Overview
overview
10Static
static
30848e1e7e1...63.exe
windows10-2004-x64
101106a57fdf...a5.exe
windows10-2004-x64
10185a521367...e2.exe
windows10-2004-x64
101a2ed241f7...81.exe
windows10-2004-x64
103933af1a19...66.exe
windows10-2004-x64
104046412564...e5.exe
windows10-2004-x64
1048b2c44ad3...cf.exe
windows10-2004-x64
106fdb50a007...59.exe
windows10-2004-x64
10708b7d578b...65.exe
windows10-2004-x64
1073dc042440...3f.exe
windows10-2004-x64
109a45e9c206...55.exe
windows10-2004-x64
109a8f8e9a46...09.exe
windows10-2004-x64
109ab135934b...fe.exe
windows10-2004-x64
10ab010a807d...38.exe
windows10-2004-x64
10b85fd724a0...c4.exe
windows10-2004-x64
10d940f9b9c6...49.exe
windows10-2004-x64
10dc87cba915...e1.exe
windows10-2004-x64
10e7bd826b7a...05.exe
windows10-2004-x64
10ffbf9f9530...19.exe
windows10-2004-x64
10Analysis
-
max time kernel
134s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 09:40
Static task
static1
Behavioral task
behavioral1
Sample
0848e1e7e128d7f1f97806b2608b355879b602ba08e121497f133be212790f63.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
185a521367840914ea4a144255106961422396c5ca90144e322e12b70a4598e2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
1a2ed241f75ba217ad63fa42ab55e56d8f009f93b151dd367b73459e26169081.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
3933af1a190b049a02aad532333dad6c4862e46b510cc0ec5184873641cc3166.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
48b2c44ad346117214bc572f969741dfa0acfcd1fc6e23b00cdeb324c9f00fcf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
ab010a807d239acb2941ec42032df7751afe90303b101088fee9d258794e4a38.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
b85fd724a0f0185fdd32093b1f07f4f209b862b9406e12882311cd820c17cac4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
dc87cba915fb6101c577a0531cedb5d304be24abd22d9faa34b7a606ccc5f8e1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e7bd826b7a1c65ad222cefa93d7967f2a11f90fd400aa046a5a96ec60cff1a05.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe
Resource
win10v2004-20240426-en
General
-
Target
9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe
-
Size
234KB
-
MD5
45e93a000b07f25fe943fdf1f7b65357
-
SHA1
87725546f53447d680f47e63a0cc581dcd4503fa
-
SHA256
9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755
-
SHA512
83cb89078894b96f0bf1f7a8ef6b2983d7e21f60bd575004772267424c4603b75e18f9f805535634a9678aa58494f25eb83fdfc36553f25b3c80bdd4691b2c6d
-
SSDEEP
6144:KBy+bnr+2p0yN90QEHBKyBErKK+iBI/cl:/Mryy90ZxBEz+iBIEl
Malware Config
Extracted
amadey
3.89
fb0fb8
http://77.91.68.52
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
-
url_paths
/mac/index.php
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral11/files/0x000900000002342d-5.dat healer behavioral11/memory/2988-7-0x00000000001B0000-0x00000000001BA000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" q7686010.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" q7686010.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" q7686010.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection q7686010.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" q7686010.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" q7686010.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation r7196851.exe Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation explonde.exe -
Executes dropped EXE 5 IoCs
pid Process 2988 q7686010.exe 1496 r7196851.exe 392 explonde.exe 1172 explonde.exe 1548 explonde.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q7686010.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 396 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2988 q7686010.exe 2988 q7686010.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2988 q7686010.