Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 12:29 UTC

General

  • Target

    1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe

  • Size

    514KB

  • MD5

    1942d1d3d93833f0a1d4f5381ce33a23

  • SHA1

    4056636db4625bb6b3fee03b4c1be992681affa9

  • SHA256

    1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e

  • SHA512

    a9569c93345b4565b8e9bd30a1b09400eaba1ddeb3fbcf00d53563d1ba34d4d6f4f5bba9ffe6852ff699de66e8177eab35ffc771741fd9d528e6802726aa3a6c

  • SSDEEP

    12288:SMrqy908fsn+JqW9WsGJPMj1kn4tBA6jmcRyqBq08:4yIEqwWsKmy4YikWJ8

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

  • rc4.plain

    1
    006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3788
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:432
          • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
            "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:748
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4076
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4008
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:4512
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "danke.exe" /P "Admin:N"
                7⤵
                PID:804
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "danke.exe" /P "Admin:R" /E
                7⤵
                PID:2440
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:852
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\3ec1f323b5" /P "Admin:N"
                7⤵
                PID:2508
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\3ec1f323b5" /P "Admin:R" /E
                7⤵
                PID:2272
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:3016
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
      2⤵
      • Executes dropped EXE
      PID:3620
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:3588
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:2252

Network

              • flag-us
                DNS
                g.bing.com
                Remote address:
                8.8.8.8:53
                Request
                g.bing.com
                IN A
                Response
                g.bing.com
                IN CNAME
                g-bing-com.dual-a-0034.a-msedge.net
                g-bing-com.dual-a-0034.a-msedge.net
                IN CNAME
                dual-a-0034.a-msedge.net
                dual-a-0034.a-msedge.net
                IN A
                204.79.197.237
                dual-a-0034.a-msedge.net
                IN A
                13.107.21.237
              • flag-us
                GET
                https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vrK_DnSF5QqD_UBvVrjnXDVUCUxmMt7ydGaMKuK8ZvUNmEf473qZT2GeY5Tw7jlg5Aly87Hslk7ASfzwtXrvlA-KJxGLC1hAnmvp9-4jDGUEzCUS6I0m9_U6LXHUjr3lof5Xa7Bv2IS-0qMBZS5KvjDe25yQchg2AlnHXv3YAtRU1Nvm%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D227fa2e9a81a189b8df3c4c20775aaa6&TIME=20240426T134341Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
                Remote address:
                204.79.197.237:443
                Request
                GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vrK_DnSF5QqD_UBvVrjnXDVUCUxmMt7ydGaMKuK8ZvUNmEf473qZT2GeY5Tw7jlg5Aly87Hslk7ASfzwtXrvlA-KJxGLC1hAnmvp9-4jDGUEzCUS6I0m9_U6LXHUjr3lof5Xa7Bv2IS-0qMBZS5KvjDe25yQchg2AlnHXv3YAtRU1Nvm%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D227fa2e9a81a189b8df3c4c20775aaa6&TIME=20240426T134341Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
                host: g.bing.com
                accept-encoding: gzip, deflate
                user-agent: WindowsShellClient/9.0.40929.0 (Windows)
                Response
                HTTP/2.0 204
                cache-control: no-cache, must-revalidate
                pragma: no-cache
                expires: Fri, 01 Jan 1990 00:00:00 GMT
                set-cookie: MUID=3EB891775A6B62A2394C850C5B8B6391; domain=.bing.com; expires=Wed, 04-Jun-2025 12:30:25 GMT; path=/; SameSite=None; Secure; Priority=High;
                strict-transport-security: max-age=31536000; includeSubDomains; preload
                access-control-allow-origin: *
                x-cache: CONFIG_NOCACHE
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: A017E9E1039349E3808E7B406A5A6C33 Ref B: LON04EDGE1022 Ref C: 2024-05-10T12:30:25Z
                date: Fri, 10 May 2024 12:30:24 GMT
              • flag-us
                GET
                https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vrK_DnSF5QqD_UBvVrjnXDVUCUxmMt7ydGaMKuK8ZvUNmEf473qZT2GeY5Tw7jlg5Aly87Hslk7ASfzwtXrvlA-KJxGLC1hAnmvp9-4jDGUEzCUS6I0m9_U6LXHUjr3lof5Xa7Bv2IS-0qMBZS5KvjDe25yQchg2AlnHXv3YAtRU1Nvm%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D227fa2e9a81a189b8df3c4c20775aaa6&TIME=20240426T134341Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
                Remote address:
                204.79.197.237:443
                Request
                GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vrK_DnSF5QqD_UBvVrjnXDVUCUxmMt7ydGaMKuK8ZvUNmEf473qZT2GeY5Tw7jlg5Aly87Hslk7ASfzwtXrvlA-KJxGLC1hAnmvp9-4jDGUEzCUS6I0m9_U6LXHUjr3lof5Xa7Bv2IS-0qMBZS5KvjDe25yQchg2AlnHXv3YAtRU1Nvm%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D227fa2e9a81a189b8df3c4c20775aaa6&TIME=20240426T134341Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
                host: g.bing.com
                accept-encoding: gzip, deflate
                user-agent: WindowsShellClient/9.0.40929.0 (Windows)
                cookie: MUID=3EB891775A6B62A2394C850C5B8B6391; _EDGE_S=SID=1E278085C2D36E093F2094FEC3AA6F81
                Response
                HTTP/2.0 204
                cache-control: no-cache, must-revalidate
                pragma: no-cache
                expires: Fri, 01 Jan 1990 00:00:00 GMT
                set-cookie: MSPTC=_jpgjWJ_07V_OzE6VMrN8QFVjMcDfN7aMYhvYgssZKQ; domain=.bing.com; expires=Wed, 04-Jun-2025 12:30:25 GMT; path=/; Partitioned; secure; SameSite=None
                strict-transport-security: max-age=31536000; includeSubDomains; preload
                access-control-allow-origin: *
                x-cache: CONFIG_NOCACHE
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 052ED6DD7EE14C059EE0D80DD3EB7D22 Ref B: LON04EDGE1022 Ref C: 2024-05-10T12:30:25Z
                date: Fri, 10 May 2024 12:30:25 GMT
              • flag-us
                DNS
                183.142.211.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                183.142.211.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                237.197.79.204.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                237.197.79.204.in-addr.arpa
                IN PTR
                Response
              • flag-nl
                GET
                https://www.bing.com/aes/c.gif?RG=62a4302904fb46a89c8bcbaa2f7191e5&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134341Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189
                Remote address:
                23.62.61.113:443
                Request
                GET /aes/c.gif?RG=62a4302904fb46a89c8bcbaa2f7191e5&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134341Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189 HTTP/2.0
                host: www.bing.com
                accept-encoding: gzip, deflate
                user-agent: WindowsShellClient/9.0.40929.0 (Windows)
                cookie: MUID=3EB891775A6B62A2394C850C5B8B6391
                Response
                HTTP/2.0 200
                cache-control: private,no-store
                pragma: no-cache
                vary: Origin
                p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 5CE29558B72A4E23A25DA5266A8173F5 Ref B: LON212050704023 Ref C: 2024-05-10T12:30:25Z
                content-length: 0
                date: Fri, 10 May 2024 12:30:25 GMT
                set-cookie: _EDGE_S=SID=1E278085C2D36E093F2094FEC3AA6F81; path=/; httponly; domain=bing.com
                set-cookie: MUIDB=3EB891775A6B62A2394C850C5B8B6391; path=/; httponly; expires=Wed, 04-Jun-2025 12:30:25 GMT
                alt-svc: h3=":443"; ma=93600
                x-cdn-traceid: 0.6d3d3e17.1715344225.167b321
              • flag-us
                DNS
                172.210.232.199.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                172.210.232.199.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                95.221.229.192.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                95.221.229.192.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                113.61.62.23.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                113.61.62.23.in-addr.arpa
                IN PTR
                Response
                113.61.62.23.in-addr.arpa
                IN PTR
                a23-62-61-113.deploy.static.akamaitechnologies.com
              • flag-us
                DNS
                76.32.126.40.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                76.32.126.40.in-addr.arpa
                IN PTR
                Response
              • flag-nl
                GET
                https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
                Remote address:
                23.62.61.113:443
                Request
                GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
                host: www.bing.com
                accept: */*
                cookie: MUID=3EB891775A6B62A2394C850C5B8B6391; _EDGE_S=SID=1E278085C2D36E093F2094FEC3AA6F81; MSPTC=_jpgjWJ_07V_OzE6VMrN8QFVjMcDfN7aMYhvYgssZKQ; MUIDB=3EB891775A6B62A2394C850C5B8B6391
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-type: image/png
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                content-length: 1107
                date: Fri, 10 May 2024 12:30:27 GMT
                alt-svc: h3=":443"; ma=93600
                x-cdn-traceid: 0.6d3d3e17.1715344227.167b9f8
              • flag-us
                DNS
                43.58.199.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                43.58.199.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                88.156.103.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                88.156.103.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                104.219.191.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                104.219.191.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                13.227.111.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                13.227.111.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                tse1.mm.bing.net
                Remote address:
                8.8.8.8:53
                Request
                tse1.mm.bing.net
                IN A
                Response
                tse1.mm.bing.net
                IN CNAME
                mm-mm.bing.net.trafficmanager.net
                mm-mm.bing.net.trafficmanager.net
                IN CNAME
                dual-a-0001.a-msedge.net
                dual-a-0001.a-msedge.net
                IN A
                204.79.197.200
                dual-a-0001.a-msedge.net
                IN A
                13.107.21.200
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 476246
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 09569B57B9F1458CB66FE8EE19AC7E01 Ref B: LON04EDGE0719 Ref C: 2024-05-10T12:32:00Z
                date: Fri, 10 May 2024 12:31:59 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 464243
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: E06773BFEE704C93B88E44CB382432BA Ref B: LON04EDGE0719 Ref C: 2024-05-10T12:32:00Z
                date: Fri, 10 May 2024 12:31:59 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 499516
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 8587CB81F31641B0BEAF2D04DD4E5369 Ref B: LON04EDGE0719 Ref C: 2024-05-10T12:32:00Z
                date: Fri, 10 May 2024 12:31:59 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 382817
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 8BEE3243D71349CB84DEC89E38E3BD26 Ref B: LON04EDGE0719 Ref C: 2024-05-10T12:32:00Z
                date: Fri, 10 May 2024 12:31:59 GMT
              • flag-us
                DNS
                25.73.42.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                25.73.42.20.in-addr.arpa
                IN PTR
                Response
              • 204.79.197.237:443
                https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vrK_DnSF5QqD_UBvVrjnXDVUCUxmMt7ydGaMKuK8ZvUNmEf473qZT2GeY5Tw7jlg5Aly87Hslk7ASfzwtXrvlA-KJxGLC1hAnmvp9-4jDGUEzCUS6I0m9_U6LXHUjr3lof5Xa7Bv2IS-0qMBZS5KvjDe25yQchg2AlnHXv3YAtRU1Nvm%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D227fa2e9a81a189b8df3c4c20775aaa6&TIME=20240426T134341Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
                tls, http2
                2.5kB
                9.0kB
                20
                17

                HTTP Request

                GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vrK_DnSF5QqD_UBvVrjnXDVUCUxmMt7ydGaMKuK8ZvUNmEf473qZT2GeY5Tw7jlg5Aly87Hslk7ASfzwtXrvlA-KJxGLC1hAnmvp9-4jDGUEzCUS6I0m9_U6LXHUjr3lof5Xa7Bv2IS-0qMBZS5KvjDe25yQchg2AlnHXv3YAtRU1Nvm%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D227fa2e9a81a189b8df3c4c20775aaa6&TIME=20240426T134341Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

                HTTP Response

                204

                HTTP Request

                GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vrK_DnSF5QqD_UBvVrjnXDVUCUxmMt7ydGaMKuK8ZvUNmEf473qZT2GeY5Tw7jlg5Aly87Hslk7ASfzwtXrvlA-KJxGLC1hAnmvp9-4jDGUEzCUS6I0m9_U6LXHUjr3lof5Xa7Bv2IS-0qMBZS5KvjDe25yQchg2AlnHXv3YAtRU1Nvm%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D227fa2e9a81a189b8df3c4c20775aaa6&TIME=20240426T134341Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

                HTTP Response

                204
              • 23.62.61.113:443
                https://www.bing.com/aes/c.gif?RG=62a4302904fb46a89c8bcbaa2f7191e5&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134341Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189
                tls, http2
                1.4kB
                5.3kB
                16
                11

                HTTP Request

                GET https://www.bing.com/aes/c.gif?RG=62a4302904fb46a89c8bcbaa2f7191e5&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134341Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

                HTTP Response

                200
              • 23.62.61.113:443
                https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
                tls, http2
                1.6kB
                6.4kB
                17
                12

                HTTP Request

                GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

                HTTP Response

                200
              • 77.91.68.56:19071
                d3489522.exe
                260 B
                5
              • 77.91.68.3:80
                danke.exe
                260 B
                5
              • 77.91.68.56:19071
                d3489522.exe
                260 B
                5
              • 77.91.68.3:80
                danke.exe
                260 B
                5
              • 77.91.68.56:19071
                d3489522.exe
                260 B
                5
              • 77.91.68.3:80
                danke.exe
                260 B
                5
              • 77.91.68.56:19071
                d3489522.exe
                260 B
                5
              • 204.79.197.200:443 | https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 | tls, http2 | sent 66.4kB / 1376 packets | received 1.9MB / 1370 packets
                HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                HTTP Response: 200, 200, 200, 200
              • 204.79.197.200:443 | tse1.mm.bing.net | tls, http2 | sent 1.2kB / 16 packets | received 8.1kB / 14 packets
              • 204.79.197.200:443 | tse1.mm.bing.net | tls, http2 | sent 1.2kB / 16 packets | received 8.1kB / 14 packets
              • 204.79.197.200:443 | tse1.mm.bing.net | tls, http2 | sent 1.2kB / 16 packets | received 8.1kB / 14 packets
              • 77.91.68.3:80 | danke.exe | sent 260 B / 5 packets
              • 77.91.68.56:19071 | d3489522.exe | sent 260 B / 5 packets
              • 77.91.68.3:80 | danke.exe | sent 208 B / 4 packets
              • 77.91.68.56:19071 | d3489522.exe | sent 208 B / 4 packets
              • 8.8.8.8:53 | g.bing.com | dns | sent 56 B / 1 packet | received 151 B / 1 packet
                DNS Request: g.bing.com
                DNS Response: 204.79.197.237, 13.107.21.237
              • 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | dns | sent 73 B / 1 packet | received 159 B / 1 packet
                DNS Request: 183.142.211.20.in-addr.arpa
              • 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | dns | sent 73 B / 1 packet | received 143 B / 1 packet
                DNS Request: 237.197.79.204.in-addr.arpa
              • 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | dns | sent 74 B / 1 packet | received 128 B / 1 packet
                DNS Request: 172.210.232.199.in-addr.arpa
              • 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | dns | sent 73 B / 1 packet | received 144 B / 1 packet
                DNS Request: 95.221.229.192.in-addr.arpa
              • 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | dns | sent 71 B / 1 packet | received 135 B / 1 packet
                DNS Request: 113.61.62.23.in-addr.arpa
              • 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | dns | sent 71 B / 1 packet | received 157 B / 1 packet
                DNS Request: 76.32.126.40.in-addr.arpa
              • 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | dns | sent 71 B / 1 packet | received 157 B / 1 packet
                DNS Request: 43.58.199.20.in-addr.arpa
              • 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | dns | sent 72 B / 1 packet | received 158 B / 1 packet
                DNS Request: 88.156.103.20.in-addr.arpa
              • 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | dns | sent 73 B / 1 packet | received 147 B / 1 packet
                DNS Request: 104.219.191.52.in-addr.arpa
              • 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | dns | sent 72 B / 1 packet | received 158 B / 1 packet
                DNS Request: 13.227.111.52.in-addr.arpa
              • 8.8.8.8:53 | tse1.mm.bing.net | dns | sent 62 B / 1 packet | received 173 B / 1 packet
                DNS Request: tse1.mm.bing.net
                DNS Response: 204.79.197.200, 13.107.21.200
              • 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | dns | sent 70 B / 1 packet | received 156 B / 1 packet
                DNS Request: 25.73.42.20.in-addr.arpa

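The entries above show d3489522.exe and danke.exe repeatedly contacting 77.91.68.56:19071 and 77.91.68.3:80 with only a sent column: 260 B over 5 packets or 208 B over 4 packets, which is 52 bytes per packet, the size of a bare Windows TCP SYN. That is what a connect that is never answered and is retried looks like, so in this run neither destination replied, while every Bing and DNS entry has received bytes. The parser and check below are an added example written for this page, not code from the report or from any vendor tooling; the input is a constructed sample in the report's flattened form, and the 52-byte SYN size and the two-attempt threshold are assumptions stated in the code.

```python
# Added example (editor-written, not part of the tria.ge report): parse the
# flattened network listing above into records and flag destinations that
# were retried and never answered.
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the report's flattened form (not a real capture).
SAMPLE = """\
• 77.91.68.56:19071
  d3489522.exe
  260 B
  5
• 204.79.197.200:443
  tse1.mm.bing.net
  tls, http2
  1.2kB
  8.1kB
  16
  14
• 77.91.68.56:19071
  d3489522.exe
  208 B
  4
• 8.8.8.8:53
  tse1.mm.bing.net
  dns
  62 B
  173 B
  1
  1
  DNS Response
  204.79.197.200
  13.107.21.200
"""
# Assumption: a Windows TCP SYN (20-byte IP + 32-byte TCP header with options)
# is 52 bytes, so N unanswered retries show as 52*N bytes sent over N packets.
SYN_BYTES = 52
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|kB|MB)$")
UNITS = {"B": 1, "kB": 1_000, "MB": 1_000_000}
SECTIONS = {"DNS Request", "DNS Response", "HTTP Request", "HTTP Response"}

@dataclass
class Connection:
    dest: str
    label: str                    # domain, URL or originating process
    proto: str = ""
    sent: int = 0
    recv: Optional[int] = None    # None: the report shows no received column
    pkts_sent: int = 0
    pkts_recv: Optional[int] = None
    answers: List[str] = field(default_factory=list)   # DNS Response lines

def parse_size(text: str) -> int:
    m = SIZE_RE.match(text.strip())         # '1.2kB' -> 1200, '260 B' -> 260
    assert m, f"bad size: {text!r}"
    return int(round(float(m.group(1)) * UNITS[m.group(2)]))

def _build(lines: List[str]) -> Connection:
    dest, rest = lines[0], [ln for ln in lines[1:] if ln]
    end = next((i for i, ln in enumerate(rest) if ln in SECTIONS), len(rest))
    conn, vals, section = Connection(dest=dest, label=rest[0]), rest[1:end], None
    if len(vals) == 5:        # protocol, sent, received, pkts sent, pkts received
        conn.proto, conn.sent, conn.recv = vals[0], parse_size(vals[1]), parse_size(vals[2])
        conn.pkts_sent, conn.pkts_recv = int(vals[3]), int(vals[4])
    elif len(vals) == 2:      # sent bytes and packets only: nothing came back
        conn.sent, conn.pkts_sent = parse_size(vals[0]), int(vals[1])
    else:
        raise ValueError(f"unexpected field count for {dest}: {vals}")
    for ln in rest[end:]:     # sub-blocks; only DNS answers are kept here
        if ln in SECTIONS:
            section = ln
        elif section == "DNS Response":
            conn.answers.append(ln)
    return conn

def parse_listing(text: str) -> List[Connection]:
    entries: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            entries.append([line[1:].strip()])
        elif entries:
            entries[-1].append(line)
    return [_build(e) for e in entries]

def flag_beacons(conns: List[Connection], min_attempts: int = 2) -> Dict[str, dict]:
    """Non-DNS destinations contacted at least min_attempts times, never
    answered, with byte counts that match bare SYN retries."""
    by_dest: Dict[str, List[Connection]] = defaultdict(list)
    for c in conns:
        if c.proto != "dns":
            by_dest[c.dest].append(c)
    flagged = {}
    for dest, group in by_dest.items():
        unanswered = all(c.recv is None for c in group)
        syn_only = all(c.sent == c.pkts_sent * SYN_BYTES for c in group)
        if unanswered and syn_only and len(group) >= min_attempts:
            flagged[dest] = {"attempts": len(group),
                             "syn_packets": sum(c.pkts_sent for c in group),
                             "processes": sorted({c.label for c in group})}
    return flagged
```

Run over the whole listing above, the same check singles out the two 77.91.68.x destinations (eleven attempts between them) and leaves the Bing and resolver traffic alone; the received-bytes test, not the port number, is what separates them.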
              MITRE ATT&CK Enterprise v15


              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe (174KB)
                MD5     fd61776b34b5a58e732533da17d122d0
                SHA1    336015c059047a658ea57b6ebe49418d23a65593
                SHA256  64faeec435f51816cff0efdacc9e777d677400fd7a59bc1e037a24ec7ae7cb4b
                SHA512  afbd9465a721b8e447359c88451f9525ecc5f3aedf79be424b49d4a93d5921797854471257fb1f1ea7d967e56d54aec7b712773875f92fd4335e5a12afd4fc68

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe (359KB)
                MD5     e5fee7b57e9630eb6cbe1861cb6d1a82
                SHA1    de69d6c77a4db78be5c7239199528da46bd4a9b9
                SHA256  e7da30afc9870af8478dffe8cb7c3517dbcd725d83d3c9e7435cc5bcfaa1a76d
                SHA512  c7af1fd9383094548929920e18b2adeb6d07fded702fc748f557d913ad8521c666e419aee611d994ec94154830967e39d797a98ba0cd18ab10548ce85f6a02ba

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe (31KB)
                MD5     c4c414d786976435cb8561c43d8dc57d
                SHA1    fd73133d3509d1a6982b000a75b9dbdc7769ec22
                SHA256  129a6c5e5a8d98619b5be3818dfde6bab9c5345171d9d8401b886fed0660817a
                SHA512  744106f95b8f57ea59e2906a7cbaf2e1a172cee013be12f0752b3308c428f92f9824a2497f3fced82d9124d3ab52448d3b240889fdad26925e710aa47f67b028

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe (235KB)
                MD5     b3f0cfa1b2d4fab75074fe1a7b426ebb
                SHA1    61d950a5d649826b8b646453df4398cdd56189b9
                SHA256  0bd882b9fd1549e5b281cbaa19a8a2a2952a03219737db0af5cadf4e817c0561
                SHA512  0141c9f835859df5fa0d8a04d010482961a693bada72d57e60677ee84b79bc86e59b523b3a4f9168fb240a815d9f80fbba05cc0d5f5a7f7d0415d0eabef699d0

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe (13KB)
                MD5     c9767fb557c8496da35f32149019f254
                SHA1    dc206616148aad4e06dd3fb380d34b4ba15a9c6d
                SHA256  d039e2510d33b0cca9b9d06c2be8152c5e126660c7860649dd966e1a7b375e9c
                SHA512  f9c225248b0a8f9766b936694f71b347a0f006110928d26717d886d6b78f1b9ea3b3518a3123004cb20c4d4ffa5eb394bd169641163b297046a967f1ac9c4445

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe (225KB)
                MD5     9728e9852854da025b4314bd0fd3687c
                SHA1    6a87c09c8e29b6ca1c336416088f12cce0c206f8
                SHA256  2c0f306d091f752e409e8bcbe20934ffa23430a90dea79c62aff27ee1b3035cf
                SHA512  23df44bd9f5ae665f2d4c320603162b1d98b30b5610e99b5a9082843d76f0a6444e83e1c1792c2febf20d771b297777af8faa0403ba80f2f3f8b1c487abf7144

              • memory/3016-40-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
              • memory/3620-47-0x0000000005020000-0x000000000512A000-memory.dmp (1.0MB)
              • memory/3620-44-0x0000000000570000-0x00000000005A0000-memory.dmp (192KB)
              • memory/3620-45-0x0000000002810000-0x0000000002816000-memory.dmp (24KB)
              • memory/3620-46-0x0000000005530000-0x0000000005B48000-memory.dmp (6.1MB)
              • memory/3620-48-0x0000000004F10000-0x0000000004F22000-memory.dmp (72KB)
              • memory/3620-49-0x0000000004F70000-0x0000000004FAC000-memory.dmp (240KB)
              • memory/3620-50-0x0000000004FB0000-0x0000000004FFC000-memory.dmp (304KB)
              • memory/3788-21-0x0000000000C40000-0x0000000000C4A000-memory.dmp (40KB)
              • memory/3788-22-0x00007FFE62A33000-0x00007FFE62A35000-memory.dmp (8KB)

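Each download above is one label/value pair per digest, and each memory dump name encodes the process id, an index and the start and end address of the dumped region, so the stated size can be checked against the address range: 0x409000 - 0x400000 = 0x9000 = 36KB for the first dump, and the report's sizes use binary units. Below is an added example written for this page, not the report's own tooling, that parses both listings into artifact records, validates digest length and alphabet, and cross-checks every dump's stated size against its range. The sample input is constructed from entries above, and the image-base heuristic (a region starting at 0x400000, the default 32-bit PE base, as a hint of an unpacked image) is an assumption noted in the code.

```python
# Added example (editor-written, not part of the tria.ge report): parse the
# flattened Downloads and memory-dump listings into artifact records, check
# digest formats, and cross-check each dump's stated size against the address
# range encoded in its name (memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the report's flattened form, copied from entries above.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
  Filesize
  174KB
  MD5
  fd61776b34b5a58e732533da17d122d0
  SHA1
  336015c059047a658ea57b6ebe49418d23a65593
  SHA256
  64faeec435f51816cff0efdacc9e777d677400fd7a59bc1e037a24ec7ae7cb4b
• memory/3016-40-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize
  36KB
• memory/3620-47-0x0000000005020000-0x000000000512A000-memory.dmp
  Filesize
  1.0MB
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(KB|MB)$")
UNITS = {"KB": 1024, "MB": 1024 * 1024}   # binary units: 36KB == 0x9000 bytes
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Assumption: default PE image bases (32-bit and 64-bit). A dumped region that
# starts there is a common hint of an unpacked or injected PE, not proof.
IMAGE_BASES = {0x400000, 0x140000000}

@dataclass
class Artifact:
    name: str
    stated_size: int = 0
    stated_unit: str = "KB"
    digests: Dict[str, str] = field(default_factory=dict)
    pid: Optional[int] = None
    start: Optional[int] = None
    end: Optional[int] = None

    @property
    def region_size(self) -> Optional[int]:
        return None if self.start is None else self.end - self.start

def parse_size(text: str):
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)]), m.group(2)

def parse_artifacts(text: str) -> List[Artifact]:
    entries: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            entries.append([line[1:].strip()])
        elif line and entries:
            entries[-1].append(line)
    out = []
    for name, *fields in entries:
        art = Artifact(name=name)
        for label, value in zip(fields[::2], fields[1::2]):   # label/value pairs
            if label == "Filesize":
                art.stated_size, art.stated_unit = parse_size(value)
            elif label in DIGEST_LEN:
                art.digests[label] = value.lower()
        m = DUMP_RE.match(name)
        if m:
            art.pid = int(m.group(1))
            art.start, art.end = int(m.group(3), 16), int(m.group(4), 16)
        out.append(art)
    return out

def digest_problems(art: Artifact) -> List[str]:
    """Digests whose length or alphabet is wrong for the named algorithm."""
    return [algo for algo, hexval in art.digests.items()
            if len(hexval) != DIGEST_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", hexval)]

def size_consistent(art: Artifact) -> bool:
    """Stated size (shown to whole KB or 0.1 MB) must match the address range."""
    if art.region_size is None:
        return True
    tolerance = UNITS[art.stated_unit] / (2 if art.stated_unit == "KB" else 20)
    return abs(art.region_size - art.stated_size) <= tolerance

def at_image_base(art: Artifact) -> bool:
    return art.start in IMAGE_BASES
```

The tolerance mirrors how the report rounds: whole kilobytes for KB figures and one decimal for MB figures, so 0x10A000 bytes (1,089,536) is accepted as the "1.0MB" shown for PID 3620 while a range that disagrees with its label by more than half a displayed unit is reported.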