Analysis

  • max time kernel
    138s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 05:30

General

  • Target

    2b467ee19e1542f60392c1b29a264ffabce3e9a8da48a4707e8d8f1bea1d1244.exe

  • Size

    976KB

  • MD5

    be9ab75d36757186f2dd7ff0409992fc

  • SHA1

    aebd4f46a7c6c2c434799c24b53518a69c1e746a

  • SHA256

    2b467ee19e1542f60392c1b29a264ffabce3e9a8da48a4707e8d8f1bea1d1244

  • SHA512

    55fd789402126f83046de4c0177e86c08cdd93f49e63d46c0bbf65d649f6e3ea76c25143823cfb527f81b531128ed3c8f30922d866f3ceef45db3e16acb414f3

  • SSDEEP

    24576:1vnuUYmYIXcWzGAcq/ztggbB1A+xI9rz:0mYIXcWzGAcq/zE+29X

Malware Config

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b467ee19e1542f60392c1b29a264ffabce3e9a8da48a4707e8d8f1bea1d1244.exe
    "C:\Users\Admin\AppData\Local\Temp\2b467ee19e1542f60392c1b29a264ffabce3e9a8da48a4707e8d8f1bea1d1244.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1196

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    pastebin.com
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    172.67.19.24
    pastebin.com
    IN A
    104.20.3.235
    pastebin.com
    IN A
    104.20.4.235
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77deploystaticakamaitechnologiescom
  • flag-us
    GET
    https://pastebin.com/raw/NgsUAPya
    RegAsm.exe
    Remote address:
    172.67.19.24:443
    Request
    GET /raw/NgsUAPya HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 15 May 2024 05:32:08 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 504
    Last-Modified: Wed, 15 May 2024 05:23:44 GMT
    Server: cloudflare
    CF-RAY: 8840bee8e89e23e3-LHR
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    DNS
    nontento.top
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    nontento.top
    IN A
    Response
    nontento.top
    IN A
    95.217.242.180
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82F3oUixXrKxYfN13XT9AZTVUCUzBLZqS91CD-bGUknt_bAqsJEXv9I8wvFk7MuS9xvnABsQVwra8bUYiAp9TnR2DGWe3DHkRb7-LKqh6vfThoNLrCPSJoQWhGI7BKVc7MK_7DNl8EZCMh6AsLsUt3PkhwGmNZRoEvehugrREQCIdsb1G%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1c4d6ce3a0fd10a994960ac8092cfcc1&TIME=20240426T131945Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82F3oUixXrKxYfN13XT9AZTVUCUzBLZqS91CD-bGUknt_bAqsJEXv9I8wvFk7MuS9xvnABsQVwra8bUYiAp9TnR2DGWe3DHkRb7-LKqh6vfThoNLrCPSJoQWhGI7BKVc7MK_7DNl8EZCMh6AsLsUt3PkhwGmNZRoEvehugrREQCIdsb1G%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1c4d6ce3a0fd10a994960ac8092cfcc1&TIME=20240426T131945Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=20437D9FBD75681E3E42691FBC52690D; domain=.bing.com; expires=Mon, 09-Jun-2025 05:32:09 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 56D0E67CC0A54A20B21C8F9586F943BB Ref B: LON04EDGE0614 Ref C: 2024-05-15T05:32:09Z
    date: Wed, 15 May 2024 05:32:08 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82F3oUixXrKxYfN13XT9AZTVUCUzBLZqS91CD-bGUknt_bAqsJEXv9I8wvFk7MuS9xvnABsQVwra8bUYiAp9TnR2DGWe3DHkRb7-LKqh6vfThoNLrCPSJoQWhGI7BKVc7MK_7DNl8EZCMh6AsLsUt3PkhwGmNZRoEvehugrREQCIdsb1G%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1c4d6ce3a0fd10a994960ac8092cfcc1&TIME=20240426T131945Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82F3oUixXrKxYfN13XT9AZTVUCUzBLZqS91CD-bGUknt_bAqsJEXv9I8wvFk7MuS9xvnABsQVwra8bUYiAp9TnR2DGWe3DHkRb7-LKqh6vfThoNLrCPSJoQWhGI7BKVc7MK_7DNl8EZCMh6AsLsUt3PkhwGmNZRoEvehugrREQCIdsb1G%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1c4d6ce3a0fd10a994960ac8092cfcc1&TIME=20240426T131945Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=20437D9FBD75681E3E42691FBC52690D; _EDGE_S=SID=2A9D8F2B7D60611526CB9BAB7C286001
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=8US3BuP2PB5CSCcoqx-5c8sgAGZcmuSvYifl7IuTPEo; domain=.bing.com; expires=Mon, 09-Jun-2025 05:32:09 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4ED5C6CDB23F44D3ACFDC1AEDDF9C547 Ref B: LON04EDGE0614 Ref C: 2024-05-15T05:32:09Z
    date: Wed, 15 May 2024 05:32:08 GMT
  • flag-be
    GET
    https://www.bing.com/aes/c.gif?RG=564729856b9148a29bf42606e3d7fe38&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131945Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893
