Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23/05/2024, 10:02 UTC

General

  • Target

    14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe

  • Size

    1.1MB

  • MD5

    b0be87fbefa8fb816eda48b5873f30e6

  • SHA1

    580f46fb499394653f1c7a29a1bc0baccad32c0a

  • SHA256

    14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19

  • SHA512

    b7292045ce5adf9297dc9a4e68f9f749cab705e8dfb229fb4a8159d675d627ddd741733f6d06ca36b9987c3f8ea9f4d3fc61a9135dd18d3c7af176be124769f8

  • SSDEEP

    24576:Jy29JdP9SYg8rvouFInG4qc3+BbLMtuQ/dIkFSE9s31hV:825FSYggoIInGu42uqdIke31h

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe
    "C:\Users\Admin\AppData\Local\Temp\14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11EO0041.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11EO0041.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:2568
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Zu663.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Zu663.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:1708

      Network

      • flag-us
        DNS
        13.86.106.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.86.106.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        67.31.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        67.31.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        133.211.185.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.211.185.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.dual-a-0034.a-msedge.net
        g-bing-com.dual-a-0034.a-msedge.net
        IN CNAME
        dual-a-0034.a-msedge.net
        dual-a-0034.a-msedge.net
        IN A
        204.79.197.237
        dual-a-0034.a-msedge.net
        IN A
        13.107.21.237
      • flag-us
        GET
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=531035994&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=531035994&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=1A4DC791FC146A0C2991D319FDF46BDE; domain=.bing.com; expires=Tue, 17-Jun-2025 10:03:05 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 5DA2D003B5494DE599A1AA5D52F4C76F Ref B: LON04EDGE1006 Ref C: 2024-05-23T10:03:05Z
        date: Thu, 23 May 2024 10:03:04 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=1A4DC791FC146A0C2991D319FDF46BDE; _EDGE_S=SID=146F0E6ED020645E3ABA1AE6D1596595
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=SXjcbxAfVxIwOdNbXf4cc7FFidEIyV-vBYraB3W43Ys; domain=.bing.com; expires=Tue, 17-Jun-2025 10:03:05 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 956DB7952922490D803E24D2197BAE52 Ref B: LON04EDGE1006 Ref C: 2024-05-23T10:03:05Z
        date: Thu, 23 May 2024 10:03:04 GMT
      • flag-nl
        GET
        https://www.bing.com/aes/c.gif?RG=e9b42bdfca6043a783900be0ee25f04f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113320Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182
        Remote address:
        23.62.61.160:443
        Request
        GET /aes/c.gif?RG=e9b42bdfca6043a783900be0ee25f04f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113320Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182 HTTP/2.0
        host: www.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=1A4DC791FC146A0C2991D319FDF46BDE
        Response
        HTTP/2.0 200
        cache-control: private,no-store
        pragma: no-cache
        vary: Origin
        p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: C34EC8599F894D7294C9E77E2B1BE999 Ref B: LON212050719039 Ref C: 2024-05-23T10:03:05Z
        content-length: 0
        date: Thu, 23 May 2024 10:03:05 GMT
        set-cookie: _EDGE_S=SID=146F0E6ED020645E3ABA1AE6D1596595; path=/; httponly; domain=bing.com
        set-cookie: MUIDB=1A4DC791FC146A0C2991D319FDF46BDE; path=/; httponly; expires=Tue, 17-Jun-2025 10:03:05 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.9c3d3e17.1716458585.7ed412b
      • flag-us
        DNS
        237.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        237.197.79.204.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        160.61.62.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        160.61.62.23.in-addr.arpa
        IN PTR
        Response
        160.61.62.23.in-addr.arpa
        IN PTR
        a23-62-61-160deploystaticakamaitechnologiescom
      • flag-nl
        GET
        https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        Remote address:
        23.62.61.160:443
        Request
        GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        cookie: MUID=1A4DC791FC146A0C2991D319FDF46BDE; _EDGE_S=SID=146F0E6ED020645E3ABA1AE6D1596595; MSPTC=SXjcbxAfVxIwOdNbXf4cc7FFidEIyV-vBYraB3W43Ys; MUIDB=1A4DC791FC146A0C2991D319FDF46BDE
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 1107
        date: Thu, 23 May 2024 10:03:06 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.9c3d3e17.1716458586.7ed43d2
      • flag-us
        DNS
        55.36.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        55.36.223.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        217.106.137.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.106.137.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        28.118.140.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        28.118.140.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        26.165.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        26.165.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        15.164.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        15.164.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        43.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        43.229.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
        Response
        tse1.mm.bing.net
        IN CNAME
        mm-mm.bing.net.trafficmanager.net
        mm-mm.bing.net.trafficmanager.net
        IN CNAME
        dual-a-0001.a-msedge.net
        dual-a-0001.a-msedge.net
        IN A
        204.79.197.200
        dual-a-0001.a-msedge.net
        IN A
        13.107.21.200
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 555746
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: C90EE260C2B941F28BF08D6055A5B3BD Ref B: LON04EDGE0621 Ref C: 2024-05-23T10:04:44Z
        date: Thu, 23 May 2024 10:04:43 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 638730
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: F33D9966B42042FC95E2AC71FC28E409 Ref B: LON04EDGE0621 Ref C: 2024-05-23T10:04:44Z
        date: Thu, 23 May 2024 10:04:43 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 659775
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 287D33C599FF441BB7010FA2421BCD49 Ref B: LON04EDGE0621 Ref C: 2024-05-23T10:04:44Z
        date: Thu, 23 May 2024 10:04:43 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 621794
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 56787D04D6AA4C15BF139C5D79E5F7BE Ref B: LON04EDGE0621 Ref C: 2024-05-23T10:04:44Z
        date: Thu, 23 May 2024 10:04:43 GMT
      • flag-us
        DNS
        198.111.78.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        198.111.78.13.in-addr.arpa
        IN PTR
        Response
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        AppLaunch.exe
        260 B
        5
      • 204.79.197.237:443
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48
        tls, http2
        2.6kB
        9.0kB
        20
        17

