Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 13:06 UTC

General

  • Target

    bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe

  • Size

    828KB

  • MD5

    2a32d9865596340119086b9e9d7407d7

  • SHA1

    cd4daf419b213c6a34241bb7a791f2b59f4d80d8

  • SHA256

    bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26

  • SHA512

    2bcd417c9bc9e1cd1fb0a63dc62fa1599b78f7ea6b3205f2b6c9b5b9f805183b80318fd0f9ff4dd3ca8b55dfafab6cfd8300c638c97e22269904362434e001b8

  • SSDEEP

    24576:9y4zSdEWEkPt03UTE04CiNCAFab9dmcZgf:Y4OEW2rCiUAYJn

Malware Config

Extracted

Family

redline

Botnet

crazy

C2

83.97.73.129:19068

Attributes
  • auth_value

    66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

muha

C2

83.97.73.129:19068

Attributes
  • auth_value

    3c237e5fecb41481b7af249e79828a46

Signatures

  • Detects Healer, an antivirus disabler dropper 1 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe
    "C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3400
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4652
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
                PID:4396
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 156
                6⤵
                • Program crash
                PID:2528
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:5100
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
                6⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2508
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 148
                6⤵
                • Program crash
                PID:4696
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe
            4⤵
            • Executes dropped EXE
            PID:4836
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4652 -ip 4652
      1⤵
        PID:1568
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5100 -ip 5100
        1⤵
          PID:2540

        Network

        • flag-us
          DNS
          g.bing.com
          Remote address:
          8.8.8.8:53
          Request
          g.bing.com
          IN A
          Response
          g.bing.com
          IN CNAME
          g-bing-com.dual-a-0034.a-msedge.net
          g-bing-com.dual-a-0034.a-msedge.net
          IN CNAME
          dual-a-0034.a-msedge.net
          dual-a-0034.a-msedge.net
          IN A
          204.79.197.237
          dual-a-0034.a-msedge.net
          IN A
          13.107.21.237
        • flag-us
          GET
          https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=531035994&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=531035994&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MUID=0C01FDDDF0A064F4307BE9A6F1406502; domain=.bing.com; expires=Wed, 04-Jun-2025 13:06:26 GMT; path=/; SameSite=None; Secure; Priority=High;
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 7D4328F9E60B48499D32012E2D3402B9 Ref B: LON04EDGE1016 Ref C: 2024-05-10T13:06:26Z
          date: Fri, 10 May 2024 13:06:25 GMT
        • flag-us
          GET
          https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=0C01FDDDF0A064F4307BE9A6F1406502; _EDGE_S=SID=041082CBEE1E6E9A18DD96B0EFB46F03
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MSPTC=XiORb2lT78zUBO1tGd5hhw-CSOSz1SGtTnmkXEwSOjM; domain=.bing.com; expires=Wed, 04-Jun-2025 13:06:27 GMT; path=/; Partitioned; secure; SameSite=None
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 3DE4DB2B76B2403592B8D3B9B0953C6C Ref B: LON04EDGE1016 Ref C: 2024-05-10T13:06:27Z
          date: Fri, 10 May 2024 13:06:26 GMT
        • flag-nl
          GET
          https://www.bing.com/aes/c.gif?RG=e9b42bdfca6043a783900be0ee25f04f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113320Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182
          Remote address:
          23.62.61.155:443
          Request
          GET /aes/c.gif?RG=e9b42bdfca6043a783900be0ee25f04f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113320Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182 HTTP/2.0
          host: www.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=0C01FDDDF0A064F4307BE9A6F1406502
          Response
          HTTP/2.0 200
          cache-control: private,no-store
          pragma: no-cache
          vary: Origin
          p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: E25C77A5D4C54D19AB4F99F333455EA8 Ref B: DUS30EDGE0710 Ref C: 2024-05-10T13:06:27Z
          content-length: 0
          date: Fri, 10 May 2024 13:06:27 GMT
          set-cookie: _EDGE_S=SID=041082CBEE1E6E9A18DD96B0EFB46F03; path=/; httponly; domain=bing.com
          set-cookie: MUIDB=0C01FDDDF0A064F4307BE9A6F1406502; path=/; httponly; expires=Wed, 04-Jun-2025 13:06:27 GMT
          alt-svc: h3=":443"; ma=93600
          x-cdn-traceid: 0.973d3e17.1715346387.1fd59c0
        • flag-us
          DNS
          64.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          64.159.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          26.35.223.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          26.35.223.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          237.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          237.197.79.204.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-nl
          GET
          https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          Remote address:
          23.62.61.155:443
          Request
          GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
          host: www.bing.com
          accept: */*
          cookie: MUID=0C01FDDDF0A064F4307BE9A6F1406502; _EDGE_S=SID=041082CBEE1E6E9A18DD96B0EFB46F03; MSPTC=XiORb2lT78zUBO1tGd5hhw-CSOSz1SGtTnmkXEwSOjM; MUIDB=0C01FDDDF0A064F4307BE9A6F1406502
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-type: image/png
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          content-length: 1107
          date: Fri, 10 May 2024 13:06:27 GMT
          alt-svc: h3=":443"; ma=93600
          x-cdn-traceid: 0.973d3e17.1715346387.1fd5c62
        • flag-us
          DNS
          155.61.62.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          155.61.62.23.in-addr.arpa
          IN PTR
          Response
          155.61.62.23.in-addr.arpa
          IN PTR
          a23-62-61-155.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          50.23.12.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          50.23.12.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          56.126.166.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          56.126.166.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          139.53.16.96.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          139.53.16.96.in-addr.arpa
          IN PTR
          Response
          139.53.16.96.in-addr.arpa
          IN PTR
          a96-16-53-139.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          77.190.18.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          77.190.18.2.in-addr.arpa
          IN PTR
          Response
          77.190.18.2.in-addr.arpa
          IN PTR
          a2-18-190-77.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          28.173.189.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          28.173.189.20.in-addr.arpa
          IN PTR
          Response
        • 204.79.197.237:443
          https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48
          tls, http2
          2.6kB
          9.0kB
          19
          17