    Remote address:
    88.221.83.208:443
    Request
    GET /aes/c.gif?RG=564729856b9148a29bf42606e3d7fe38&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131945Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=20437D9FBD75681E3E42691FBC52690D
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0C1CA2EC6E404A3CA4F196451B578B33 Ref B: BRU30EDGE0815 Ref C: 2024-05-15T05:32:09Z
    content-length: 0
    date: Wed, 15 May 2024 05:32:09 GMT
    set-cookie: _EDGE_S=SID=2A9D8F2B7D60611526CB9BAB7C286001; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=20437D9FBD75681E3E42691FBC52690D; path=/; httponly; expires=Mon, 09-Jun-2025 05:32:09 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.cc53dd58.1715751129.8d4d2
  • flag-us
    DNS
    24.19.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.19.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    180.242.217.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.242.217.95.in-addr.arpa
    IN PTR
    Response
    180.242.217.95.in-addr.arpa
    IN PTR
    static18024221795clients your-serverde
  • flag-us
    DNS
    208.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.83.221.88.in-addr.arpa
    IN PTR
    Response
    208.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-208deploystaticakamaitechnologiescom
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.83.208:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=20437D9FBD75681E3E42691FBC52690D; _EDGE_S=SID=2A9D8F2B7D60611526CB9BAB7C286001; MSPTC=8US3BuP2PB5CSCcoqx-5c8sgAGZcmuSvYifl7IuTPEo; MUIDB=20437D9FBD75681E3E42691FBC52690D
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Wed, 15 May 2024 05:32:10 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.cc53dd58.1715751130.8d861
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.204.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.204.248.87.in-addr.arpa
    IN PTR
    Response
    0.204.248.87.in-addr.arpa
    IN PTR
    https-87-248-204-0lhrllnwnet
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 430689
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F1CD72FD3E9C4BF584AB645286C79FBD Ref B: LON04EDGE0706 Ref C: 2024-05-15T05:33:51Z
    date: Wed, 15 May 2024 05:33:50 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 634564
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A51C61B5DDFE4C2E9DCD961CB7133689 Ref B: LON04EDGE0706 Ref C: 2024-05-15T05:33:51Z
    date: Wed, 15 May 2024 05:33:50 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 415458
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 101BF2A0281D4AC08506410CC71A3A79 Ref B: LON04EDGE0706 Ref C: 2024-05-15T05:33:51Z
    date: Wed, 15 May 2024 05:33:50 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 659775
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D352D5D8DCF149AFB58598089B14385A Ref B: LON04EDGE0706 Ref C: 2024-05-15T05:33:51Z
    date: Wed, 15 May 2024 05:33:50 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 621794
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4F9EB661888F441081FA51CA92966E08 Ref B: LON04EDGE0706 Ref C: 2024-05-15T05:33:51Z
    date: Wed, 15 May 2024 05:33:50 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 637660
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4A8C960D887C45348027C38FE2E4F930 Ref B: LON04EDGE0706 Ref C: 2024-05-15T05:33:52Z
    date: Wed, 15 May 2024 05:33:51 GMT
  • 172.67.19.24:443
    https://pastebin.com/raw/NgsUAPya
    tls, http
    RegAsm.exe
    772 B
    5.7kB
    9
    9

    HTTP Request

    GET https://pastebin.com/raw/NgsUAPya

    HTTP Response

    200
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82F3oUixXrKxYfN13XT9AZTVUCUzBLZqS91CD-bGUknt_bAqsJEXv9I8wvFk7MuS9xvnABsQVwra8bUYiAp9TnR2DGWe3DHkRb7-LKqh6vfThoNLrCPSJoQWhGI7BKVc7MK_7DNl8EZCMh6AsLsUt3PkhwGmNZRoEvehugrREQCIdsb1G%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1c4d6ce3a0fd10a994960ac8092cfcc1&TIME=20240426T131945Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E
    tls, http2
    2.5kB
    8.9kB
    19
    15

