
Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 13:08 UTC

General

  • Target

    56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe

  • Size

    390KB

  • MD5

    2bc8e8cd130285a0cbea66c6ae7859e9

  • SHA1

    bb229611ae9e5c6a807ceb371b3a282f631324ad

  • SHA256

    56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d

  • SHA512

    6b79aa03ecc4989a5f51f7b9776add2110146890a355a712569d0ad8b0e2399e744ffee8c51888b8f1bcb9d8ede9ee927d9fd35b4c228e2b521f91e0534dd933

  • SSDEEP

    6144:K3y+bnr+8p0yN90QETG840XYwvb4mF4xCVPLXsX2NmV5BCcHnlRHuzoiFqv7m:hMrMy90dhI05uCVPZoUcHnl9Woi8vq

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

  • rc4.plain

    1: 006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper (2 IoCs)
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (8 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (38 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe
    "C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:8
        • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
          "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:4020
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:736
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:1988
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "danke.exe" /P "Admin:N"
              6⤵
              PID:2436
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "danke.exe" /P "Admin:R" /E
              6⤵
              PID:4852
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:4564
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\3ec1f323b5" /P "Admin:N"
              6⤵
              PID:3028
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\3ec1f323b5" /P "Admin:R" /E
              6⤵
              PID:4156
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe
      2⤵
      • Executes dropped EXE
      PID:324
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:3652
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:4500
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:4600

Network

  • DNS 13.86.106.20.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 13.86.106.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 172.210.232.199.in-addr.arpa IN PTR
  • DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 43.58.199.20.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 43.58.199.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 79.190.18.2.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 79.190.18.2.in-addr.arpa IN PTR
    Response: 79.190.18.2.in-addr.arpa IN PTR a2-18-190-79.deploy.static.akamaitechnologies.com
  • DNS g.bing.com
    Remote address: 8.8.8.8:53 (US)
    Request: g.bing.com IN A
    Response:
    g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net IN A 204.79.197.237
    dual-a-0034.a-msedge.net IN A 13.107.21.237
  • GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8SsuHTvx8q__MLLpR2bAPDDVUCUyNhKoXHt0pUm8SzIbduuewIHDn9Dvq-AKhMUtublUBtSALP_aoDUJsXgKbsx5L0FxrVbax29_kp4z6ehtyJGZbXyzTB-DUj7QmFDb0ix0Y1fLymBVPOnKu1f_UuICbwOGrJ7R2PXcoQGS9hOx7p6yS%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2f19329a7a5c1143aba754b1cbacba1e&TIME=20240510T130939Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
    Remote address: 204.79.197.237:443 (US)
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8SsuHTvx8q__MLLpR2bAPDDVUCUyNhKoXHt0pUm8SzIbduuewIHDn9Dvq-AKhMUtublUBtSALP_aoDUJsXgKbsx5L0FxrVbax29_kp4z6ehtyJGZbXyzTB-DUj7QmFDb0ix0Y1fLymBVPOnKu1f_UuICbwOGrJ7R2PXcoQGS9hOx7p6yS%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2f19329a7a5c1143aba754b1cbacba1e&TIME=20240510T130939Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1B742AA3BA1464F001373ED8BBAF65D7; domain=.bing.com; expires=Wed, 04-Jun-2025 13:10:14 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C8E25420DF324327A8B57F8AE3AF0DF5 Ref B: LON04EDGE0816 Ref C: 2024-05-10T13:10:14Z
    date: Fri, 10 May 2024 13:10:14 GMT
  • GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8SsuHTvx8q__MLLpR2bAPDDVUCUyNhKoXHt0pUm8SzIbduuewIHDn9Dvq-AKhMUtublUBtSALP_aoDUJsXgKbsx5L0FxrVbax29_kp4z6ehtyJGZbXyzTB-DUj7QmFDb0ix0Y1fLymBVPOnKu1f_UuICbwOGrJ7R2PXcoQGS9hOx7p6yS%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2f19329a7a5c1143aba754b1cbacba1e&TIME=20240510T130939Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
    Remote address: 204.79.197.237:443 (US)
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8SsuHTvx8q__MLLpR2bAPDDVUCUyNhKoXHt0pUm8SzIbduuewIHDn9Dvq-AKhMUtublUBtSALP_aoDUJsXgKbsx5L0FxrVbax29_kp4z6ehtyJGZbXyzTB-DUj7QmFDb0ix0Y1fLymBVPOnKu1f_UuICbwOGrJ7R2PXcoQGS9hOx7p6yS%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2f19329a7a5c1143aba754b1cbacba1e&TIME=20240510T130939Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1B742AA3BA1464F001373ED8BBAF65D7; _EDGE_S=SID=1639B9D5BF406E890BACADAEBE396F06
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=M9cImlfYRB0gMWsgt3HFCycaZo0ZouAvKAWEpAl9b2k; domain=.bing.com; expires=Wed, 04-Jun-2025 13:10:15 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3C042B93A747406FA36FE1162C95C063 Ref B: LON04EDGE0816 Ref C: 2024-05-10T13:10:15Z
    date: Fri, 10 May 2024 13:10:15 GMT
  • GET https://www.bing.com/aes/c.gif?RG=679a73d59cf24095a6a1e172a76932fc&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240510T130939Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
    Remote address: 88.221.83.226:443 (BE)
    Request
    GET /aes/c.gif?RG=679a73d59cf24095a6a1e172a76932fc&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240510T130939Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1B742AA3BA1464F001373ED8BBAF65D7
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2AE1BD698ECC4DCEB3AF3238FD743262 Ref B: LON212050705029 Ref C: 2024-05-10T13:10:15Z
    content-length: 0
    date: Fri, 10 May 2024 13:10:15 GMT
    set-cookie: _EDGE_S=SID=1639B9D5BF406E890BACADAEBE396F06; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=1B742AA3BA1464F001373ED8BBAF65D7; path=/; httponly; expires=Wed, 04-Jun-2025 13:10:15 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.de53dd58.1715346615.27dd617c
  • DNS 237.197.79.204.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 237.197.79.204.in-addr.arpa IN PTR
    Response: (empty)
  • DNS tse1.mm.bing.net
    Remote address: 8.8.8.8:53 (US)
    Request: tse1.mm.bing.net IN A
    Response:
    tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net IN A 204.79.197.200
    dual-a-0001.a-msedge.net IN A 13.107.21.200
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443 (US)
    Request
    GET /th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 476246
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 09500ECA9B894859AF0CB2596F986C5F Ref B: LON04EDGE0915 Ref C: 2024-05-10T13:10:15Z
    date: Fri, 10 May 2024 13:10:15 GMT
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443 (US)
    Request
    GET /th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 382817
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 39C1595FE9AD4924BAD606A423498275 Ref B: LON04EDGE0915 Ref C: 2024-05-10T13:10:15Z
    date: Fri, 10 May 2024 13:10:15 GMT
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443 (US)
    Request
    GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 499516
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1D190A1A9755426D811E087FA59DAD90 Ref B: LON04EDGE0915 Ref C: 2024-05-10T13:10:15Z
    date: Fri, 10 May 2024 13:10:15 GMT
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443 (US)
    Request
    GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 464243
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FC0113CF93F84B8AA3D1F2874B64F192 Ref B: LON04EDGE0915 Ref C: 2024-05-10T13:10:15Z
    date: Fri, 10 May 2024 13:10:15 GMT
  • GET https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address: 88.221.83.226:443 (BE)
    Request
    GET /th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=1B742AA3BA1464F001373ED8BBAF65D7; _EDGE_S=SID=1639B9D5BF406E890BACADAEBE396F06; MSPTC=M9cImlfYRB0gMWsgt3HFCycaZo0ZouAvKAWEpAl9b2k; MUIDB=1B742AA3BA1464F001373ED8BBAF65D7
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 999
    date: Fri, 10 May 2024 13:10:16 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.de53dd58.1715346616.27dd64a2
  • DNS 226.83.221.88.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 226.83.221.88.in-addr.arpa IN PTR
    Response: 226.83.221.88.in-addr.arpa IN PTR a88-221-83-226.deploy.static.akamaitechnologies.com
  • 77.91.68.68:19071 | n4445439.exe | 260 B | 5
  • 77.91.68.3:80 | danke.exe | 260 B | 5
  • 77.91.68.68:19071 | n4445439.exe | 260 B | 5
  • 77.91.68.3:80 | danke.exe | 260 B | 5
  • 77.91.68.68:19071 | n4445439.exe | 260 B | 5
  • 77.91.68.3:80 | danke.exe | 260 B | 5
  • 77.91.68.68:19071 | n4445439.exe | 260 B | 5
  • 204.79.197.237:443 | https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8SsuHTvx8q__MLLpR2bAPDDVUCUyNhKoXHt0pUm8SzIbduuewIHDn9Dvq-AKhMUtublUBtSALP_aoDUJsXgKbsx5L0FxrVbax29_kp4z6ehtyJGZbXyzTB-DUj7QmFDb0ix0Y1fLymBVPOnKu1f_UuICbwOGrJ7R2PXcoQGS9hOx7p6yS%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2f19329a7a5c1143aba754b1cbacba1e&TIME=20240510T130939Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 | tls, http2 | 2.5kB | 9.0kB | 19 | 17
    HTTP Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8SsuHTvx8q__MLLpR2bAPDDVUCUyNhKoXHt0pUm8SzIbduuewIHDn9Dvq-AKhMUtublUBtSALP_aoDUJsXgKbsx5L0FxrVbax29_kp4z6ehtyJGZbXyzTB-DUj7QmFDb0ix0Y1fLymBVPOnKu1f_UuICbwOGrJ7R2PXcoQGS9hOx7p6yS%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2f19329a7a5c1143aba754b1cbacba1e&TIME=20240510T130939Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8SsuHTvx8q__MLLpR2bAPDDVUCUyNhKoXHt0pUm8SzIbduuewIHDn9Dvq-AKhMUtublUBtSALP_aoDUJsXgKbsx5L0FxrVbax29_kp4z6ehtyJGZbXyzTB-DUj7QmFDb0ix0Y1fLymBVPOnKu1f_UuICbwOGrJ7R2PXcoQGS9hOx7p6yS%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D2f19329a7a5c1143aba754b1cbacba1e&TIME=20240510T130939Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
    HTTP Response: 204
  • 88.221.83.226:443 | https://www.bing.com/aes/c.gif?RG=679a73d59cf24095a6a1e172a76932fc&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240510T130939Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644 | tls, http2 | 1.4kB | 5.4kB | 16 | 12
    HTTP Request: GET https://www.bing.com/aes/c.gif?RG=679a73d59cf24095a6a1e172a76932fc&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240510T130939Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
    HTTP Response: 200
  • 204.79.197.200:443 | https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 | tls, http2 | 67.9kB | 1.9MB | 1385 | 1381
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    HTTP Response: 200
    HTTP Response: 200
    HTTP Response: 200
    HTTP Response: 200
  • 204.79.197.200:443 | tse1.mm.bing.net | tls, http2 | 1.2kB | 8.1kB | 16 | 13
  • 204.79.197.200:443 | tse1.mm.bing.net | tls, http2 | 1.2kB | 8.1kB | 16 | 14
  • 204.79.197.200:443 | tse1.mm.bing.net | tls, http2 | 1.2kB | 8.1kB | 16 | 14
  • 88.221.83.226:443 | https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 | tls, http2 | 1.5kB | 6.2kB | 15 | 12
    HTTP Request: GET https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    HTTP Response: 200
  • 77.91.68.3:80 | danke.exe | 260 B | 5
  • 77.91.68.68:19071 | n4445439.exe | 260 B | 5
  • 77.91.68.3:80 | danke.exe | 208 B | 4
  • 77.91.68.68:19071 | n4445439.exe | 208 B | 4
              • 8.8.8.8:53  13.86.106.20.in-addr.arpa  dns  sent 71 B / received 157 B  packets 1 / 1
                DNS Request: 13.86.106.20.in-addr.arpa
              • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  sent 148 B / received 128 B  packets 2 / 1
                DNS Request: 172.210.232.199.in-addr.arpa
                DNS Request: 172.210.232.199.in-addr.arpa
              • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  sent 73 B / received 144 B  packets 1 / 1
                DNS Request: 95.221.229.192.in-addr.arpa
              • 8.8.8.8:53  43.58.199.20.in-addr.arpa  dns  sent 71 B / received 157 B  packets 1 / 1
                DNS Request: 43.58.199.20.in-addr.arpa
              • 8.8.8.8:53  79.190.18.2.in-addr.arpa  dns  sent 70 B / received 133 B  packets 1 / 1
                DNS Request: 79.190.18.2.in-addr.arpa
              • 8.8.8.8:53  g.bing.com  dns  sent 56 B / received 151 B  packets 1 / 1
                DNS Request: g.bing.com
                DNS Response: 204.79.197.237, 13.107.21.237
              • 8.8.8.8:53  237.197.79.204.in-addr.arpa  dns  sent 73 B / received 143 B  packets 1 / 1
                DNS Request: 237.197.79.204.in-addr.arpa
              • 8.8.8.8:53  tse1.mm.bing.net  dns  sent 62 B / received 173 B  packets 1 / 1
                DNS Request: tse1.mm.bing.net
                DNS Response: 204.79.197.200, 13.107.21.200
              • 8.8.8.8:53  226.83.221.88.in-addr.arpa  dns  sent 72 B / received 137 B  packets 1 / 1
                DNS Request: 226.83.221.88.in-addr.arpa

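Triaging the flow list above by hand is error-prone: the reverse-lookup names hide the addresses that were actually resolved, and the two processes that talk to non-Microsoft hosts are buried among bing image fetches. The script below is an added example, not part of the tria.ge report. FLOWS is a hand-constructed copy of the entries on this page with the sizes as printed (kB values rounded); entries the report showed without a protocol carry an empty string. The noise allowlist and the "nothing received" heuristic are assumptions for illustration, not something the report states.

```python
"""Triage of the network flows listed above (an added example, not code from the
tria.ge report).  FLOWS is a hand-constructed copy of the page's entries with the
rounded sizes as printed; entries that showed no protocol carry "".  The noise
allowlist and the "nothing received" heuristic are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dst: str                 # destination as "ip:port"
    name: str                # hostname (or request host), or the process when no name was shown
    proto: str               # "dns", "tls, http2", or "" where the report listed none
    sent: int                # bytes sent by the guest
    received: Optional[int]  # bytes received; None where the report lists no such figure
    pkts_out: int
    pkts_in: Optional[int]


FLOWS: List[Flow] = [
    Flow("204.79.197.200:443", "tse1.mm.bing.net", "tls, http2", 1200, 8100, 16, 13),
    Flow("204.79.197.200:443", "tse1.mm.bing.net", "tls, http2", 1200, 8100, 16, 14),
    Flow("204.79.197.200:443", "tse1.mm.bing.net", "tls, http2", 1200, 8100, 16, 14),
    Flow("88.221.83.226:443", "www.bing.com", "tls, http2", 1500, 6200, 15, 12),
    Flow("77.91.68.3:80", "danke.exe", "", 260, None, 5, None),
    Flow("77.91.68.68:19071", "n4445439.exe", "", 260, None, 5, None),
    Flow("77.91.68.3:80", "danke.exe", "", 208, None, 4, None),
    Flow("77.91.68.68:19071", "n4445439.exe", "", 208, None, 4, None),
    Flow("8.8.8.8:53", "13.86.106.20.in-addr.arpa", "dns", 71, 157, 1, 1),
    Flow("8.8.8.8:53", "172.210.232.199.in-addr.arpa", "dns", 148, 128, 2, 1),
    Flow("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "dns", 73, 144, 1, 1),
    Flow("8.8.8.8:53", "43.58.199.20.in-addr.arpa", "dns", 71, 157, 1, 1),
    Flow("8.8.8.8:53", "79.190.18.2.in-addr.arpa", "dns", 70, 133, 1, 1),
    Flow("8.8.8.8:53", "g.bing.com", "dns", 56, 151, 1, 1),
    Flow("8.8.8.8:53", "237.197.79.204.in-addr.arpa", "dns", 73, 143, 1, 1),
    Flow("8.8.8.8:53", "tse1.mm.bing.net", "dns", 62, 173, 1, 1),
    Flow("8.8.8.8:53", "226.83.221.88.in-addr.arpa", "dns", 72, 137, 1, 1),
]

# Endpoints the stock Windows 10 image contacts by itself (assumed allowlist;
# extend it with whatever a baseline run of a clean guest shows).
NOISE_HOSTS = {"tse1.mm.bing.net", "www.bing.com", "g.bing.com"}


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn a reverse-lookup name back into the address that was resolved:
    '13.86.106.20.in-addr.arpa' -> '20.106.86.13'.  None for anything else."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def reverse_lookup_targets(flows: List[Flow]) -> List[str]:
    """Addresses the guest reverse-resolved.  Only some of them also appear as
    flows above, so treat the rest as leads to check, not proven connections."""
    ips = {ptr_to_ip(f.name) for f in flows if f.proto == "dns"}
    return sorted(ip for ip in ips if ip)


def beacon_candidates(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Non-DNS flows to hosts outside the allowlist for which the report shows
    nothing received.  Repeated small sends with no reply is the usual shape of
    a C2 check-in whose server is down or ignoring the sandbox (heuristic)."""
    hits = {(f.dst, f.name) for f in flows
            if f.proto != "dns" and f.name not in NOISE_HOSTS and not f.received}
    return sorted(hits)


def iocs(flows: List[Flow]) -> Dict[str, List[str]]:
    """ip:port indicators to block, grouped by the process that produced them."""
    out: Dict[str, set] = {}
    for dst, proc in beacon_candidates(flows):
        out.setdefault(proc, set()).add(dst)
    return {proc: sorted(dsts) for proc, dsts in out.items()}


if __name__ == "__main__":
    print("reverse-resolved:", reverse_lookup_targets(FLOWS))
    print("beacon candidates:", iocs(FLOWS))
```

The two flows that survive the filter are the ones the report labels with a process name instead of a hostname, so there is no SNI or Host header to block on; block the ip:port pairs. The seven reverse-resolved addresses are worth a second look because only two of them (the bing endpoints) show up as flows in this section.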
              MITRE ATT&CK Enterprise v15


              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe
                Filesize  173KB
                MD5       ec5686f2f6eef77856a46505325aea33
                SHA1      a58594f313adbd048b0ff2ac4e42603db57313ef
                SHA256    f3cea04ccce7d837e9a850e3c82c83465828d18f1ddceb862a2cc411927a8874
                SHA512    033857263c6ba7a1a5df2b441cb43c8e1d516eb5f298c76c00fdce7b7735e76921b5249d820f676355a7a0237f40af35497367d1319732b6629ab609ff154e08
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe
                Filesize  235KB
                MD5       b435d6b953887f7a798aa82a97d2735e
                SHA1      040f703a0203cf23702c6ff96b85a39654006505
                SHA256    39b691839692b9cef4a116a81e30b4bee8cbc04bc169366c90a6338d14af3389
                SHA512    a36150b1c22144d4e38d58c3574e45c59a6126185ec847b6c2282d4930b8a097e8e162e5af01c5f761e5510dafb855d7d6bcabe2801ec0852a75fb88c0a66379
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe
                Filesize  11KB
                MD5       7e93bacbbc33e6652e147e7fe07572a0
                SHA1      421a7167da01c8da4dc4d5234ca3dd84e319e762
                SHA256    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
                SHA512    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe
                Filesize  224KB
                MD5       8c6b79ec436d7cf6950a804c1ec7d3e9
                SHA1      4a589d5605d8ef785fdc78b0bf64e769e3a21ad6
                SHA256    4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
                SHA512    06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce

              • memory/324-36-0x0000000005900000-0x0000000005A0A000-memory.dmp  Filesize 1.0MB
              • memory/324-33-0x0000000000C70000-0x0000000000CA0000-memory.dmp  Filesize 192KB
              • memory/324-34-0x00000000015A0000-0x00000000015A6000-memory.dmp  Filesize 24KB
              • memory/324-35-0x0000000005E10000-0x0000000006428000-memory.dmp  Filesize 6.1MB
              • memory/324-37-0x0000000005630000-0x0000000005642000-memory.dmp  Filesize 72KB
              • memory/324-38-0x0000000005690000-0x00000000056CC000-memory.dmp  Filesize 240KB
              • memory/324-39-0x00000000057F0000-0x000000000583C000-memory.dmp  Filesize 304KB
              • memory/2440-15-0x00007FF8FF6F3000-0x00007FF8FF6F5000-memory.dmp  Filesize 8KB
              • memory/2440-14-0x0000000000830000-0x000000000083A000-memory.dmp  Filesize 40KB

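Before spending time on a sample pulled from this report, confirm it is the file the report describes, and read the memory-dump names for what they encode (PID, dump index, start and end address of the region). The script below is an added example, not code from tria.ge; the digest table is copied from the Downloads list above, the bytes hashed in the test are constructed, and the rounding used to reproduce the Filesize figures is an assumption that happens to match every dump listed here.

```python
"""Checks over the Downloads list above (an added example, not code from the
tria.ge report).  The digest table is copied from the page; the rounding in
human_size() is assumed, and the bytes used in the test are constructed."""
import hashlib
import re
from typing import Dict, Optional, Tuple

# Digests exactly as the report lists them (SHA512 omitted for brevity).
DROPPED: Dict[str, Dict[str, str]] = {
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe": {
        "md5": "ec5686f2f6eef77856a46505325aea33",
        "sha1": "a58594f313adbd048b0ff2ac4e42603db57313ef",
        "sha256": "f3cea04ccce7d837e9a850e3c82c83465828d18f1ddceb862a2cc411927a8874",
    },
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe": {
        "md5": "b435d6b953887f7a798aa82a97d2735e",
        "sha1": "040f703a0203cf23702c6ff96b85a39654006505",
        "sha256": "39b691839692b9cef4a116a81e30b4bee8cbc04bc169366c90a6338d14af3389",
    },
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe": {
        "md5": "7e93bacbbc33e6652e147e7fe07572a0",
        "sha1": "421a7167da01c8da4dc4d5234ca3dd84e319e762",
        "sha256": "850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38",
    },
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe": {
        "md5": "8c6b79ec436d7cf6950a804c1ec7d3e9",
        "sha1": "4a589d5605d8ef785fdc78b0bf64e769e3a21ad6",
        "sha256": "4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d",
    },
}


def digests(data: bytes) -> Dict[str, str]:
    """MD5 / SHA-1 / SHA-256 / SHA-512 of a blob, keyed the way the report is."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def identify(observed: Dict[str, str]) -> Optional[str]:
    """Name the dropped file whose digests match `observed`.
    Any one algorithm is enough to match, but every algorithm present on both
    sides must agree: an MD5 hit with a SHA-256 miss means a different file
    (or a doctored report) and is raised as an error, never returned as a match."""
    for path, ref in DROPPED.items():
        common = set(observed) & set(ref)
        hits = {alg for alg in common if observed[alg].lower() == ref[alg]}
        if hits and hits != common:
            raise ValueError(f"{path}: {sorted(hits)} match but {sorted(common - hits)} do not")
        if hits:
            return path
    return None


_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def region(dump_name: str) -> Tuple[int, int, int, int]:
    """(pid, index, start, end) encoded in a dump name such as
    memory/324-33-0x0000000000C70000-0x0000000000CA0000-memory.dmp."""
    m = _DUMP.match(dump_name)
    if not m:
        raise ValueError(f"not a memory dump name: {dump_name}")
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)


def region_size(dump_name: str) -> int:
    """Bytes covered by the dumped region (end - start)."""
    _, _, start, end = region(dump_name)
    return end - start


def human_size(n: int) -> str:
    """Whole KiB below 1 MiB, one decimal MiB above (assumed rounding; it
    reproduces the Filesize figure shown for every dump above)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


if __name__ == "__main__":
    name = "memory/324-33-0x0000000000C70000-0x0000000000CA0000-memory.dmp"
    print(region(name), human_size(region_size(name)))
    print(identify({"md5": "ec5686f2f6eef77856a46505325aea33"}))
```

Two practitioner notes. IXP000.TMP and IXP001.TMP are the temporary folders that wextract.exe creates for IExpress-style self-extracting packages, so the four dropped files come from two extraction stages rather than from a download. And because the dump names carry absolute addresses, region_size() lets you pick the dump to open first without downloading all of them; for process 324 the 192KB region at 0xC70000 and the 6.1MB region at 0x5E10000 are the obvious starting points.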