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 4724 wrote to memory of 2988 4724 9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe 85 PID 4724 wrote to memory of 2988 4724 9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe 85 PID 4724 wrote to memory of 1496 4724 9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe 96 PID 4724 wrote to memory of 1496 4724 9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe 96 PID 4724 wrote to memory of 1496 4724 9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe 96 PID 1496 wrote to memory of 392 1496 r7196851.exe 97 PID 1496 wrote to memory of 392 1496 r7196851.exe 97 PID 1496 wrote to memory of 392 1496 r7196851.exe 97 PID 392 wrote to memory of 396 392 explonde.exe 98 PID 392 wrote to memory of 396 392 explonde.exe 98 PID 392 wrote to memory of 396 392 explonde.exe 98 PID 392 wrote to memory of 680 392 explonde.exe 100 PID 392 wrote to memory of 680 392 explonde.exe 100 PID 392 wrote to memory of 680 392 explonde.exe 100 PID 680 wrote to memory of 4028 680 cmd.exe 102 PID 680 wrote to memory of 4028 680 cmd.exe 102 PID 680 wrote to memory of 4028 680 cmd.exe 102 PID 680 wrote to memory of 3648 680 cmd.exe 103 PID 680 wrote to memory of 3648 680 cmd.exe 103 PID 680 wrote to memory of 3648 680 cmd.exe 103 PID 680 wrote to memory of 2900 680 cmd.exe 104 PID 680 wrote to memory of 2900 680 cmd.exe 104 PID 680 wrote to memory of 2900 680 cmd.exe 104 PID 680 wrote to memory of 4968 680 cmd.exe 105 PID 680 wrote to memory of 4968 680 cmd.exe 105 PID 680 wrote to memory of 4968 680 cmd.exe 105 PID 680 wrote to memory of 4572 680 cmd.exe 106 PID 680 wrote to memory of 4572 680 cmd.exe 106 PID 680 wrote to memory of 4572 680 cmd.exe 106 PID 680 wrote to memory of 2540 680 cmd.exe 107 PID 680 wrote to memory of 2540 680 cmd.exe 107 PID 680 wrote to memory of 2540 680 cmd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe"C:\Users\Admin\AppData\Local\Temp\9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q7686010.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q7686010.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7196851.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7196851.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F4⤵
- Creates scheduled task(s)
PID:396
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4028
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:N"5⤵PID:3648
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:R" /E5⤵PID:2900
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4968
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"5⤵PID:4572
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E5⤵PID:2540
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:1172
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:1548
Network
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request203.107.17.2.in-addr.arpaIN PTRResponse203.107.17.2.in-addr.arpaIN PTRa2-17-107-203deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.dc-msedge.netdual-a-0034.dc-msedge.netIN A131.253.33.237dual-a-0034.dc-msedge.netIN A13.107.22.237
-
GEThttps://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949Remote address:131.253.33.237:443RequestGET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0F478DA7DA8867951A70992FDB8E664D; domain=.bing.com; expires=Tue, 17-Jun-2025 09:42:13 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3485AD07EE0246EA8977D59DFC215996 Ref B: LON212050703033 Ref C: 2024-05-23T09:42:13Z
date: Thu, 23 May 2024 09:42:12 GMT
-
GEThttps://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949Remote address:131.253.33.237:443RequestGET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0F478DA7DA8867951A70992FDB8E664D; _EDGE_S=SID=12F7E2377074662C1C00F6BF7118678B
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=TEi-2eTW4dyiUBDsfA6r6sL3b7RT2VzrfwCS6jhrGxg; domain=.bing.com; expires=Tue, 17-Jun-2025 09:42:13 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F307C8667A67484C9DE7B97CAB8896C6 Ref B: LON212050703033 Ref C: 2024-05-23T09:42:13Z
date: Thu, 23 May 2024 09:42:13 GMT
-
GEThttps://www.bing.com/aes/c.gif?RG=0db1dd24404b44958046b95868bb291e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131134Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038Remote address:23.62.61.155:443RequestGET /aes/c.gif?RG=0db1dd24404b44958046b95868bb291e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131134Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0F478DA7DA8867951A70992FDB8E664D
ResponseHTTP/2.0 200
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A8450BFC701E4809A4D9042F7412B295 Ref B: BRU30EDGE0610 Ref C: 2024-05-23T09:42:13Z
content-length: 0
date: Thu, 23 May 2024 09:42:13 GMT
