Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 19:19

General

  • Target

    30deda44ad7603ee8332ec9d0d3b2ac00c128de86e5239a94e2bb6d712e0fea8.exe

  • Size

    879KB

  • MD5

    bb845a15dee0ce72c5ec078d787e575e

  • SHA1

    34dac2c18762806063ac9a6da35f8c01c3d2dbd2

  • SHA256

    30deda44ad7603ee8332ec9d0d3b2ac00c128de86e5239a94e2bb6d712e0fea8

  • SHA512

    1b5ea031e494e67d5dbb811c5c0eba5c2994088a7837058a3e3017adb72ffdb8b98d947900fd5abd3466e22304d08d7bb32d55e1c2284f35c188eedd0c4e2474

  • SSDEEP

    24576:RytpC1GzopxzgjCQIWyraHbJPKd6NIT3R5Pi+OJp:EtpC1GU2CQIhra1PKd6NIHXOJ

Malware Config

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30deda44ad7603ee8332ec9d0d3b2ac00c128de86e5239a94e2bb6d712e0fea8.exe
    "C:\Users\Admin\AppData\Local\Temp\30deda44ad7603ee8332ec9d0d3b2ac00c128de86e5239a94e2bb6d712e0fea8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xw8HQ2vM.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xw8HQ2vM.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lY9mL0gk.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lY9mL0gk.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3228
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1NO74PL7.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1NO74PL7.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4176
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            PID:1148
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 152
              5⤵
              • Program crash
              PID:2216
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rh336DU.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rh336DU.exe
            4⤵
            • Executes dropped EXE
            PID:4988
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4176 -ip 4176
    1⤵
    PID:4020

Network

      • US
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • US
        DNS
        149.220.183.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        149.220.183.52.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.dual-a-0034.a-msedge.net
        g-bing-com.dual-a-0034.a-msedge.net
        IN CNAME
        dual-a-0034.a-msedge.net
        dual-a-0034.a-msedge.net
        IN A
        204.79.197.237
        dual-a-0034.a-msedge.net
        IN A
        13.107.21.237
      • US
        GET
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=229F2252D47767812CAE36DAD55066ED; domain=.bing.com; expires=Tue, 17-Jun-2025 19:19:38 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: A0903841BA9946D0A06547999C426D0C Ref B: LON04EDGE0612 Ref C: 2024-05-23T19:19:38Z
        date: Thu, 23 May 2024 19:19:38 GMT
      • US
        GET
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=229F2252D47767812CAE36DAD55066ED; _EDGE_S=SID=2C8B0B373D3E61C911741FBF3C52602D
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=Gq--eSVWJlY7y4rC1JiqG5bGzZdFbwvYKb8WjV5b8oE; domain=.bing.com; expires=Tue, 17-Jun-2025 19:19:39 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: A0E9B44379FB4216B2C88A9F2015726C Ref B: LON04EDGE0612 Ref C: 2024-05-23T19:19:39Z
        date: Thu, 23 May 2024 19:19:39 GMT
      • US
        DNS
        23.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        23.159.190.20.in-addr.arpa
        IN PTR
        Response
      • NL
        GET
        https://www.bing.com/aes/c.gif?RG=f104fe95b8b6409b9e96596a797de630&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132257Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
        Remote address:
        23.62.61.89:443
        Request
        GET /aes/c.gif?RG=f104fe95b8b6409b9e96596a797de630&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132257Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644 HTTP/2.0
        host: www.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=229F2252D47767812CAE36DAD55066ED
        Response
        HTTP/2.0 200
        cache-control: private,no-store
        pragma: no-cache
        vary: Origin
        p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 39360D06D6E9418B8C39C6E6C83A6E08 Ref B: BRU30EDGE0519 Ref C: 2024-05-23T19:19:39Z
        content-length: 0
        date: Thu, 23 May 2024 19:19:39 GMT
        set-cookie: _EDGE_S=SID=2C8B0B373D3E61C911741FBF3C52602D; path=/; httponly; domain=bing.com
        set-cookie: MUIDB=229F2252D47767812CAE36DAD55066ED; path=/; httponly; expires=Tue, 17-Jun-2025 19:19:39 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.553d3e17.1716491979.fe8edd2
      • US
        DNS
        237.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        237.197.79.204.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        89.61.62.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        89.61.62.23.in-addr.arpa
        IN PTR
        Response
        89.61.62.23.in-addr.arpa
        IN PTR
        a23-62-61-89.deploy.static.akamaitechnologies.com
      • NL
        GET
        https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        Remote address:
        23.62.61.89:443
        Request
        GET /th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        cookie: MUID=229F2252D47767812CAE36DAD55066ED; _EDGE_S=SID=2C8B0B373D3E61C911741FBF3C52602D; MSPTC=Gq--eSVWJlY7y4rC1JiqG5bGzZdFbwvYKb8WjV5b8oE; MUIDB=229F2252D47767812CAE36DAD55066ED
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 999
        date: Thu, 23 May 2024 19:19:40 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.553d3e17.1716491980.fe8f22c
      • US
        DNS
        138.201.86.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        138.201.86.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        228.249.119.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        228.249.119.40.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        183.59.114.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        183.59.114.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        18.31.95.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.31.95.13.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        26.35.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        26.35.223.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        25.24.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        25.24.18.2.in-addr.arpa
        IN PTR
        Response
        25.24.18.2.in-addr.arpa
        IN PTR
        a2-18-24-25.deploy.static.akamaitechnologies.com
      • US
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
        Response
        tse1.mm.bing.net
        IN CNAME
        mm-mm.bing.net.trafficmanager.net
        mm-mm.bing.net.trafficmanager.net
        IN CNAME
        dual-a-0001.a-msedge.net
        dual-a-0001.a-msedge.net
        IN A
        204.79.197.200
        dual-a-0001.a-msedge.net
        IN A
        13.107.21.200
      • US
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 638730
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: E171997CB0424EAC8F8AC7F7801E9FBF Ref B: LON04EDGE0910 Ref C: 2024-05-23T19:21:19Z
        date: Thu, 23 May 2024 19:21:19 GMT
      • US
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 415458
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 7DD1A30321A248068877698B1C92ABB9 Ref B: LON04EDGE0910 Ref C: 2024-05-23T19:21:19Z
        date: Thu, 23 May 2024 19:21:19 GMT
      • US
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 555746
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 711BBB82A09C414B96BEE3550141AA15 Ref B: LON04EDGE0910 Ref C: 2024-05-23T19:21:19Z
        date: Thu, 23 May 2024 19:21:19 GMT
      • US
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 430689
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: B59DF77820914D4E9AEF8F48DD2E60C2 Ref B: LON04EDGE0910 Ref C: 2024-05-23T19:21:19Z
        date: Thu, 23 May 2024 19:21:19 GMT
      • 204.79.197.237:443
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
        tls, http2
        2.7kB
        9.0kB
        21
        17