        HTTP Request

        GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=531035994&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8nYQZjUMUXYGux9VoBWwRJDVUCUw1b9GuT9YtvC1MxbCevlmj-70gWhxTrQIZk0WRi2pL6AKGXZuhKK_X3mqWGeRjeRlMPRIq1DwM87uveC0W4EOFtiuq2B-UwyCU0xwPjR0PIgSl8LauAv8IYRFIbpjGxReLFVLgQ8m1PsBkXmfuWV_v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3Ded80a89694bf1f8c46c5ceadf67f5c13&TIME=20240508T113320Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

        HTTP Response

        204
      • 23.62.61.160:443
        https://www.bing.com/aes/c.gif?RG=e9b42bdfca6043a783900be0ee25f04f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113320Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182
        tls, http2
        1.4kB
        5.3kB
        16
        10

        HTTP Request

        GET https://www.bing.com/aes/c.gif?RG=e9b42bdfca6043a783900be0ee25f04f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113320Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

        HTTP Response

        200
      • 23.62.61.160:443
        https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        tls, http2
        1.6kB
        6.4kB
        17
        12

        HTTP Request

        GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

        HTTP Response

        200
      • 194.49.94.152:50500
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        AppLaunch.exe
        260 B
        5
      • 204.79.197.200:443
        https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        tls, http2
        88.3kB
        2.6MB
        1877
        1871

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.3kB
        8.5kB
        17
        14
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.3kB
        8.5kB
        17
        14
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.3kB
        8.5kB
        17
        14
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 8.8.8.8:53
        13.86.106.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        13.86.106.20.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        67.31.126.40.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        67.31.126.40.in-addr.arpa

      • 8.8.8.8:53
        133.211.185.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        133.211.185.52.in-addr.arpa

      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
        151 B
        1
        1

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.237
        13.107.21.237

      • 8.8.8.8:53
        237.197.79.204.in-addr.arpa
        dns
        73 B
        143 B
        1
        1

        DNS Request

        237.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        160.61.62.23.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        160.61.62.23.in-addr.arpa

