Analysis

  • max time kernel
    133s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 19:04

General

  • Target

    e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe

  • Size

    942KB

  • MD5

    bba52e4949076e23493f303121140f12

  • SHA1

    68fac8b6f4abca233af3fe66f8f956137d7e8bda

  • SHA256

    e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74

  • SHA512

    72bc8de3843e7100720b604e3156fe884f8f2b4a02d2c5b9b01c61caf6d1339b012ae339625e2032eeae6ef8bb90dcf6f87368830e193a3e6adb5b13efcb0911

  • SSDEEP

    12288:1MrWy90qwwTA4eeGo83wqmLwhZ+tRnJlDXKmmp2zWuc+UNd0+u3zDOB2KtEJ4N6l:zyT/4PmsrgjlDXMoWD/gD3V40g088x

Malware Config

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe
    "C:\Users\Admin\AppData\Local\Temp\e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3041458.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3041458.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0935809.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0935809.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3855419.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3855419.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4644
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6636474.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6636474.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2524
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              PID:1340
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 568
                6⤵
                • Program crash
                PID:4572
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5231884.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5231884.exe
              5⤵
              • Executes dropped EXE
              PID:872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2524 -ip 2524
      1⤵
      PID:704
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3444,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
        1⤵
        PID:2892

        Network

        • flag-us
          DNS
          8.8.8.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dns.google
        • flag-us
          DNS
          209.205.72.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          209.205.72.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          0.204.248.87.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          0.204.248.87.in-addr.arpa
          IN PTR
          Response
          0.204.248.87.in-addr.arpa
          IN PTR
          https-87-248-204-0.lhr.llnw.net
        • flag-us
          DNS
          4.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          4.159.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          228.249.119.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          228.249.119.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          g.bing.com
          Remote address:
          8.8.8.8:53
          Request
          g.bing.com
          IN A
          Response
          g.bing.com
          IN CNAME
          g-bing-com.dual-a-0034.a-msedge.net
          g-bing-com.dual-a-0034.a-msedge.net
          IN CNAME
          dual-a-0034.a-msedge.net
          dual-a-0034.a-msedge.net
          IN A
          204.79.197.237
          dual-a-0034.a-msedge.net
          IN A
          13.107.21.237
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MUID=375C30BA6A1D642D3F79243D6B3A65AB; domain=.bing.com; expires=Mon, 16-Jun-2025 19:05:06 GMT; path=/; SameSite=None; Secure; Priority=High;
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 28219B58550C4AFAAC2CE4F5E86A9FBB Ref B: LON04EDGE0610 Ref C: 2024-05-22T19:05:06Z
          date: Wed, 22 May 2024 19:05:05 GMT
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=375C30BA6A1D642D3F79243D6B3A65AB
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MSPTC=WqKY1SbponvHep_Svl8pzsT9fCnQQNVj0SqfllPQ2Ws; domain=.bing.com; expires=Mon, 16-Jun-2025 19:05:06 GMT; path=/; Partitioned; secure; SameSite=None
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 571FE611C6A34660B1D4C6E5F8114F51 Ref B: LON04EDGE0610 Ref C: 2024-05-22T19:05:06Z
          date: Wed, 22 May 2024 19:05:05 GMT
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=375C30BA6A1D642D3F79243D6B3A65AB; MSPTC=WqKY1SbponvHep_Svl8pzsT9fCnQQNVj0SqfllPQ2Ws
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: B44F1C7FFF9640E59D7639D760AA9401 Ref B: LON04EDGE0610 Ref C: 2024-05-22T19:05:06Z
          date: Wed, 22 May 2024 19:05:05 GMT
        • flag-us
          DNS
          237.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          237.197.79.204.in-addr.arpa
          IN PTR
          Response
        • flag-nl
          GET
          https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          Remote address:
          23.62.61.155:443
          Request
          GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
          host: www.bing.com
          accept: */*
          cookie: MUID=375C30BA6A1D642D3F79243D6B3A65AB; MSPTC=WqKY1SbponvHep_Svl8pzsT9fCnQQNVj0SqfllPQ2Ws
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-type: image/png
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          content-length: 1107
          date: Wed, 22 May 2024 19:05:07 GMT
          alt-svc: h3=":443"; ma=93600
          x-cdn-traceid: 0.973d3e17.1716404707.1c48bb23
        • flag-us
          DNS
          88.156.103.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          88.156.103.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          155.61.62.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          155.61.62.23.in-addr.arpa
          IN PTR
          Response
          155.61.62.23.in-addr.arpa
          IN PTR
          a23-62-61-155.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          217.106.137.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          217.106.137.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          50.23.12.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          50.23.12.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          198.187.3.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          198.187.3.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          19.229.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          19.229.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          0.205.248.87.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          0.205.248.87.in-addr.arpa
          IN PTR
          Response
          0.205.248.87.in-addr.arpa
          IN PTR
          https-87-248-205-0.lgw.llnw.net
        • flag-us
          DNS
          240.221.184.93.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          240.221.184.93.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 638730
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 8BF4D25E805D417287A1C2C31C38A663 Ref B: LON04EDGE1018 Ref C: 2024-05-22T19:06:44Z
          date: Wed, 22 May 2024 19:06:43 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 555746
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 48E524DF23A0431697F8F4984C5AA3EE Ref B: LON04EDGE1018 Ref C: 2024-05-22T19:06:44Z
          date: Wed, 22 May 2024 19:06:43 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 415458
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: C60A97F0382940499310382083C71AFE Ref B: LON04EDGE1018 Ref C: 2024-05-22T19:06:44Z
          date: Wed, 22 May 2024 19:06:43 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 430689
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 52C6FEA3B0C84B4D999B319487A6F533 Ref B: LON04EDGE1018 Ref C: 2024-05-22T19:06:44Z
          date: Wed, 22 May 2024 19:06:43 GMT
        • flag-us
          DNS
          43.58.199.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          43.58.199.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          200.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          200.197.79.204.in-addr.arpa
          IN PTR
          Response
          200.197.79.204.in-addr.arpa
          IN PTR
          a-0001.a-msedge.net
        • 204.79.197.237:443
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
          tls, http2
          2.0kB
          9.2kB
          21
          19

