healer | e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed | Triage

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 13:14 UTC

Sharing

Report Analysis Logs

General

Target

2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe
Size

479KB
MD5

31617cece5388ac8787754c9406975d7
SHA1

b3315488d6a9295329123bbbce1fd14ae7ed91a6
SHA256

2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731
SHA512

d3c6bcab9038bcd8de94f30909c7eb12abe56d9a6b04cd46440118f5eb1243499cf87839401a9915ab24c6091d4ce23ddea26ea0cc25fe13ae920d894414f6a7
SSDEEP

12288:EMrSy90QA01k9EdiY5c1u31vTEmyrZpYgGT7j+h5Va6e:+yoY9X9TwFpY57atTe

Score

10^/10

healer redline dumud dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral3/memory/1292-15-0x0000000002170000-0x000000000218A000-memory.dmp	healer
behavioral3/memory/1292-18-0x0000000004980000-0x0000000004998000-memory.dmp	healer
behavioral3/memory/1292-30-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-46-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-44-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-40-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-38-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-34-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-32-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-28-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-26-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-24-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-22-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-19-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-42-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-36-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral3/memory/1292-20-0x0000000004980000-0x0000000004992000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5841347.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5841347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k5841347.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5841347.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5841347.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5841347.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000700000002341f-51.dat	family_redline
behavioral3/memory/4776-53-0x00000000006D0000-0x0000000000700000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1624	y9740927.exe
1292	k5841347.exe
4776	l8089495.exe

Windows security modification 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k5841347.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5841347.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9740927.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1292	k5841347.exe
1292	k5841347.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	k5841347.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1624	1092	2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe	82
PID 1092 wrote to memory of 1624	1092	2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe	82
PID 1092 wrote to memory of 1624	1092	2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe	82
PID 1624 wrote to memory of 1292	1624	y9740927.exe	83
PID 1624 wrote to memory of 1292	1624	y9740927.exe	83
PID 1624 wrote to memory of 1292	1624	y9740927.exe	83
PID 1624 wrote to memory of 4776	1624	y9740927.exe	95
PID 1624 wrote to memory of 4776	1624	y9740927.exe	95
PID 1624 wrote to memory of 4776	1624	y9740927.exe	95

C:\Users\Admin\AppData\Local\Temp\2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe
"C:\Users\Admin\AppData\Local\Temp\2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe
    3⤵
    - Executes dropped EXE
    PID:4776

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8lfVJG5vTZEbHrw3P1wSYvDVUCUx5UmvtAoSwCAhJNPPWQ6zwYKKOJ_yqbbcEkxrgM_ubsupTe44QnXmFewHDIHN9aTXBsYxHo4i7BMONxo-0u5e7hJXINcXzN0MG8DSm5Znh7LReKshh3IpPwfrGwehVzOiqhpEL5OqOg1kU_HbIKYmQ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D098750c7deb813359e4736ec71f73dac&TIME=20240426T134308Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8lfVJG5vTZEbHrw3P1wSYvDVUCUx5UmvtAoSwCAhJNPPWQ6zwYKKOJ_yqbbcEkxrgM_ubsupTe44QnXmFewHDIHN9aTXBsYxHo4i7BMONxo-0u5e7hJXINcXzN0MG8DSm5Znh7LReKshh3IpPwfrGwehVzOiqhpEL5OqOg1kU_HbIKYmQ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D098750c7deb813359e4736ec71f73dac&TIME=20240426T134308Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=317A79D9877E6577273B6DA2869E64D1; domain=.bing.com; expires=Wed, 04-Jun-2025 13:15:22 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BF2434473F064859BFF9D1BD5AF6FF78 Ref B: LON04EDGE1208 Ref C: 2024-05-10T13:15:22Z
date: Fri, 10 May 2024 13:15:22 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8lfVJG5vTZEbHrw3P1wSYvDVUCUx5UmvtAoSwCAhJNPPWQ6zwYKKOJ_yqbbcEkxrgM_ubsupTe44QnXmFewHDIHN9aTXBsYxHo4i7BMONxo-0u5e7hJXINcXzN0MG8DSm5Znh7LReKshh3IpPwfrGwehVzOiqhpEL5OqOg1kU_HbIKYmQ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D098750c7deb813359e4736ec71f73dac&TIME=20240426T134308Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8lfVJG5vTZEbHrw3P1wSYvDVUCUx5UmvtAoSwCAhJNPPWQ6zwYKKOJ_yqbbcEkxrgM_ubsupTe44QnXmFewHDIHN9aTXBsYxHo4i7BMONxo-0u5e7hJXINcXzN0MG8DSm5Znh7LReKshh3IpPwfrGwehVzOiqhpEL5OqOg1kU_HbIKYmQ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D098750c7deb813359e4736ec71f73dac&TIME=20240426T134308Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=317A79D9877E6577273B6DA2869E64D1; _EDGE_S=SID=16CD998D75C163352ACA8DF674AD6222