          HTTP Request

          GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=531035994&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

          HTTP Response

          204
        • 83.97.73.129:19068
          AppLaunch.exe
          260 B
          5
        • 23.62.61.155:443
          https://www.bing.com/aes/c.gif?RG=e9b42bdfca6043a783900be0ee25f04f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113320Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182
          tls, http2
          1.4kB
          5.3kB
          16
          10

          HTTP Request

          GET https://www.bing.com/aes/c.gif?RG=e9b42bdfca6043a783900be0ee25f04f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113320Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

          HTTP Response

          200
        • 83.97.73.129:19068
          c2700905.exe
          260 B
          5
        • 23.62.61.155:443
          https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          tls, http2
          1.6kB
          6.4kB
          17
          12

          HTTP Request

          GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

          HTTP Response

          200
        • 83.97.73.129:19068
          AppLaunch.exe
          260 B
          5
        • 83.97.73.129:19068
          c2700905.exe
          260 B
          5
        • 83.97.73.129:19068
          AppLaunch.exe
          260 B
          5
        • 83.97.73.129:19068
          c2700905.exe
          260 B
          5
        • 83.97.73.129:19068
          AppLaunch.exe
          260 B
          5
        • 83.97.73.129:19068
          c2700905.exe
          260 B
          5
        • 83.97.73.129:19068
          AppLaunch.exe
          260 B
          5
        • 83.97.73.129:19068
          c2700905.exe
          260 B
          5
        • 83.97.73.129:19068
          AppLaunch.exe
          260 B
          5
        • 83.97.73.129:19068
          c2700905.exe
          260 B
          5
        • 8.8.8.8:53
          g.bing.com
          dns
          56 B
          151 B
          1
          1

          DNS Request

          g.bing.com

          DNS Response

          204.79.197.237
          13.107.21.237

        • 8.8.8.8:53
          64.159.190.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          64.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          26.35.223.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          26.35.223.20.in-addr.arpa

        • 8.8.8.8:53
          237.197.79.204.in-addr.arpa
          dns
          73 B
          143 B
          1
          1

          DNS Request

          237.197.79.204.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        • 8.8.8.8:53
          155.61.62.23.in-addr.arpa
          dns
          71 B
          135 B
          1
          1

          DNS Request

          155.61.62.23.in-addr.arpa

        • 8.8.8.8:53
          56.126.166.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          56.126.166.20.in-addr.arpa