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

          HTTP Response

          204
        • 77.91.124.82:19071
          h5231884.exe
          260 B
          5
        • 23.62.61.155:443
          https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          tls, http2
          1.6kB
          7.6kB
          17
          12

          HTTP Request

          GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

          HTTP Response

          200
        • 77.91.124.82:19071
          h5231884.exe
          260 B
          5
        • 77.91.124.82:19071
          h5231884.exe
          260 B
          5
        • 77.91.124.82:19071
          h5231884.exe
          260 B
          5
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          16
          14
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          16
          14
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          16
          14
        • 204.79.197.200:443
          https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          tls, http2
          77.7kB
          2.1MB
          1551
          1547

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200
        • 77.91.124.82:19071
          h5231884.exe
          260 B
          5
        • 77.91.124.82:19071
          h5231884.exe
          260 B
          5
        • 8.8.8.8:53
          8.8.8.8.in-addr.arpa
          dns
          66 B
          90 B
          1
          1

          DNS Request

          8.8.8.8.in-addr.arpa

        • 8.8.8.8:53
          209.205.72.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          209.205.72.20.in-addr.arpa

        • 8.8.8.8:53
          0.204.248.87.in-addr.arpa
          dns
          71 B
          116 B
          1
          1

          DNS Request

          0.204.248.87.in-addr.arpa

        • 8.8.8.8:53
          4.159.190.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          4.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          228.249.119.40.in-addr.arpa
          dns
          73 B
          159 B
          1
          1

          DNS Request

          228.249.119.40.in-addr.arpa

        • 8.8.8.8:53
          g.bing.com
          dns
          56 B
          151 B
          1
          1

          DNS Request

          g.bing.com

          DNS Response

          204.79.197.237
          13.107.21.237

        • 8.8.8.8:53
          237.197.79.204.in-addr.arpa
          dns
          73 B
          143 B
          1
          1

          DNS Request

          237.197.79.204.in-addr.arpa

        • 8.8.8.8:53
          88.156.103.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          88.156.103.20.in-addr.arpa

        • 8.8.8.8:53
          155.61.62.23.in-addr.arpa
          dns
          71 B
          135 B
          1
          1

          DNS Request

          155.61.62.23.in-addr.arpa

        • 8.8.8.8:53
          217.106.137.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          217.106.137.52.in-addr.arpa

        • 8.8.8.8:53
          50.23.12.20.in-addr.arpa
          dns
          70 B
          156 B
          1
          1

          DNS Request

          50.23.12.20.in-addr.arpa

        • 8.8.8.8:53
          198.187.3.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          198.187.3.20.in-addr.arpa

        • 8.8.8.8:53
          19.229.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          19.229.111.52.in-addr.arpa