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82F3oUixXrKxYfN13XT9AZTVUCUzBLZqS91CD-bGUknt_bAqsJEXv9I8wvFk7MuS9xvnABsQVwra8bUYiAp9TnR2DGWe3DHkRb7-LKqh6vfThoNLrCPSJoQWhGI7BKVc7MK_7DNl8EZCMh6AsLsUt3PkhwGmNZRoEvehugrREQCIdsb1G%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1c4d6ce3a0fd10a994960ac8092cfcc1&TIME=20240426T131945Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82F3oUixXrKxYfN13XT9AZTVUCUzBLZqS91CD-bGUknt_bAqsJEXv9I8wvFk7MuS9xvnABsQVwra8bUYiAp9TnR2DGWe3DHkRb7-LKqh6vfThoNLrCPSJoQWhGI7BKVc7MK_7DNl8EZCMh6AsLsUt3PkhwGmNZRoEvehugrREQCIdsb1G%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1c4d6ce3a0fd10a994960ac8092cfcc1&TIME=20240426T131945Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E

    HTTP Response

    204
  • 95.217.242.180:443
    nontento.top
    https
    RegAsm.exe
    515.0kB
    12.1kB
    381
    119
  • 88.221.83.208:443
    https://www.bing.com/aes/c.gif?RG=564729856b9148a29bf42606e3d7fe38&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131945Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893
    tls, http2
    1.4kB
    5.4kB
    15
    12

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=564729856b9148a29bf42606e3d7fe38&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131945Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893

    HTTP Response

    200
  • 88.221.83.208:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.6kB
    6.4kB
    17
    12

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    120.8kB
    3.5MB
    2568
    2564

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    pastebin.com
    dns
    RegAsm.exe
    58 B
    106 B
    1
    1

    DNS Request

    pastebin.com

    DNS Response

    172.67.19.24
    104.20.3.235
    104.20.4.235

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    nontento.top
    dns
    RegAsm.exe
    58 B
    74 B
    1
    1

    DNS Request

    nontento.top

    DNS Response

    95.217.242.180

  • 8.8.8.8:53
    24.19.67.172.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    24.19.67.172.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    180.242.217.95.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    180.242.217.95.in-addr.arpa

  • 8.8.8.8:53
    208.83.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    208.83.221.88.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    0.204.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.204.248.87.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1196-9-0x0000000074A20000-0x00000000751D0000-memory.dmp

    Filesize

    7.7MB

  • memory/1196-20-0x0000000074A20000-0x00000000751D0000-memory.dmp

    Filesize

    7.7MB

  • memory/1196-10-0x0000000006530000-0x000000000656C000-memory.dmp

    Filesize

    240KB

  • memory/1196-4-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

    Filesize

    4KB

  • memory/1196-5-0x0000000005190000-0x00000000051F6000-memory.dmp

    Filesize

    408KB

  • memory/1196-6-0x0000000005CD0000-0x00000000062E8000-memory.dmp

    Filesize

    6.1MB

  • memory/1196-7-0x0000000005740000-0x0000000005752000-memory.dmp

    Filesize

    72KB

  • memory/1196-8-0x0000000005870000-0x000000000597A000-memory.dmp

    Filesize

    1.0MB

  • memory/1196-18-0x0000000006BC0000-0x0000000006BDE000-memory.dmp

    Filesize

    120KB

  • memory/1196-1-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/1196-12-0x00000000068B0000-0x0000000006A72000-memory.dmp

    Filesize

    1.8MB

  • memory/1196-11-0x0000000006570000-0x00000000065BC000-memory.dmp

    Filesize

    304KB

  • memory/1196-13-0x0000000006FB0000-0x00000000074DC000-memory.dmp

    Filesize

    5.2MB

  • memory/1196-15-0x0000000006A80000-0x0000000006B12000-memory.dmp

    Filesize

    584KB

  • memory/1196-14-0x0000000007A90000-0x0000000008034000-memory.dmp

    Filesize

    5.6MB

  • memory/1196-17-0x0000000006BF0000-0x0000000006C66000-memory.dmp

    Filesize

    472KB

  • memory/1196-16-0x0000000006B20000-0x0000000006B70000-memory.dmp

    Filesize

    320KB

  • memory/1548-3-0x00000000009F0000-0x00000000009F1000-memory.dmp

    Filesize

    4KB

  • memory/1548-0-0x00000000009F0000-0x00000000009F1000-memory.dmp

    Filesize

    4KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.