Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 12:32 UTC

General

  • Target

    e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe

  • Size

    983KB

  • MD5

    195bac3e181550a1749e52bd3abfa2e1

  • SHA1

    4c44adf44e16bdb2d5891d0ca5534e25d8cd8811

  • SHA256

    e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd

  • SHA512

    7ac7714a302ee5d0a2592b1273fa20f3162a4c8e46519274b97bfed634a28fa461d19d212eb648b6c540bac10dc7d94b9651548d9d2bb3f58e39de1c4456a41b

  • SSDEEP

    12288:xNJJwXdk+4w8ea9YVhYu48bk0/jLvzVbJmeMIulognDsexGeMcQh:xNJodk+4wv+YVhYu4r6LvJFsngve6

Malware Config

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe
    "C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 320
      2⤵
      • Program crash
      PID:5080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2256 -ip 2256
    1⤵
      PID:1768

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      pastebin.com
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      pastebin.com
      IN A
      Response
      pastebin.com
      IN A
      172.67.19.24
      pastebin.com
      IN A
      104.20.4.235
      pastebin.com
      IN A
      104.20.3.235
    • flag-us
      GET
      https://pastebin.com/raw/NgsUAPya
      RegAsm.exe
      Remote address:
      172.67.19.24:443
      Request
      GET /raw/NgsUAPya HTTP/1.1
      Host: pastebin.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 10 May 2024 12:33:30 GMT
      Content-Type: text/plain; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      x-frame-options: DENY
      x-content-type-options: nosniff
      x-xss-protection: 1;mode=block
      cache-control: public, max-age=1801
      CF-Cache-Status: HIT
      Age: 1071
      Last-Modified: Fri, 10 May 2024 12:15:39 GMT
      Server: cloudflare
      CF-RAY: 8819f542c9d69502-LHR
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      24.19.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.19.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      omnomnom.top
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      omnomnom.top
      IN A
      Response
      omnomnom.top
      IN A
      195.201.252.28
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_-P7cA9a2g6LBsmye3rdUTVUCUxZh5igz2E_3bdO1csVn86LKWlqJoru2yRhZQg-uowmw_j6dQPI1tBe9Ct6a-gejKmvAk2GmN8gQVLcY8iz-uu0Cm9JNsmg3IqN7hV_uOhhgshPh9e8WK-U2ndiD7GJATvdadqhlvfdVK7nj9_n5BSa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D678b230d80f81aa6e5bf4526293b6bd8&TIME=20240426T131931Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_-P7cA9a2g6LBsmye3rdUTVUCUxZh5igz2E_3bdO1csVn86LKWlqJoru2yRhZQg-uowmw_j6dQPI1tBe9Ct6a-gejKmvAk2GmN8gQVLcY8iz-uu0Cm9JNsmg3IqN7hV_uOhhgshPh9e8WK-U2ndiD7GJATvdadqhlvfdVK7nj9_n5BSa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D678b230d80f81aa6e5bf4526293b6bd8&TIME=20240426T131931Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=3A441E446C6765521D270A3F6DDC6412; domain=.bing.com; expires=Wed, 04-Jun-2025 12:33:31 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: DBB2AF3830E5430FAF2DF95B07513A9F Ref B: LON04EDGE0806 Ref C: 2024-05-10T12:33:31Z
      date: Fri, 10 May 2024 12:33:30 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_-P7cA9a2g6LBsmye3rdUTVUCUxZh5igz2E_3bdO1csVn86LKWlqJoru2yRhZQg-uowmw_j6dQPI1tBe9Ct6a-gejKmvAk2GmN8gQVLcY8iz-uu0Cm9JNsmg3IqN7hV_uOhhgshPh9e8WK-U2ndiD7GJATvdadqhlvfdVK7nj9_n5BSa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D678b230d80f81aa6e5bf4526293b6bd8&TIME=20240426T131931Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_-P7cA9a2g6LBsmye3rdUTVUCUxZh5igz2E_3bdO1csVn86LKWlqJoru2yRhZQg-uowmw_j6dQPI1tBe9Ct6a-gejKmvAk2GmN8gQVLcY8iz-uu0Cm9JNsmg3IqN7hV_uOhhgshPh9e8WK-U2ndiD7GJATvdadqhlvfdVK7nj9_n5BSa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D678b230d80f81aa6e5bf4526293b6bd8&TIME=20240426T131931Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3A441E446C6765521D270A3F6DDC6412; _EDGE_S=SID=2FB02980586466DB2BE33DFB592C676E