        HTTP Request

        GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8NpgY0Pg35kO2LBAj-DiLPjVUCUyaPi8jKrz8aK8nG88T6A7Oz2mVQwWVMhvhSaQiYoDIKRaK8_yna0mXrQINmaxGpgpcC51Ur89hMO0rO3uFkuqhz-2ZP2Ao2qq9zhP34X8BDmVYBJnW33l9ntffEY3gxmCaw9RKwCCP9M3gHePWL5f9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D54c676587a4f1501ed321073d03a85b5&TIME=20240426T132257Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

        HTTP Response

        204
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 23.62.61.89:443
        https://www.bing.com/aes/c.gif?RG=f104fe95b8b6409b9e96596a797de630&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132257Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
        tls, http2
        1.4kB
        5.3kB
        16
        11

        HTTP Request

        GET https://www.bing.com/aes/c.gif?RG=f104fe95b8b6409b9e96596a797de630&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132257Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644

        HTTP Response

        200
      • 23.62.61.89:443
        https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        tls, http2
        1.6kB
        6.2kB
        17
        12

        HTTP Request

        GET https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

        HTTP Response

        200
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        160 B
        5
        4
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
        8.1kB
        16
        14
      • 204.79.197.200:443
        https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        tls, http2
        73.3kB
        2.1MB
        1537
        1534

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
        8.1kB
        16
        14
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
        8.1kB
        16
        14
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        160 B
        5
        4
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        260 B
        200 B
        5
        5
      • 77.91.124.55:19071
        2rh336DU.exe
        52 B
        40 B
        1
        1
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        149.220.183.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        149.220.183.52.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
        151 B
        1
        1

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.237
        13.107.21.237

      • 8.8.8.8:53
        23.159.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        23.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        237.197.79.204.in-addr.arpa
        dns
        73 B
        143 B
        1
        1

        DNS Request

        237.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        89.61.62.23.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        89.61.62.23.in-addr.arpa