set-cookie: _EDGE_S=SID=12F7E2377074662C1C00F6BF7118678B; path=/; httponly; domain=bing.com
set-cookie: MUIDB=0F478DA7DA8867951A70992FDB8E664D; path=/; httponly; expires=Tue, 17-Jun-2025 09:42:13 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.973d3e17.1716457333.1f1946cd
-
Remote address:8.8.8.8:53Request237.33.253.131.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request155.61.62.23.in-addr.arpaIN PTRResponse155.61.62.23.in-addr.arpaIN PTRa23-62-61-155deploystaticakamaitechnologiescom
-
GEThttps://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90Remote address:23.62.61.155:443RequestGET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=0F478DA7DA8867951A70992FDB8E664D; _EDGE_S=SID=12F7E2377074662C1C00F6BF7118678B; MSPTC=TEi-2eTW4dyiUBDsfA6r6sL3b7RT2VzrfwCS6jhrGxg; MUIDB=0F478DA7DA8867951A70992FDB8E664D
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 23 May 2024 09:42:14 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.973d3e17.1716457334.1f19523e
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request48.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 36E7AF5DFEBF4167AE57CD912F2EC180 Ref B: LON04EDGE1221 Ref C: 2024-05-23T09:43:47Z
date: Thu, 23 May 2024 09:43:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 21855B6A5C0D4C1E806220EB9B24F799 Ref B: LON04EDGE1221 Ref C: 2024-05-23T09:43:47Z
date: Thu, 23 May 2024 09:43:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 45A76309426B4D33939C5D963523C651 Ref B: LON04EDGE1221 Ref C: 2024-05-23T09:43:47Z
date: Thu, 23 May 2024 09:43:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 685830E06FE8447A8B2850E9A90B1FAD Ref B: LON04EDGE1221 Ref C: 2024-05-23T09:43:47Z
date: Thu, 23 May 2024 09:43:47 GMT
-
Remote address:8.8.8.8:53Request25.73.42.20.in-addr.arpaIN PTRResponse
-
131.253.33.237:443https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949tls, http22.5kB 9.0kB 19 17
HTTP Request
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De87j98TsfPMKdI27PQaOze-zVUCUzIxxbnTLuGtEugo6ma8cMTZIlqxK5btKd3mWqk9LEXH-T7TX3f05mvEbxYyW8SjrIHw481PPXv0npBt3aX37dTmUCqsiko5o3pcYxELuhCCicuGQNuGwcoNxWWlRmNViIwY7OONtstDjlQNpJYqXm1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D3c7ed4b81d4b10738576b293baa380d1&TIME=20240426T131134Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949HTTP Response
204 -
23.62.61.155:443https://www.bing.com/aes/c.gif?RG=0db1dd24404b44958046b95868bb291e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131134Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038tls, http21.5kB 5.3kB 17 11
HTTP Request
GET https://www.bing.com/aes/c.gif?RG=0db1dd24404b44958046b95868bb291e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131134Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038HTTP Response
200 -
23.62.61.155:443https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90tls, http21.7kB 6.4kB 18 13
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90HTTP Response
200 -
260 B 5
-
260 B 5
-
322 B 7
-
260 B 5
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2102.4kB 2.8MB 2025 2021
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200 -
1.2kB 8.1kB 16 14
-
1.2kB 8.1kB 16 14
-
1.2kB 8.1kB 16 14
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
203.107.17.2.in-addr.arpa
-
56 B 173 B 1 1
DNS Request
g.bing.com
DNS Response
131.253.33.23713.107.22.237
-
73 B 143 B 1 1
DNS Request
237.33.253.131.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
155.61.62.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
48.229.111.52.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
70 B 156 B 1 1
DNS Request
25.73.42.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD505d44dca7da313a6875ab2e2ce15cf4c
SHA1fb62bcfc8209d7246dce532fd00d4ea2d56ecb71
SHA256b894a0dc444adc2774ca868edb76d306b089eccd9dbea910c9a5f8bb7f4dc50c
SHA51201075dd204512cb35dcd4cb0f77fe2962ee2e8709ff48cf36b3e681b96caafe1c4edcb0b4cab6be77754f791907dfd368570b425e89f740231578f19e2fc3fb7
-
Filesize
221KB
MD5a179aaa8b2da45d6806e6a737696d101
SHA10d5e6174461ffb16368cd80216abca674d893660
SHA256f13ad3f74496d3eb644233b1f70c1b9c10abdd4b777007daa0d391fbfdd44a73
SHA51241b53c48d9f6ba2bb744e48654957b12c93493cb1f2bfc11bac85694eaac5642bb3480fbaea1d16d5a89b886289efcbfc527c762114a4d85f7cbbef7eac3d375