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=Cp18tr5aMeHOjQgYIhXJKV0QHDB7YqnDma7KLUq9mQ4; domain=.bing.com; expires=Wed, 04-Jun-2025 12:33:31 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E04F01D5574F44208DC8C75FD8708247 Ref B: LON04EDGE0806 Ref C: 2024-05-10T12:33:31Z
      date: Fri, 10 May 2024 12:33:30 GMT
    • flag-nl
      GET
      https://www.bing.com/aes/c.gif?RG=701fa118dd454aaf8c364d83986fc16c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131931Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
      Remote address:
      23.62.61.163:443
      Request
      GET /aes/c.gif?RG=701fa118dd454aaf8c364d83986fc16c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131931Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
      host: www.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3A441E446C6765521D270A3F6DDC6412
      Response
      HTTP/2.0 200
      cache-control: private,no-store
      pragma: no-cache
      vary: Origin
      p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 528277F2D3F54C34857E8197AA1F14A5 Ref B: BRU30EDGE0820 Ref C: 2024-05-10T12:33:31Z
      content-length: 0
      date: Fri, 10 May 2024 12:33:31 GMT
      set-cookie: _EDGE_S=SID=2FB02980586466DB2BE33DFB592C676E; path=/; httponly; domain=bing.com
      set-cookie: MUIDB=3A441E446C6765521D270A3F6DDC6412; path=/; httponly; expires=Wed, 04-Jun-2025 12:33:31 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.9f3d3e17.1715344411.1527671
    • flag-us
      DNS
      64.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      64.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      28.252.201.195.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.252.201.195.in-addr.arpa
      IN PTR
      Response
      28.252.201.195.in-addr.arpa
      IN PTR
      static28252201195clients your-serverde
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      163.61.62.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      163.61.62.23.in-addr.arpa
      IN PTR
      Response
      163.61.62.23.in-addr.arpa
      IN PTR
      a23-62-61-163deploystaticakamaitechnologiescom
    • flag-nl
      GET
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      Remote address:
      23.62.61.163:443
      Request
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      cookie: MUID=3A441E446C6765521D270A3F6DDC6412; _EDGE_S=SID=2FB02980586466DB2BE33DFB592C676E; MSPTC=Cp18tr5aMeHOjQgYIhXJKV0QHDB7YqnDma7KLUq9mQ4; MUIDB=3A441E446C6765521D270A3F6DDC6412
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Fri, 10 May 2024 12:33:33 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.9f3d3e17.1715344413.1527bec
    • flag-us
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77deploystaticakamaitechnologiescom
    • flag-us
      DNS
      43.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 464243
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 376DE3489ECB4740B034A295A059B589 Ref B: LON04EDGE1017 Ref C: 2024-05-10T12:35:11Z
      date: Fri, 10 May 2024 12:35:10 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 382817
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: FEBF7971683F43BCA16A0B64ACD294A1 Ref B: LON04EDGE1017 Ref C: 2024-05-10T12:35:11Z
      date: Fri, 10 May 2024 12:35:10 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 476246
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 8AE8A5742CFC49C7BD186C33BB4EEB6B Ref B: LON04EDGE1017 Ref C: 2024-05-10T12:35:11Z
      date: Fri, 10 May 2024 12:35:11 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 499516
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E8B3577170264340A2A00ECE9EBD5462 Ref B: LON04EDGE1017 Ref C: 2024-05-10T12:35:11Z
      date: Fri, 10 May 2024 12:35:10 GMT
    • flag-us
      DNS
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
      Response
    • 172.67.19.24:443
      https://pastebin.com/raw/NgsUAPya
      tls, http
      RegAsm.exe
      772 B
      5.7kB
      9
      9