      • 8.8.8.8:53
        138.201.86.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        138.201.86.20.in-addr.arpa

      • 8.8.8.8:53
        228.249.119.40.in-addr.arpa
        dns
        73 B
        159 B
        1
        1

        DNS Request

        228.249.119.40.in-addr.arpa

      • 8.8.8.8:53
        183.59.114.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        183.59.114.20.in-addr.arpa

      • 8.8.8.8:53
        18.31.95.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        18.31.95.13.in-addr.arpa

      • 8.8.8.8:53
        26.35.223.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        26.35.223.20.in-addr.arpa

      • 8.8.8.8:53
        25.24.18.2.in-addr.arpa
        dns
        69 B
        131 B
        1
        1

        DNS Request

        25.24.18.2.in-addr.arpa

      • 8.8.8.8:53
        tse1.mm.bing.net
        dns
        62 B
        173 B
        1
        1

        DNS Request

        tse1.mm.bing.net

        DNS Response

        204.79.197.200
        13.107.21.200

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xw8HQ2vM.exe

        Filesize

        585KB

        MD5

        2ee5e4a00806d834c5f66cc530079529

        SHA1

        ef959a2656737768e0344ea30d6b2f0b4e1492f8

        SHA256

        9c6c3019f56bbeb336c6582f9eb50a13119c66d78466f98e3613e1f2e7395b7d

        SHA512

        7c9f4d1669e1a7538d54fa6ca60d47581676777dc58a75dd77ca4509088cbd33d930a4913bf2b4e4055f861181ce4eb0ab231e3729b00774b80b9c750ab20899

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lY9mL0gk.exe

        Filesize

        413KB

        MD5

        6c4864b47b3d321384bee56a44edfd85

        SHA1

        eadc96a9982040175ae6eaa87efa2f35b7b15a34

        SHA256

        84f029ee6ccd55e1daa08d834e7e7cbc6862d6bac59906a60911cb3876efe42a

        SHA512

        1ef3ea4225b2e9f781d1ec2ce6e7914ba996b757f464c57b52928e0c521eb8ae9b8995e748ff2e1749ab92752d8a1c1d813a78f8bcd7a850fe0b100a3194a595

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1NO74PL7.exe

        Filesize

        378KB

        MD5

        42f66f3976aa5c14fe644bbdb3ebf7f4

        SHA1

        f6d3a99d45c13559f8d478234d3bfb14c2278ab1

        SHA256

        ff2561f6df847478ce0a417b13853418ac63456bc61a1e4399ab8074fdd2062b

        SHA512

        e6624701d6c93ca6c8554bf5e478d00162318415293c34bcaef0715e5c285c7235fb49c9c9f6732e1909f908a1a0a1ca2cb2950b1fdb2f26b9919884fb2eec90

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rh336DU.exe

        Filesize

        221KB

        MD5

        0288648a07286c7f015a4532f9399a48

        SHA1

        0088bd95d23807b6ebd5cee00cd303ea1ad06ad1

        SHA256

        68388a86d9ee9d7cb5f16c84f5c8910774f55ed93ae07e80e4fe1080e6ddaee6

        SHA512

        6c1254faad1ffaacc7020a28b4a863d9560432af18b7e63a2aad08204f1595ab518a2502b0499b23cfce4e98f56a47d910e89171deb498986392deec39dad2fb

      • memory/1148-21-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

      • memory/1148-22-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

      • memory/1148-24-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

      • memory/4988-29-0x0000000007930000-0x0000000007ED4000-memory.dmp

        Filesize

        5.6MB

      • memory/4988-28-0x0000000000470000-0x00000000004AE000-memory.dmp

        Filesize

        248KB

      • memory/4988-30-0x0000000007380000-0x0000000007412000-memory.dmp

        Filesize

        584KB

      • memory/4988-31-0x0000000002840000-0x000000000284A000-memory.dmp

        Filesize

        40KB

      • memory/4988-32-0x0000000008500000-0x0000000008B18000-memory.dmp

        Filesize

        6.1MB

      • memory/4988-33-0x00000000076F0000-0x00000000077FA000-memory.dmp

        Filesize

        1.0MB

      • memory/4988-34-0x0000000007470000-0x0000000007482000-memory.dmp

        Filesize

        72KB

      • memory/4988-35-0x00000000075E0000-0x000000000761C000-memory.dmp

        Filesize

        240KB

      • memory/4988-36-0x0000000007620000-0x000000000766C000-memory.dmp

        Filesize

        304KB