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Uhf8K-L45kDTsyVDFK4Gbtpyc2nP3Tckf4J3MZewktU; domain=.bing.com; expires=Wed, 04-Jun-2025 13:15:23 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C353C883FD6E4697912F377A7D852A92 Ref B: LON04EDGE1208 Ref C: 2024-05-10T13:15:23Z
date: Fri, 10 May 2024 13:15:22 GMT
GET

https://www.bing.com/aes/c.gif?RG=ef24e622a6eb466f82c05c66dd93b049&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134308Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266

Remote address:

88.221.83.202:443

Request

GET /aes/c.gif?RG=ef24e622a6eb466f82c05c66dd93b049&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134308Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=317A79D9877E6577273B6DA2869E64D1

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FF8906EBED094EAA9217F5EE3EC10A24 Ref B: BRU30EDGE0614 Ref C: 2024-05-10T13:15:22Z
content-length: 0
date: Fri, 10 May 2024 13:15:22 GMT
set-cookie: _EDGE_S=SID=16CD998D75C163352ACA8DF674AD6222; path=/; httponly; domain=bing.com
set-cookie: MUIDB=317A79D9877E6577273B6DA2869E64D1; path=/; httponly; expires=Wed, 04-Jun-2025 13:15:22 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.c653dd58.1715346922.19b564e2
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

202.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.83.221.88.in-addr.arpa

IN PTR

Response

202.83.221.88.in-addr.arpa

IN PTR

a88-221-83-202deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

88.221.83.202:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=317A79D9877E6577273B6DA2869E64D1; _EDGE_S=SID=16CD998D75C163352ACA8DF674AD6222; MSPTC=Uhf8K-L45kDTsyVDFK4Gbtpyc2nP3Tckf4J3MZewktU; MUIDB=317A79D9877E6577273B6DA2869E64D1
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Fri, 10 May 2024 13:15:24 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.c653dd58.1715346924.19b56997
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

139.53.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

139.53.16.96.in-addr.arpa

IN PTR

Response

139.53.16.96.in-addr.arpa

IN PTR

a96-16-53-139deploystaticakamaitechnologiescom
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 382817
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 643B3F08D5024356978CD848F385651D Ref B: LON04EDGE1012 Ref C: 2024-05-10T13:16:56Z
date: Fri, 10 May 2024 13:16:56 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 499516
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 231A555F03B841BB87EF5C25B5F6C317 Ref B: LON04EDGE1012 Ref C: 2024-05-10T13:16:56Z
date: Fri, 10 May 2024 13:16:56 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 464243
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E17AF6939CAA49D5B0FA89CA4B7E2C5B Ref B: LON04EDGE1012 Ref C: 2024-05-10T13:16:56Z
date: Fri, 10 May 2024 13:16:56 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 476246
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7CA323D2AC2E4A2EB816C67EDF21BCC8 Ref B: LON04EDGE1012 Ref C: 2024-05-10T13:16:56Z
date: Fri, 10 May 2024 13:16:56 GMT
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

213.80.50.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.80.50.20.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8lfVJG5vTZEbHrw3P1wSYvDVUCUx5UmvtAoSwCAhJNPPWQ6zwYKKOJ_yqbbcEkxrgM_ubsupTe44QnXmFewHDIHN9aTXBsYxHo4i7BMONxo-0u5e7hJXINcXzN0MG8DSm5Znh7LReKshh3IpPwfrGwehVzOiqhpEL5OqOg1kU_HbIKYmQ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D098750c7deb813359e4736ec71f73dac&TIME=20240426T134308Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8lfVJG5vTZEbHrw3P1wSYvDVUCUx5UmvtAoSwCAhJNPPWQ6zwYKKOJ_yqbbcEkxrgM_ubsupTe44QnXmFewHDIHN9aTXBsYxHo4i7BMONxo-0u5e7hJXINcXzN0MG8DSm5Znh7LReKshh3IpPwfrGwehVzOiqhpEL5OqOg1kU_HbIKYmQ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D098750c7deb813359e4736ec71f73dac&TIME=20240426T134308Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8lfVJG5vTZEbHrw3P1wSYvDVUCUx5UmvtAoSwCAhJNPPWQ6zwYKKOJ_yqbbcEkxrgM_ubsupTe44QnXmFewHDIHN9aTXBsYxHo4i7BMONxo-0u5e7hJXINcXzN0MG8DSm5Znh7LReKshh3IpPwfrGwehVzOiqhpEL5OqOg1kU_HbIKYmQ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D098750c7deb813359e4736ec71f73dac&TIME=20240426T134308Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