      HTTP Request

      GET https://pastebin.com/raw/NgsUAPya

      HTTP Response

      200
    • 195.201.252.28:443
      omnomnom.top
      https
      RegAsm.exe
      2.7MB
      36.4kB
      1981
      722
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_-P7cA9a2g6LBsmye3rdUTVUCUxZh5igz2E_3bdO1csVn86LKWlqJoru2yRhZQg-uowmw_j6dQPI1tBe9Ct6a-gejKmvAk2GmN8gQVLcY8iz-uu0Cm9JNsmg3IqN7hV_uOhhgshPh9e8WK-U2ndiD7GJATvdadqhlvfdVK7nj9_n5BSa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D678b230d80f81aa6e5bf4526293b6bd8&TIME=20240426T131931Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
      tls, http2
      2.5kB
      9.0kB
      19
      17

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_-P7cA9a2g6LBsmye3rdUTVUCUxZh5igz2E_3bdO1csVn86LKWlqJoru2yRhZQg-uowmw_j6dQPI1tBe9Ct6a-gejKmvAk2GmN8gQVLcY8iz-uu0Cm9JNsmg3IqN7hV_uOhhgshPh9e8WK-U2ndiD7GJATvdadqhlvfdVK7nj9_n5BSa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D678b230d80f81aa6e5bf4526293b6bd8&TIME=20240426T131931Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_-P7cA9a2g6LBsmye3rdUTVUCUxZh5igz2E_3bdO1csVn86LKWlqJoru2yRhZQg-uowmw_j6dQPI1tBe9Ct6a-gejKmvAk2GmN8gQVLcY8iz-uu0Cm9JNsmg3IqN7hV_uOhhgshPh9e8WK-U2ndiD7GJATvdadqhlvfdVK7nj9_n5BSa%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D678b230d80f81aa6e5bf4526293b6bd8&TIME=20240426T131931Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

      HTTP Response

      204
    • 23.62.61.163:443
      https://www.bing.com/aes/c.gif?RG=701fa118dd454aaf8c364d83986fc16c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131931Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
      tls, http2
      1.5kB
      5.4kB
      17
      12

      HTTP Request

      GET https://www.bing.com/aes/c.gif?RG=701fa118dd454aaf8c364d83986fc16c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131931Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

      HTTP Response

      200
    • 23.62.61.163:443
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      tls, http2
      1.7kB
      6.4kB
      18
      13

      HTTP Request

      GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      13
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      68.2kB
      1.9MB
      1380
      1376

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      14
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      pastebin.com
      dns
      RegAsm.exe
      58 B
      106 B
      1
      1

      DNS Request

      pastebin.com

      DNS Response

      172.67.19.24
      104.20.4.235
      104.20.3.235

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      24.19.67.172.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      24.19.67.172.in-addr.arpa

    • 8.8.8.8:53
      omnomnom.top
      dns
      RegAsm.exe
      58 B
      74 B
      1
      1

      DNS Request

      omnomnom.top

      DNS Response

      195.201.252.28

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      64.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      64.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      28.252.201.195.in-addr.arpa
      dns
      73 B
      131 B
      1
      1

      DNS Request

      28.252.201.195.in-addr.arpa

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
      143 B
      1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      163.61.62.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      163.61.62.23.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      77.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      77.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      43.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      43.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      43.58.199.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      43.58.199.20.in-addr.arpa

    • 8.8.8.8:53

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2256-0-0x0000000000C66000-0x0000000000C67000-memory.dmp

      Filesize

      4KB

    • memory/3696-1-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

    • memory/3696-2-0x0000000074F5E000-0x0000000074F5F000-memory.dmp

      Filesize

      4KB

    • memory/3696-3-0x0000000005710000-0x0000000005776000-memory.dmp

      Filesize

      408KB

    • memory/3696-4-0x00000000062A0000-0x00000000068B8000-memory.dmp

      Filesize

      6.1MB

    • memory/3696-5-0x0000000005CA0000-0x0000000005CB2000-memory.dmp

      Filesize

      72KB

    • memory/3696-6-0x0000000005DD0000-0x0000000005EDA000-memory.dmp

      Filesize

      1.0MB

    • memory/3696-7-0x0000000074F50000-0x0000000075700000-memory.dmp

      Filesize

      7.7MB

    • memory/3696-8-0x0000000006AC0000-0x0000000006AFC000-memory.dmp

      Filesize

      240KB

    • memory/3696-9-0x0000000006250000-0x000000000629C000-memory.dmp

      Filesize

      304KB

    • memory/3696-10-0x0000000006E10000-0x0000000006FD2000-memory.dmp

      Filesize

      1.8MB

    • memory/3696-11-0x0000000007510000-0x0000000007A3C000-memory.dmp

      Filesize

      5.2MB

    • memory/3696-12-0x0000000007FF0000-0x0000000008594000-memory.dmp

      Filesize

      5.6MB

    • memory/3696-13-0x0000000007180000-0x0000000007212000-memory.dmp

      Filesize

      584KB

    • memory/3696-14-0x0000000007060000-0x00000000070D6000-memory.dmp

      Filesize

      472KB

    • memory/3696-15-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

      Filesize

      120KB

    • memory/3696-16-0x0000000007B90000-0x0000000007BE0000-memory.dmp

      Filesize

      320KB

    • memory/3696-18-0x0000000074F50000-0x0000000075700000-memory.dmp

      Filesize

      7.7MB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.