a714e8babdc8d8a0a9f8e6ef6430d4f1cde70d3d80a902a1e247eb93bdf76e91fa89c4132708e0c632469b725c625ae65e30a908f02018f10b23460a02ec9d05

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe

    Filesize

    325KB

    MD5

    a11dbc01603450452854f17aa7ea1eef

    SHA1

    18436f7c4a7a4477c0baa93ddc108babce9491bf

    SHA256

    2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c

    SHA512

    1ac3b35ac7b8742c8eded217595f30ae25eff216409bddd3cc18809ff6e5d873c7feae6e1e3501dc02bebe2205f9f9e8db9718c76315b679ca8ce73aca2135bf

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe

    Filesize

    294KB

    MD5

    175e3db636d9fd541cc11991815ea662

    SHA1

    c5e30c78f298c1aa26768bc036795e19ed7e60d7

    SHA256

    c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e

    SHA512

    06b1bc8a9746e8dfd1a4d72e98b8b76a1f543ae0c72c9e0233dce81451d7521f586da373e69459170a8d9442da4883f8247cfb9714227744c765c892583ac5c9

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe

    Filesize

    11KB

    MD5

    06d9b8f9236b959006976da775fea5e7

    SHA1

    46d5c5e6a3e7de6138cd764509a6754ce24d9484

    SHA256

    77353ead4144432dfd0e8fc833c458c8b88fb5d6bf7c9818ac430be40983b7f5

    SHA512

    ec0c6135f2b39d70cb35bd713d5fd9a0876055b46584f3535067f0f162be149024770c990e61ee041eabe5d3daf53aac49e747bb96189c3fa17346774a5edc6d

  • memory/1340-48-0x0000000000010000-0x000000000001A000-memory.dmp

    Filesize

    40KB

  • memory/4744-63-0x000000000A6C0000-0x000000000ACD8000-memory.dmp

    Filesize

    6.1MB

  • memory/4744-53-0x0000000000610000-0x000000000069C000-memory.dmp

    Filesize

    560KB

  • memory/4744-60-0x0000000000610000-0x000000000069C000-memory.dmp

    Filesize

    560KB

  • memory/4744-62-0x00000000043A0000-0x00000000043A6000-memory.dmp

    Filesize

    24KB

  • memory/4744-64-0x000000000A0A0000-0x000000000A1AA000-memory.dmp

    Filesize

    1.0MB

  • memory/4744-65-0x000000000A1D0000-0x000000000A1E2000-memory.dmp

    Filesize

    72KB

  • memory/4744-66-0x000000000A1F0000-0x000000000A22C000-memory.dmp

    Filesize

    240KB

  • memory/4744-67-0x000000000A260000-0x000000000A2AC000-memory.dmp

    Filesize

    304KB

  • memory/4792-42-0x0000000004490000-0x0000000004491000-memory.dmp

    Filesize

    4KB

  • memory/4792-41-0x0000000000570000-0x00000000005AE000-memory.dmp

    Filesize

    248KB

  • memory/4792-36-0x0000000000570000-0x00000000005AE000-memory.dmp

    Filesize

    248KB