        • 8.8.8.8:53
          0.205.248.87.in-addr.arpa
          dns
          71 B
          116 B
          1
          1

          DNS Request

          0.205.248.87.in-addr.arpa

        • 8.8.8.8:53
          240.221.184.93.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          240.221.184.93.in-addr.arpa

        • 8.8.8.8:53
          tse1.mm.bing.net
          dns
          62 B
          173 B
          1
          1

          DNS Request

          tse1.mm.bing.net

          DNS Response

          204.79.197.200
          13.107.21.200

        • 8.8.8.8:53
          43.58.199.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          43.58.199.20.in-addr.arpa

        • 8.8.8.8:53
          200.197.79.204.in-addr.arpa
          dns
          73 B
          106 B
          1
          1

          DNS Request

          200.197.79.204.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3041458.exe

          Filesize

          840KB

          MD5

          d8050c8deeee7e32b9e1590cdacc9ce9

          SHA1

          1a453059b20191fffb80cb3df50a8c4d86655c27

          SHA256

          1ec1a4407e6e89e354e98b2e71c01699a558b1162a260ec8044c3227f79b212e

          SHA512

          d0065c931220cdd9fa9daa2791cbbd3c286f56b15223e698d3323627664d093b5a864e8062328af99288889ec7431ea82a7d1207fa858965db6ba40b79352332

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0935809.exe

          Filesize

          563KB

          MD5

          84c11718043a7223489608e0cf1d3862

          SHA1

          00125c2ecf62a9ab378b98209ba564086d2d2ce8

          SHA256

          d25d74570e847f853a1de2eb7506f01af1aa9050317a32bf57f1fdcf6cd94b57

          SHA512

          a55f55998efdada222d37fa768f76e99f81ea25cf92a3d1c76aa3eb1057e48f30885f35db5f31a23e7d506f36f5e348eae02491580482bebc1aa020b4799ba5b

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3855419.exe

          Filesize

          397KB

          MD5

          fd6937a5b9d790da61447ada24ce64c6

          SHA1

          dcd7f9e341ae313a516ace24be4c58a5d873c945

          SHA256

          ee77d51fe149445ee6356ec003930deb130922bc485a86044d9eb8da5eaec2ea

          SHA512

          60cdde8c717f20e04d9e70254e3d3457bf7f74fd2eaec4b29d27c1e405a82494d9ef4165b792c6028044a35d12f3f08261c0ec1bca8bbc8a4a525a60c49ed18d

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6636474.exe

          Filesize

          379KB

          MD5

          68d306db94ed0c2c3368c7f1996eebe4

          SHA1

          ff29e458999dc872d779f1ff4a66edd87fd45158

          SHA256

          36bb33f3f21f9b5f8dff30bc6a9b5b21108dab5dd6b03d29a15f1d39572a786c

          SHA512

          0c35e6f3b908472799a37860c866f7cbf9fdbb8c1df9b6ff8b612fca168116be714a880eac5791522e91803028cb4be22aa13951d2a364cb63c24384898f5c0a

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5231884.exe

          Filesize

          174KB

          MD5

          abeb13889416156609b938e05143441f

          SHA1

          76264e6c711f89fd8e96f6bb12be2a9867678259

          SHA256

          ad04617501d41fb2040b041a74f0787b15932b1899e6a0dec2d1ae9ecbe05bc4

          SHA512

          fe8832141d8e2a1d9fa6962f242a85a22ea07695615f31d8017a3bfbeeab65c9d5c0680180aa8feee5b453a473fa056d9da0638e27fe84894741c892554484b5

        • memory/872-36-0x0000000001250000-0x0000000001256000-memory.dmp

          Filesize

          24KB

        • memory/872-35-0x00000000008B0000-0x00000000008E0000-memory.dmp

          Filesize

          192KB

        • memory/872-37-0x0000000005890000-0x0000000005EA8000-memory.dmp

          Filesize

          6.1MB

        • memory/872-38-0x0000000005380000-0x000000000548A000-memory.dmp

          Filesize

          1.0MB

        • memory/872-39-0x0000000002CF0000-0x0000000002D02000-memory.dmp

          Filesize

          72KB

        • memory/872-40-0x00000000052B0000-0x00000000052EC000-memory.dmp

          Filesize

          240KB

        • memory/872-41-0x00000000052F0000-0x000000000533C000-memory.dmp

          Filesize

          304KB

        • memory/1340-29-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1340-31-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1340-28-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB
