Analysis

  • max time kernel
    134s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 09:40

General

  • Target

    9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe

  • Size

    234KB

  • MD5

    45e93a000b07f25fe943fdf1f7b65357

  • SHA1

    87725546f53447d680f47e63a0cc581dcd4503fa

  • SHA256

    9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755

  • SHA512

    83cb89078894b96f0bf1f7a8ef6b2983d7e21f60bd575004772267424c4603b75e18f9f805535634a9678aa58494f25eb83fdfc36553f25b3c80bdd4691b2c6d

  • SSDEEP

    6144:KBy+bnr+2p0yN90QEHBKyBErKK+iBI/cl:/Mryy90ZxBEz+iBIEl

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

  • rc4.plain

    1: 006700e5a2ab05704bbb0c589b88924d

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe
    "C:\Users\Admin\AppData\Local\Temp\9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q7686010.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q7686010.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7196851.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7196851.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:392
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:396
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:680
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:4028
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "explonde.exe" /P "Admin:N"
              5⤵
                PID:3648
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "explonde.exe" /P "Admin:R" /E
                5⤵
                  PID:2900
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:4968
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\fefffe8cea" /P "Admin:N"
                    5⤵
                      PID:4572
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\fefffe8cea" /P "Admin:R" /E
                      5⤵
                        PID:2540
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                1⤵
                • Executes dropped EXE
                PID:1172
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                1⤵
                • Executes dropped EXE
                PID:1548

              Network

              • flag-us
                DNS
                104.219.191.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                104.219.191.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                203.107.17.2.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                203.107.17.2.in-addr.arpa
                IN PTR
                Response
                203.107.17.2.in-addr.arpa
                IN PTR
                a2-17-107-203.deploy.static.akamaitechnologies.com
              • flag-us
                DNS
                g.bing.com
                Remote address:
                8.8.8.8:53
                Request
                g.bing.com
                IN A
                Response
                g.bing.com
                IN CNAME
                g-bing-com.dual-a-0034.a-msedge.net
                g-bing-com.dual-a-0034.a-msedge.net
                IN CNAME
                dual-a-0034.dc-msedge.net
                dual-a-0034.dc-msedge.net
                IN A
                131.253.33.237
                dual-a-0034.dc-msedge.net
                IN A
                13.107.22.237
              • flag-us
                GET
                https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
                Remote address:
                131.253.33.237:443
                Request
                GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
                host: g.bing.com
                accept-encoding: gzip, deflate
                user-agent: WindowsShellClient/9.0.40929.0 (Windows)
                Response
                HTTP/2.0 204
                cache-control: no-cache, must-revalidate
                pragma: no-cache
                expires: Fri, 01 Jan 1990 00:00:00 GMT
                set-cookie: MUID=0F478DA7DA8867951A70992FDB8E664D; domain=.bing.com; expires=Tue, 17-Jun-2025 09:42:13 GMT; path=/; SameSite=None; Secure; Priority=High;
                strict-transport-security: max-age=31536000; includeSubDomains; preload
                access-control-allow-origin: *
                x-cache: CONFIG_NOCACHE
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 3485AD07EE0246EA8977D59DFC215996 Ref B: LON212050703033 Ref C: 2024-05-23T09:42:13Z
                date: Thu, 23 May 2024 09:42:12 GMT
              • flag-us
                GET
                https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
                Remote address:
                131.253.33.237:443
                Request
                GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
                host: g.bing.com
                accept-encoding: gzip, deflate
                user-agent: WindowsShellClient/9.0.40929.0 (Windows)
                cookie: MUID=0F478DA7DA8867951A70992FDB8E664D; _EDGE_S=SID=12F7E2377074662C1C00F6BF7118678B
                Response
                HTTP/2.0 204
                cache-control: no-cache, must-revalidate
                pragma: no-cache
                expires: Fri, 01 Jan 1990 00:00:00 GMT
                set-cookie: MSPTC=TEi-2eTW4dyiUBDsfA6r6sL3b7RT2VzrfwCS6jhrGxg; domain=.bing.com; expires=Tue, 17-Jun-2025 09:42:13 GMT; path=/; Partitioned; secure; SameSite=None
                strict-transport-security: max-age=31536000; includeSubDomains; preload
                access-control-allow-origin: *
                x-cache: CONFIG_NOCACHE
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: F307C8667A67484C9DE7B97CAB8896C6 Ref B: LON212050703033 Ref C: 2024-05-23T09:42:13Z
                date: Thu, 23 May 2024 09:42:13 GMT
              • flag-nl
                GET
                https://www.bing.com/aes/c.gif?RG=0db1dd24404b44958046b95868bb291e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131134Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
                Remote address:
                23.62.61.155:443
                Request
                GET /aes/c.gif?RG=0db1dd24404b44958046b95868bb291e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131134Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
                host: www.bing.com
                accept-encoding: gzip, deflate
                user-agent: WindowsShellClient/9.0.40929.0 (Windows)
                cookie: MUID=0F478DA7DA8867951A70992FDB8E664D
                Response
                HTTP/2.0 200
                cache-control: private,no-store
                pragma: no-cache
                vary: Origin
                p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: A8450BFC701E4809A4D9042F7412B295 Ref B: BRU30EDGE0610 Ref C: 2024-05-23T09:42:13Z
                content-length: 0
                date: Thu, 23 May 2024 09:42:13 GMT
                set-cookie: _EDGE_S=SID=12F7E2377074662C1C00F6BF7118678B; path=/; httponly; domain=bing.com
                set-cookie: MUIDB=0F478DA7DA8867951A70992FDB8E664D; path=/; httponly; expires=Tue, 17-Jun-2025 09:42:13 GMT
                alt-svc: h3=":443"; ma=93600
                x-cdn-traceid: 0.973d3e17.1716457333.1f1946cd
              • flag-us
                DNS
                237.33.253.131.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                237.33.253.131.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                14.160.190.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                14.160.190.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                95.221.229.192.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                95.221.229.192.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                155.61.62.23.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                155.61.62.23.in-addr.arpa
                IN PTR
                Response
                155.61.62.23.in-addr.arpa
                IN PTR
                a23-62-61-155.deploy.static.akamaitechnologies.com
              • flag-nl
                GET
                https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
                Remote address:
                23.62.61.155:443
                Request
                GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
                host: www.bing.com
                accept: */*
                cookie: MUID=0F478DA7DA8867951A70992FDB8E664D; _EDGE_S=SID=12F7E2377074662C1C00F6BF7118678B; MSPTC=TEi-2eTW4dyiUBDsfA6r6sL3b7RT2VzrfwCS6jhrGxg; MUIDB=0F478DA7DA8867951A70992FDB8E664D
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-type: image/png
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                content-length: 1107
                date: Thu, 23 May 2024 09:42:14 GMT
                alt-svc: h3=":443"; ma=93600
                x-cdn-traceid: 0.973d3e17.1716457334.1f19523e
              • flag-us
                DNS
                88.156.103.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                88.156.103.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                55.36.223.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                55.36.223.20.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                48.229.111.52.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                48.229.111.52.in-addr.arpa
                IN PTR
                Response
              • flag-us
                DNS
                tse1.mm.bing.net
                Remote address:
                8.8.8.8:53
                Request
                tse1.mm.bing.net
                IN A
                Response
                tse1.mm.bing.net
                IN CNAME
                mm-mm.bing.net.trafficmanager.net
                mm-mm.bing.net.trafficmanager.net
                IN CNAME
                dual-a-0001.a-msedge.net
                dual-a-0001.a-msedge.net
                IN A
                204.79.197.200
                dual-a-0001.a-msedge.net
                IN A
                13.107.21.200
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 659775
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 36E7AF5DFEBF4167AE57CD912F2EC180 Ref B: LON04EDGE1221 Ref C: 2024-05-23T09:43:47Z
                date: Thu, 23 May 2024 09:43:46 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 792794
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 21855B6A5C0D4C1E806220EB9B24F799 Ref B: LON04EDGE1221 Ref C: 2024-05-23T09:43:47Z
                date: Thu, 23 May 2024 09:43:46 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 627437
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 45A76309426B4D33939C5D963523C651 Ref B: LON04EDGE1221 Ref C: 2024-05-23T09:43:47Z
                date: Thu, 23 May 2024 09:43:46 GMT
              • flag-us
                GET
                https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                Remote address:
                204.79.197.200:443
                Request
                GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
                host: tse1.mm.bing.net
                accept: */*
                accept-encoding: gzip, deflate, br
                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                Response
                HTTP/2.0 200
                cache-control: public, max-age=2592000
                content-length: 621794
                content-type: image/jpeg
                x-cache: TCP_HIT
                access-control-allow-origin: *
                access-control-allow-headers: *
                access-control-allow-methods: GET, POST, OPTIONS
                timing-allow-origin: *
                report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                x-msedge-ref: Ref A: 685830E06FE8447A8B2850E9A90B1FAD Ref B: LON04EDGE1221 Ref C: 2024-05-23T09:43:47Z
                date: Thu, 23 May 2024 09:43:47 GMT
              • flag-us
                DNS
                25.73.42.20.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                25.73.42.20.in-addr.arpa
                IN PTR
                Response
              • 131.253.33.237:443
                https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
                tls, http2
                2.5kB
                9.0kB
                19
                17

                HTTP Request

                GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

                HTTP Response

                204

                HTTP Request

                GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

                HTTP Response

                204
              • 23.62.61.155:443
                https://www.bing.com/aes/c.gif?RG=0db1dd24404b44958046b95868bb291e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131134Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
                tls, http2
                1.5kB
                5.3kB
                17
                11