        • 8.8.8.8:53
          50.23.12.20.in-addr.arpa
          dns
          70 B
          156 B
          1
          1

          DNS Request

          50.23.12.20.in-addr.arpa

        • 8.8.8.8:53
          139.53.16.96.in-addr.arpa
          dns
          71 B
          135 B
          1
          1

          DNS Request

          139.53.16.96.in-addr.arpa

        • 8.8.8.8:53
          77.190.18.2.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          77.190.18.2.in-addr.arpa

        • 8.8.8.8:53
          28.173.189.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          28.173.189.20.in-addr.arpa

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe

          Filesize

          607KB

          MD5

          33ff5c1b7ad2169df36e814a2d691161

          SHA1

          e80f0be76be35b9997ecfa24a8efc30748552cbe

          SHA256

          000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88

          SHA512

          216ceb4f2a265aae0b413964c91da9f4f4f45baabe4ed952da89dc8089932472aeecb7ae2fb42408dfcfc8ae575d3d0b99cd89f55620946b155a41dee6019bd3

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe

          Filesize

          435KB

          MD5

          a76aada563b5fff5cf81824d40e87c25

          SHA1

          b6c50c7d69b765a396e3995642cd3c82ed9eb370

          SHA256

          f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956

          SHA512

          093e3da142ee67a4da1c8f352460e5d90e9565ec60855285a19eb6e2c2f85d8b8ec22e0b5f46194222954ffeb19e1a8451f9d364c8869f1ef8050decc7154a56

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe

          Filesize

          172KB

          MD5

          3722a3e958832f918370e3491d62d642

          SHA1

          86d28aa415f98a3ffa95279b4ac521e96ab8131a

          SHA256

          fc953ae5ccb8716ad6fa4b015596e010272dc5095fb5cf36fc1fe1ac7ca39db9

          SHA512

          510caffa854da75b5cef2b52ef61dee6670fc684c090911b9bf51678c68144e3f83a2ca2b43364abd0619c6742c03b9f68f29f91d6bb6259c49fc2b8bbaeb791

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe

          Filesize

          280KB

          MD5

          7df1e56d4c1a1612ee126463fcf8ceb4

          SHA1

          774ab26898cfa2ace41b0d5fa53538d318e0fa57

          SHA256

          a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0

          SHA512

          a84427f66c991496b014e82a1e52a969da9b627d6dfebdb93b74acdda4907df02b7b7d17b25cb732999e4a01e7f6e327be630b93b6dd6c55ed78e3d920ccae15

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe

          Filesize

          302KB

          MD5

          c0e3f771bcbb789d734e7d3e1b1f4e65

          SHA1

          02e6e5e508188955181ac98bb1b9c414d2c1aa9e

          SHA256

          53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02

          SHA512

          c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe

          Filesize

          141KB

          MD5

          cd5a529d645436b72dc72ebc19950ef3

          SHA1

          5f571b5fce5b5e210e812e28dad02b80bb1f5d80

          SHA256

          887d08bb7735494fa22a46935055d0c2d612f70e97ecdd07bccf427d8e49efa3

          SHA512

          b314a9d61340e1cafd67aef45b5151721a6100ca0f7d6ec787e4fc4d83d1cdb571cfafcd1cc1cee681f3016bfb3fc8074681633607221711163e7da2c2e6b123

        • memory/2508-42-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/4396-28-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/4396-36-0x0000000009F30000-0x0000000009F42000-memory.dmp

          Filesize

          72KB

        • memory/4396-35-0x0000000009FF0000-0x000000000A0FA000-memory.dmp

          Filesize

          1.0MB

        • memory/4396-39-0x0000000009F90000-0x0000000009FCC000-memory.dmp

          Filesize

          240KB

        • memory/4396-41-0x0000000002420000-0x000000000246C000-memory.dmp

          Filesize

          304KB

        • memory/4396-34-0x000000000A4E0000-0x000000000AAF8000-memory.dmp

          Filesize

          6.1MB

        • memory/4396-33-0x0000000000A20000-0x0000000000A26000-memory.dmp

          Filesize

          24KB

        • memory/4836-50-0x0000000000CE0000-0x0000000000D10000-memory.dmp

          Filesize

          192KB

        • memory/4836-51-0x0000000001460000-0x0000000001466000-memory.dmp

          Filesize

          24KB