HTTP Response

204
88.221.83.202:443

https://www.bing.com/aes/c.gif?RG=ef24e622a6eb466f82c05c66dd93b049&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134308Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266

tls, http2

1.4kB
5.3kB
16
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=ef24e622a6eb466f82c05c66dd93b049&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134308Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266

HTTP Response

200
88.221.83.202:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.5kB
6.3kB
15
11

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
217.196.96.101:4132

l8089495.exe

260 B
5
217.196.96.101:4132

l8089495.exe

260 B
5
217.196.96.101:4132

l8089495.exe

260 B
5
217.196.96.101:4132

l8089495.exe

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

64.4kB
1.9MB
1375
1370

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
217.196.96.101:4132

l8089495.exe

260 B
5
217.196.96.101:4132

l8089495.exe

208 B
4

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

202.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

202.83.221.88.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

139.53.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

139.53.16.96.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

213.80.50.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

213.80.50.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe

Filesize
307KB

MD5
9bdf388e7097e941c78a00799f4f4782

SHA1
b7c8e585a79710202c51201e0a064a924a4960dc

SHA256
70a63809823a29da0e2c059f044c0eebb88b69b423048530558c4d81695821cc

SHA512
45a0b0cae69e4950f4b5e9f11ee97f5cd958f0d87c78a78f4f0c3cbf13457f1f7be99c0e6d78a0dbfab736d707fa16f1a846586a985d582644f09ee5585fa0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe

Filesize
180KB

MD5
2abc60bf01928f91b0fd732fc843bded

SHA1
7c3fa32805ff83b21b9791085c19d91929d9da98

SHA256
be2409ec07808dd991d967c3a801f6bfc0849d8ac62fa13e6b6368277a9e2cff

SHA512
faa77cb7adc0772a07e6822a73d8831bd892a18d44bdc880c48daa5ebcd7888fef918252b1170c03bfe43ec76d5de3ec04d1763cf21abe2095adc95869140748

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe

Filesize
168KB

MD5
0bc5f2797494eb6b5f6e022d890f153f

SHA1
9fbecbe0e9f8f2f3c9f343a75e9086476c153cf6

SHA256
f5aaa70292c55d01baabc02cfa987a86ebee42f448d2e1ec1909c8ce72670901

SHA512
96d04febe6df69fa587c746330adefbe76a2cc8e2ac7aa34db80e13dbde5fa8a7544b91902d5bea73681fbd1910153653de26a2d756287269607340917a216fc

Download Submit
memory/1292-46-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-20-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-17-0x0000000004A70000-0x0000000005014000-memory.dmp

Filesize
5.6MB

Download
memory/1292-18-0x0000000004980000-0x0000000004998000-memory.dmp

Filesize
96KB

Download
memory/1292-30-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-15-0x0000000002170000-0x000000000218A000-memory.dmp

Filesize
104KB

Download
memory/1292-44-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-40-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-38-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-34-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-32-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-28-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-26-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-24-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-16-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1292-19-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-22-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-42-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-36-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1292-47-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1292-49-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/1292-14-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4776-53-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/4776-54-0x0000000002980000-0x0000000002986000-memory.dmp

Filesize
24KB

Download
memory/4776-57-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4776-56-0x0000000005120000-0x000000000522A000-memory.dmp

Filesize
1.0MB

Download
memory/4776-58-0x00000000050B0000-0x00000000050EC000-memory.dmp

Filesize
240KB

Download
memory/4776-59-0x0000000005230000-0x000000000527C000-memory.dmp

Filesize
304KB

Download
memory/4776-55-0x0000000005610000-0x0000000005C28000-memory.dmp

Filesize
6.1MB

Download