                HTTP Request

                GET https://www.bing.com/aes/c.gif?RG=0db1dd24404b44958046b95868bb291e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131134Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

                HTTP Response

                200
              • 23.62.61.155:443
                https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
                tls, http2
                1.7kB
                6.4kB
                18
                13

                HTTP Request

                GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

                HTTP Response

                200
              • 77.91.68.52:80
                explonde.exe
                260 B
                5
              • 77.91.68.52:80
                explonde.exe
                260 B
                5
              • 52.111.227.14:443
                322 B
                7
              • 77.91.68.52:80
                explonde.exe
                260 B
                5
              • 204.79.197.200:443
                https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                tls, http2
                102.4kB
                2.8MB
                2025
                2021

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

                HTTP Request

                GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

                HTTP Response

                200

                HTTP Response

                200

                HTTP Response

                200

                HTTP Response

                200
              • 204.79.197.200:443
                tse1.mm.bing.net
                tls, http2
                1.2kB
                8.1kB
                16
                14
              • 204.79.197.200:443
                tse1.mm.bing.net
                tls, http2
                1.2kB
                8.1kB
                16
                14
              • 204.79.197.200:443
                tse1.mm.bing.net
                tls, http2
                1.2kB
                8.1kB
                16
                14
              • 8.8.8.8:53
                104.219.191.52.in-addr.arpa
                dns
                73 B
                147 B
                1
                1

                DNS Request

                104.219.191.52.in-addr.arpa

              • 8.8.8.8:53
                203.107.17.2.in-addr.arpa
                dns
                71 B
                135 B
                1
                1

                DNS Request

                203.107.17.2.in-addr.arpa

              • 8.8.8.8:53
                g.bing.com
                dns
                56 B
                173 B
                1
                1

                DNS Request

                g.bing.com

                DNS Response

                131.253.33.237
                13.107.22.237

              • 8.8.8.8:53
                237.33.253.131.in-addr.arpa
                dns
                73 B
                143 B
                1
                1

                DNS Request

                237.33.253.131.in-addr.arpa

              • 8.8.8.8:53
                14.160.190.20.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                14.160.190.20.in-addr.arpa

              • 8.8.8.8:53
                95.221.229.192.in-addr.arpa
                dns
                73 B
                144 B
                1
                1

                DNS Request

                95.221.229.192.in-addr.arpa

              • 8.8.8.8:53
                155.61.62.23.in-addr.arpa
                dns
                71 B
                135 B
                1
                1

                DNS Request

                155.61.62.23.in-addr.arpa

              • 8.8.8.8:53
                88.156.103.20.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                88.156.103.20.in-addr.arpa

              • 8.8.8.8:53
                55.36.223.20.in-addr.arpa
                dns
                71 B
                157 B
                1
                1

                DNS Request

                55.36.223.20.in-addr.arpa

              • 8.8.8.8:53
                48.229.111.52.in-addr.arpa
                dns
                72 B
                158 B
                1
                1

                DNS Request

                48.229.111.52.in-addr.arpa

              • 8.8.8.8:53
                tse1.mm.bing.net
                dns
                62 B
                173 B
                1
                1

                DNS Request

                tse1.mm.bing.net

                DNS Response

                204.79.197.200
                13.107.21.200

              • 8.8.8.8:53
                25.73.42.20.in-addr.arpa
                dns
                70 B
                156 B
                1
                1

                DNS Request

                25.73.42.20.in-addr.arpa

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q7686010.exe

                Filesize

                12KB

                MD5

                05d44dca7da313a6875ab2e2ce15cf4c

                SHA1

                fb62bcfc8209d7246dce532fd00d4ea2d56ecb71

                SHA256

                b894a0dc444adc2774ca868edb76d306b089eccd9dbea910c9a5f8bb7f4dc50c

                SHA512

                01075dd204512cb35dcd4cb0f77fe2962ee2e8709ff48cf36b3e681b96caafe1c4edcb0b4cab6be77754f791907dfd368570b425e89f740231578f19e2fc3fb7

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7196851.exe

                Filesize

                221KB

                MD5

                a179aaa8b2da45d6806e6a737696d101

                SHA1

                0d5e6174461ffb16368cd80216abca674d893660

                SHA256

                f13ad3f74496d3eb644233b1f70c1b9c10abdd4b777007daa0d391fbfdd44a73

                SHA512

                41b53c48d9f6ba2bb744e48654957b12c93493cb1f2bfc11bac85694eaac5642bb3480fbaea1d16d5a89b886289efcbfc527c762114a4d85f7cbbef7eac3d375

              • memory/2988-7-0x00000000001B0000-0x00000000001BA000-memory.dmp

                Filesize

                40KB

              • memory/2988-8-0x00007FFF84243000-0x00007FFF84245000-memory.dmp

                Filesize

                8KB
