Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22/05/2024, 18:38 UTC

General

  • Target

    32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe

  • Size

    1.2MB

  • MD5

    3cd4c28fa62c0cf93bf3eca5ef90e439

  • SHA1

    c6e956a087f43a24e4d6cf421a78b5671e9213b7

  • SHA256

    32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e

  • SHA512

    46a98da1e17c64052fa36ea544a8e8cfdd9b67735d441fc00c3b4917299393fceee61f61a1e024a0d0d375800d929e837c47099a8425d010b07d1353a4b7fec6

  • SSDEEP

    24576:PyeumwYs4AEjgXoSz+CGOOFmYWmZetNk84ps1Yu812Y:agZJaSCGOO1J3

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe
    "C:\Users\Admin\AppData\Local\Temp\32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rl1kg6QI.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rl1kg6QI.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wm1Vv3hD.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wm1Vv3hD.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5044
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VP36lc6.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VP36lc6.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4120
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:2276
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 584
              5⤵
              • Program crash
              PID:5056
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2fO859kL.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2fO859kL.exe
            4⤵
            • Executes dropped EXE
            PID:2968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
      1⤵
        PID:4716

      Network

      The HTTPS requests below to g.bing.com, www.bing.com and tse1.mm.bing.net are ad-impression beacons and 1920x1080 / 1080x1920 JPEG fetches made with the WindowsShellClient and Edge user agents, i.e. Windows shell background traffic captured alongside the sample. The only connections the report attributes to a dropped stage are those from 2fO859kL.exe to 77.91.124.86:19084, the RedLine C2 listed under Malware Config.

      • flag-us
        DNS
        232.168.11.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        232.168.11.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        133.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.dual-a-0034.a-msedge.net
        g-bing-com.dual-a-0034.a-msedge.net
        IN CNAME
        dual-a-0034.a-msedge.net
        dual-a-0034.a-msedge.net
        IN A
        204.79.197.237
        dual-a-0034.a-msedge.net
        IN A
        13.107.21.237
      • flag-us
        GET
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Mr7vzgEaCfzFfD4QeuqcKjVUCUzxhlAbHp151X0tRY1PskbkHk6ZU4ud3iqz8IKLnOLW254SuJnLo1nWRgcd71gkihX2butqogdwCkLY3hB-XgayiUrTJKWmjNW9cnuZunaBCPdID9mqR2yNZ--kUBQcQMGoZkzGmVeWt-1MyqxMmgTJ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D216ca2d2461810a89517c4e92290ce19&TIME=20240508T114022Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Mr7vzgEaCfzFfD4QeuqcKjVUCUzxhlAbHp151X0tRY1PskbkHk6ZU4ud3iqz8IKLnOLW254SuJnLo1nWRgcd71gkihX2butqogdwCkLY3hB-XgayiUrTJKWmjNW9cnuZunaBCPdID9mqR2yNZ--kUBQcQMGoZkzGmVeWt-1MyqxMmgTJ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D216ca2d2461810a89517c4e92290ce19&TIME=20240508T114022Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=0EA4B1DC3AD462B408BFA55B3BF363FC; domain=.bing.com; expires=Mon, 16-Jun-2025 18:38:55 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: A1589593171C44BBA7F18B2B4B088789 Ref B: LON04EDGE0611 Ref C: 2024-05-22T18:38:55Z
        date: Wed, 22 May 2024 18:38:54 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Mr7vzgEaCfzFfD4QeuqcKjVUCUzxhlAbHp151X0tRY1PskbkHk6ZU4ud3iqz8IKLnOLW254SuJnLo1nWRgcd71gkihX2butqogdwCkLY3hB-XgayiUrTJKWmjNW9cnuZunaBCPdID9mqR2yNZ--kUBQcQMGoZkzGmVeWt-1MyqxMmgTJ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D216ca2d2461810a89517c4e92290ce19&TIME=20240508T114022Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Mr7vzgEaCfzFfD4QeuqcKjVUCUzxhlAbHp151X0tRY1PskbkHk6ZU4ud3iqz8IKLnOLW254SuJnLo1nWRgcd71gkihX2butqogdwCkLY3hB-XgayiUrTJKWmjNW9cnuZunaBCPdID9mqR2yNZ--kUBQcQMGoZkzGmVeWt-1MyqxMmgTJ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D216ca2d2461810a89517c4e92290ce19&TIME=20240508T114022Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=0EA4B1DC3AD462B408BFA55B3BF363FC; _EDGE_S=SID=0CBDFF3709F8684525A6EBB008B06993
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=jwknCXoddPCHCbY61G8K6yHQqjFPa0X0-ux_pOE5EMg; domain=.bing.com; expires=Mon, 16-Jun-2025 18:38:56 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 6216688739FC48A89B2E34EE2BA4DFEF Ref B: LON04EDGE0611 Ref C: 2024-05-22T18:38:56Z
        date: Wed, 22 May 2024 18:38:55 GMT
      • flag-us
        DNS
        237.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        237.197.79.204.in-addr.arpa
        IN PTR
        Response
      • flag-nl
        GET
        https://www.bing.com/aes/c.gif?RG=ede3a7c4848444cd9459f91fae07336c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114022Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182
        Remote address:
        23.62.61.129:443
        Request
        GET /aes/c.gif?RG=ede3a7c4848444cd9459f91fae07336c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114022Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182 HTTP/2.0
        host: www.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=0EA4B1DC3AD462B408BFA55B3BF363FC
        Response
        HTTP/2.0 200
        cache-control: private,no-store
        pragma: no-cache
        vary: Origin
        p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: D75EE6E3CC664A619885118716B01B73 Ref B: BRU30EDGE0911 Ref C: 2024-05-22T18:38:55Z
        content-length: 0
        date: Wed, 22 May 2024 18:38:56 GMT
        set-cookie: _EDGE_S=SID=0CBDFF3709F8684525A6EBB008B06993; path=/; httponly; domain=bing.com
        set-cookie: MUIDB=0EA4B1DC3AD462B408BFA55B3BF363FC; path=/; httponly; expires=Mon, 16-Jun-2025 18:38:56 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.7d3d3e17.1716403135.1a30228a
      • flag-us
        DNS
        129.61.62.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        129.61.62.23.in-addr.arpa
        IN PTR
        Response
        129.61.62.23.in-addr.arpa
        IN PTR
        a23-62-61-129.deploy.static.akamaitechnologies.com
      • flag-nl
        GET
        https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        Remote address:
        23.62.61.97:443
        Request
        GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        cookie: MUID=0EA4B1DC3AD462B408BFA55B3BF363FC; _EDGE_S=SID=0CBDFF3709F8684525A6EBB008B06993; MSPTC=jwknCXoddPCHCbY61G8K6yHQqjFPa0X0-ux_pOE5EMg; MUIDB=0EA4B1DC3AD462B408BFA55B3BF363FC
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 1107
        date: Wed, 22 May 2024 18:39:00 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.5d3d3e17.1716403140.8a91973
      • flag-us
        DNS
        97.61.62.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.61.62.23.in-addr.arpa
        IN PTR
        Response
        97.61.62.23.in-addr.arpa
        IN PTR
        a23-62-61-97.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        13.86.106.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.86.106.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        56.126.166.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        56.126.166.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        157.123.68.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        157.123.68.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.197.17.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.197.17.2.in-addr.arpa
        IN PTR
        Response
        241.197.17.2.in-addr.arpa
        IN PTR
        a2-17-197-241.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        55.36.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        55.36.223.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        249.197.17.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        249.197.17.2.in-addr.arpa
        IN PTR
        Response
        249.197.17.2.in-addr.arpa
        IN PTR
        a2-17-197-249.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        43.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        43.229.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
        Response
        tse1.mm.bing.net
        IN CNAME
        mm-mm.bing.net.trafficmanager.net
        mm-mm.bing.net.trafficmanager.net
        IN CNAME
        dual-a-0001.a-msedge.net
        dual-a-0001.a-msedge.net
        IN A
        204.79.197.200
        dual-a-0001.a-msedge.net
        IN A
        13.107.21.200
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 555746
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: AB44A9E5ED3E4CF4BE22D5F9354A1F3C Ref B: LON04EDGE1214 Ref C: 2024-05-22T18:40:37Z
        date: Wed, 22 May 2024 18:40:36 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 638730
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: D488E920B8A144D9BF77E6932FB1468C Ref B: LON04EDGE1214 Ref C: 2024-05-22T18:40:37Z
        date: Wed, 22 May 2024 18:40:36 GMT
      • 204.79.197.237:443
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Mr7vzgEaCfzFfD4QeuqcKjVUCUzxhlAbHp151X0tRY1PskbkHk6ZU4ud3iqz8IKLnOLW254SuJnLo1nWRgcd71gkihX2butqogdwCkLY3hB-XgayiUrTJKWmjNW9cnuZunaBCPdID9mqR2yNZ--kUBQcQMGoZkzGmVeWt-1MyqxMmgTJ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D216ca2d2461810a89517c4e92290ce19&TIME=20240508T114022Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48
        tls, http2
        2.5kB
        9.0kB
        20
        17

        HTTP Request

        GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Mr7vzgEaCfzFfD4QeuqcKjVUCUzxhlAbHp151X0tRY1PskbkHk6ZU4ud3iqz8IKLnOLW254SuJnLo1nWRgcd71gkihX2butqogdwCkLY3hB-XgayiUrTJKWmjNW9cnuZunaBCPdID9mqR2yNZ--kUBQcQMGoZkzGmVeWt-1MyqxMmgTJ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D216ca2d2461810a89517c4e92290ce19&TIME=20240508T114022Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Mr7vzgEaCfzFfD4QeuqcKjVUCUzxhlAbHp151X0tRY1PskbkHk6ZU4ud3iqz8IKLnOLW254SuJnLo1nWRgcd71gkihX2butqogdwCkLY3hB-XgayiUrTJKWmjNW9cnuZunaBCPdID9mqR2yNZ--kUBQcQMGoZkzGmVeWt-1MyqxMmgTJ%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D216ca2d2461810a89517c4e92290ce19&TIME=20240508T114022Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

        HTTP Response

        204
      • 23.62.61.129:443
        https://www.bing.com/aes/c.gif?RG=ede3a7c4848444cd9459f91fae07336c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114022Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182
        tls, http2
        1.4kB
        5.4kB
        16
        12

        HTTP Request

        GET https://www.bing.com/aes/c.gif?RG=ede3a7c4848444cd9459f91fae07336c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114022Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

        HTTP Response

        200
      • 77.91.124.86:19084
        2fO859kL.exe
        260 B
        5
      • 23.62.61.97:443
        https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        tls, http2
        1.6kB
        6.4kB
        17
        12

        HTTP Request

        GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

        HTTP Response

        200
      • 77.91.124.86:19084
        2fO859kL.exe
        260 B
        5
      • 77.91.124.86:19084
        2fO859kL.exe
        260 B
        5
      • 77.91.124.86:19084
        2fO859kL.exe
        260 B
        5
      • 204.79.197.200:443
        https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        tls, http2
        43.3kB
        1.2MB
        908
        905

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Response

        200

        HTTP Response

        200
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
        8.1kB
        16
        14
      • 77.91.124.86:19084
        2fO859kL.exe
        260 B
        5
      • 77.91.124.86:19084
        2fO859kL.exe
        260 B
        5
      • 8.8.8.8:53
        232.168.11.51.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        232.168.11.51.in-addr.arpa

      • 8.8.8.8:53
        133.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        133.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
        151 B
        1
        1

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.237
        13.107.21.237

      • 8.8.8.8:53
        237.197.79.204.in-addr.arpa
        dns
        73 B
        143 B
        1
        1

        DNS Request

        237.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        129.61.62.23.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        129.61.62.23.in-addr.arpa

      • 8.8.8.8:53
        97.61.62.23.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        97.61.62.23.in-addr.arpa

      • 8.8.8.8:53
        13.86.106.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        13.86.106.20.in-addr.arpa

      • 8.8.8.8:53
        56.126.166.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        56.126.166.20.in-addr.arpa

      • 8.8.8.8:53
        157.123.68.40.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        157.123.68.40.in-addr.arpa

      • 8.8.8.8:53
        241.197.17.2.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        241.197.17.2.in-addr.arpa

      • 8.8.8.8:53
        55.36.223.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        55.36.223.20.in-addr.arpa

      • 8.8.8.8:53
        249.197.17.2.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        249.197.17.2.in-addr.arpa

      • 8.8.8.8:53
        43.229.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        43.229.111.52.in-addr.arpa

      • 8.8.8.8:53
        tse1.mm.bing.net
        dns
        62 B
        173 B
        1
        1

        DNS Request

        tse1.mm.bing.net

        DNS Response

        204.79.197.200
        13.107.21.200

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rl1kg6QI.exe

        Filesize

        763KB

        MD5

        8b1bbc64f50355395bcb1a5db47c745f

        SHA1

        d3d57a9c7287325bf4f93b069db72ada20c5922b

        SHA256

        828e120503deee9d6ef83b6e26c95671e95086f760aab0aa8e6cc1bdb8ed06e7

        SHA512

        a6e1f1ca3da8a5a22e5963d0c52ea6dceaf5227581d2d09267f9ff5f1344cce840265b1ef4d2ef4017a1981f311bc81444549cc42a33df09f96ec9315379c5fe

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wm1Vv3hD.exe

        Filesize

        567KB

        MD5

        78213866ad15926c9ea68fe266e35680

        SHA1

        7a84af9b69999f36879f8f109f2aceb8cbccd356

        SHA256

        8eceae7113c0962ccadb013a725105ef56a5e1ade3224a8940175ec5b4597ad0

        SHA512

        5eae3aaddaa217f1042c82e77cc61ae439d595d733d6bc89bf11392f9858be7aced1aeeeb1987726fa0ee7fa525e5452fc45995f99243e5f5ab3ba842f751a09

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VP36lc6.exe

        Filesize

        1.1MB

        MD5

        4ddfa486d37c166d7f8028d716e183a1

        SHA1

        0483954e904196b29207bad18bfcfc600d010131

        SHA256

        f3f79ebd412f4e7e5d854c17f4180c6245ae051bc04501473e631d31fbbbfa2f

        SHA512

        42ede28d0211888ae336ef18f09cb506afd3b7d5f5669f8693100aa0cfbca5a30374ae2a8289ab42b2fadbd5630a9d25117dfaf3e900548b270da634bf7fa31e

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2fO859kL.exe

        Filesize

        222KB

        MD5

        a260dc6564e820b08801e5d6cc832025

        SHA1

        d41fba701bac791a17603fae8dff964b97369e67

        SHA256

        9a967fc09ae600774f30dedaaf3378a064082e617132d7414728df288f8dad47

        SHA512

        f650440c7bfdbafbf838ba5d38aee2b1442e116cb53117d5f8019ab6d0549e9077a5bf74364db88657c5b95440a8c1bb920cb17e185fac0e44ee28b2b4de4d97

      • memory/2276-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2276-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2276-23-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2276-25-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2968-29-0x00000000005B0000-0x00000000005EE000-memory.dmp

        Filesize

        248KB

      • memory/2968-30-0x00000000077E0000-0x0000000007D84000-memory.dmp

        Filesize

        5.6MB

      • memory/2968-31-0x0000000007330000-0x00000000073C2000-memory.dmp

        Filesize

        584KB

      • memory/2968-32-0x0000000002760000-0x000000000276A000-memory.dmp

        Filesize

        40KB

      • memory/2968-33-0x00000000083B0000-0x00000000089C8000-memory.dmp

        Filesize

        6.1MB

      • memory/2968-34-0x0000000007D90000-0x0000000007E9A000-memory.dmp

        Filesize

        1.0MB

      • memory/2968-35-0x00000000076C0000-0x00000000076D2000-memory.dmp

        Filesize

        72KB

      • memory/2968-36-0x0000000007720000-0x000000000775C000-memory.dmp

        Filesize

        240KB

      • memory/2968-37-0x0000000007760000-0x00000000077AC000-memory.dmp

        Filesize

        304KB
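
      The indicators in this report (the SHA256 of each dropped stage under Downloads, the RedLine C2 under Malware Config, the Run key additions, and the AppLaunch.exe child of 1VP36lc6.exe that the Signatures section flags with SetThreadContext) as a hunting script. This is an added example, not part of the tria.ge report or of any tooling it describes. It matches the indicators against a simplified Sysmon-style event schema: the field names type / pid / image / parent_image / sha256 / dst_ip / dst_port / key are an assumption standing in for Sysmon event IDs 1, 3 and 13, the IXP???.TMP staging-directory glob is derived from the process tree above, and the sample events are constructed from that tree (the Run key value name is invented, since the report does not give one).

```python
"""Match this report's indicators against simplified Sysmon-style events.

Added example, not part of the tria.ge report. The event schema (type / pid /
image / parent_image / sha256 / dst_ip / dst_port / key) is an assumed stand-in
for Sysmon event IDs 1, 3 and 13; SAMPLE_EVENTS are constructed from the
process tree in the report and are not sandbox output.
"""
import fnmatch
import ntpath

# File indicators: SHA256 of each dropped stage, from the Downloads section.
DROPPED_SHA256 = {
    "828e120503deee9d6ef83b6e26c95671e95086f760aab0aa8e6cc1bdb8ed06e7": "IXP000.TMP\\rl1kg6QI.exe",
    "8eceae7113c0962ccadb013a725105ef56a5e1ade3224a8940175ec5b4597ad0": "IXP001.TMP\\Wm1Vv3hD.exe",
    "f3f79ebd412f4e7e5d854c17f4180c6245ae051bc04501473e631d31fbbbfa2f": "IXP002.TMP\\1VP36lc6.exe",
    "9a967fc09ae600774f30dedaaf3378a064082e617132d7414728df288f8dad47": "IXP002.TMP\\2fO859kL.exe",
}
# Network indicator: the RedLine C2 from the Malware Config section.
C2_ENDPOINTS = {("77.91.124.86", 19084)}

# Behavioural patterns from the Processes / Signatures sections.
STAGING_GLOB = "*\\appdata\\local\\temp\\ixp???.tmp\\*.exe"  # nested extraction dirs in the tree
HOLLOWING_TARGETS = {"applaunch.exe"}  # spawned by 1VP36lc6.exe, which used SetThreadContext
RUN_KEY_FRAGMENT = "\\microsoft\\windows\\currentversion\\run\\"
TEMP_FRAGMENT = "\\appdata\\local\\temp\\"


def in_staging_dir(path: str) -> bool:
    """True for executables under %TEMP%\\IXPnnn.TMP, the staging dirs seen in the tree."""
    return fnmatch.fnmatchcase(path.lower(), STAGING_GLOB)


def from_temp(path: str) -> bool:
    """True when the image lives anywhere under the user's Local\\Temp."""
    return TEMP_FRAGMENT in path.lower()


def triage(events):
    """Return (pid, finding, detail) tuples for every event that matches an indicator."""
    findings = []
    for ev in events:
        pid, image = ev["pid"], ev.get("image", "")
        if ev["type"] == "process":
            digest = ev.get("sha256", "").lower()
            if digest in DROPPED_SHA256:
                findings.append((pid, "known_dropped_stage", DROPPED_SHA256[digest]))
            elif in_staging_dir(image):
                findings.append((pid, "exe_in_temp_staging_dir", image))
            parent = ev.get("parent_image", "")
            # A .NET host binary started by an executable in Temp: the hollowing
            # pattern behind the SetThreadContext signature on 1VP36lc6.exe.
            if ntpath.basename(image).lower() in HOLLOWING_TARGETS and from_temp(parent):
                detail = f"{ntpath.basename(parent)} -> {ntpath.basename(image)}"
                findings.append((pid, "hollowing_candidate", detail))
        elif ev["type"] == "network":
            if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
                findings.append((pid, "c2_connection", f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif ev["type"] == "registry":
            if RUN_KEY_FRAGMENT in ev["key"].lower() and from_temp(image):
                findings.append((pid, "run_key_from_temp", ev["key"]))
    return findings


# Constructed events modelled on the process tree; PIDs and paths are the report's.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4260, "image": TEMP + r"\IXP000.TMP\rl1kg6QI.exe", "parent_image": ROOT,
     "sha256": "828e120503deee9d6ef83b6e26c95671e95086f760aab0aa8e6cc1bdb8ed06e7"},
    {"type": "process", "pid": 2968, "image": TEMP + r"\IXP002.TMP\2fO859kL.exe",
     "parent_image": TEMP + r"\IXP001.TMP\Wm1Vv3hD.exe",
     "sha256": "9a967fc09ae600774f30dedaaf3378a064082e617132d7414728df288f8dad47"},
    {"type": "process", "pid": 2276, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "parent_image": TEMP + r"\IXP002.TMP\1VP36lc6.exe", "sha256": ""},  # hash of the OS binary not in the report
    {"type": "registry", "pid": 2124, "image": ROOT,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\example"},  # value name constructed
    {"type": "network", "pid": 2968, "image": TEMP + r"\IXP002.TMP\2fO859kL.exe",
     "dst_ip": "77.91.124.86", "dst_port": 19084},
    # Constructed benign noise that must not match.
    {"type": "process", "pid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha256": ""},
    {"type": "network", "pid": 1001, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "204.79.197.237", "dst_port": 443},
]

if __name__ == "__main__":
    for pid, finding, detail in triage(SAMPLE_EVENTS):
        print(f"pid {pid:<5} {finding:<24} {detail}")
```

      Run against the constructed events it reports the two hash hits, the AppLaunch.exe hollowing candidate under 1VP36lc6.exe, the Run key written by the root sample and the C2 connection from 2fO859kL.exe, while the benign notepad.exe and the 204.79.197.237:443 connection produce nothing. Against real telemetry, feed it Sysmon process-create, network-connect and registry-set events mapped onto the same field names; the hash table will age quickly, the Temp-parent / AppLaunch.exe and Run-key-from-Temp patterns are the parts worth keeping.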