      • 8.8.8.8:53
        55.36.223.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        55.36.223.20.in-addr.arpa

      • 8.8.8.8:53
        217.106.137.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        217.106.137.52.in-addr.arpa

      • 8.8.8.8:53
        28.118.140.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        28.118.140.52.in-addr.arpa

      • 8.8.8.8:53
        26.165.165.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        26.165.165.52.in-addr.arpa

      • 8.8.8.8:53
        15.164.165.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        15.164.165.52.in-addr.arpa

      • 8.8.8.8:53
        43.229.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        43.229.111.52.in-addr.arpa

      • 8.8.8.8:53
        tse1.mm.bing.net
        dns
        62 B
        173 B
        1
        1

        DNS Request

        tse1.mm.bing.net

        DNS Response

        204.79.197.200
        13.107.21.200

      • 8.8.8.8:53
        198.111.78.13.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        198.111.78.13.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11EO0041.exe

        Filesize

        1.1MB

        MD5

        7ce2856f7d27efaf76b33765a7859ad3

        SHA1

        292a9ac5216f71a8c9858169c46a1797b27e530d

        SHA256

        4dd502f1c6b2373660a1a9c0ed7114649ef9abb26d2812003c62a6dd98e4a205

        SHA512

        571221efa90160376e6cd6f6e7dca3a23bd194876cd952f387c7b663750ed6a9f4f017664ac0393dc80852261779f1f1b28ef0cb513e091b093c47caf7cb4de2

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Zu663.exe

        Filesize

        2.4MB

        MD5

        cc91fef9c297d0fe5eb417c1afabc474

        SHA1

        6941d8209cadf07100606b65ca7b66eb8f47cd1f

        SHA256

        92bdf0c031747ef12099e9d371b82bf5370598ad47840af9f79e5f57627a589f

        SHA512

        a3248d0acb4488d3ee023dd2a1b9b53b6ef3cc1b2218a75a74d7c9231b34b045d773060251e018db23ef1f5b3244f78136aa2f2e9f10372fcea2ef9fac118c08

      • memory/1708-22-0x0000000000400000-0x0000000000547000-memory.dmp

        Filesize

        1.3MB

      • memory/1708-25-0x0000000000400000-0x0000000000547000-memory.dmp

        Filesize

        1.3MB

      • memory/1708-24-0x0000000000400000-0x0000000000547000-memory.dmp

        Filesize

        1.3MB

      • memory/1708-21-0x0000000000400000-0x0000000000547000-memory.dmp

        Filesize

        1.3MB

      • memory/2568-16-0x0000000008D40000-0x0000000009358000-memory.dmp

        Filesize

        6.1MB

      • memory/2568-15-0x0000000074970000-0x0000000075120000-memory.dmp

        Filesize

        7.7MB

      • memory/2568-14-0x00000000030E0000-0x00000000030EA000-memory.dmp

        Filesize

        40KB

      • memory/2568-17-0x0000000007F30000-0x000000000803A000-memory.dmp

        Filesize

        1.0MB

      • memory/2568-18-0x0000000007DA0000-0x0000000007DB2000-memory.dmp

        Filesize

        72KB

      • memory/2568-19-0x0000000007E20000-0x0000000007E5C000-memory.dmp

        Filesize

        240KB

      • memory/2568-20-0x0000000007E60000-0x0000000007EAC000-memory.dmp

        Filesize

        304KB

      • memory/2568-13-0x0000000007BC0000-0x0000000007C52000-memory.dmp

        Filesize

        584KB

      • memory/2568-12-0x0000000008170000-0x0000000008714000-memory.dmp

        Filesize

        5.6MB

      • memory/2568-10-0x000000007497E000-0x000000007497F000-memory.dmp

        Filesize

        4KB

      • memory/2568-7-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

      • memory/2568-26-0x000000007497E000-0x000000007497F000-memory.dmp

        Filesize

        4KB

      • memory/2568-27-0x0000000074970000-0x0000000075120000-memory.dmp

        Filesize

        7.7MB
