Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 19:03
Tasks

Static task: static1

Behavioral task   Sample                                                                   Resource
behavioral1       0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b.exe    win10v2004-20240508-en
behavioral2       0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31.exe    win10v2004-20240426-en
behavioral3       1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda.exe    win10v2004-20240508-en
behavioral4       2f0934382aee1d9b657ffa98a2699fe864ed0a5bf8e1fc03bdcd479244e27b84.exe    win7-20240221-en
behavioral5       2f0934382aee1d9b657ffa98a2699fe864ed0a5bf8e1fc03bdcd479244e27b84.exe    win10v2004-20240426-en
behavioral6       421c712a06e641733de7dc086abdc66469eef71d8cf926aa756f0f6910cd6a0d.exe    win10v2004-20240426-en
behavioral7       4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0.exe    win10v2004-20240508-en
behavioral8       4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe    win10v2004-20240426-en
behavioral9       54ae781e479d4e60bdd8734270b33ab0db93c1543e6f477a3dcc2c93b42f7e0d.exe    win10v2004-20240508-en
behavioral10      597fd86cf22402c976ac13f554867cf010ab3d5c9bdcf8d817c66e620dce4751.exe    win10v2004-20240426-en
behavioral11      5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7.exe    win10v2004-20240426-en
behavioral12      5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe    win10v2004-20240508-en
behavioral13      5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe    win10v2004-20240508-en
behavioral14      65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025.exe    win10v2004-20240426-en
behavioral15      6d2e6d5049e4da686813824edc4aa0a843fff13079a0a9399739fe64efcfd021.exe    win10v2004-20240508-en
behavioral16      77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4.exe    win10v2004-20240508-en
behavioral17      8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212.exe    win10v2004-20240226-en
behavioral18      8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe    win10v2004-20240426-en
behavioral19      8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe    win10v2004-20240426-en
behavioral20      a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0.exe    win10v2004-20240426-en
behavioral21      cecc5213e25a8a2dfe40b0f517d513ce319f2cdf28bcc26df3130a53a46d79a1.exe    win10v2004-20240508-en
General

Target: 8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe
Size: 628KB
MD5: 128b755cd25a91c7322dd65c70ff4f7a
SHA1: c61f3449981c9389672005c0976b26a2f5288950
SHA256: 8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5
SHA512: 06573cef4530821eb96c797802a3920c98781aeb7b75fc3812c9b4b11cf49e04706580be12a1a6f7b856725e1371c5d178699cc25e22cd4105cd8ef7a4eef441
SSDEEP: 12288:xMr+y90wTyutwnA6Swsg7w2OwEpzU+5kbesfe6g4mEk0A80:zyRP/HgB0pzU+eyLx4Zk070
Malware Config

Extracted: redline
buben
77.91.124.82:19071
auth_value: c62fa04aa45f5b78f62d2c21fcbefdec
Signatures

Detects Healer an antivirus disabler dropper 1 IoCs
  resource: behavioral18/memory/3424-14-0x0000000000400000-0x000000000040A000-memory.dmp  yara_rule: healer

Modifies Windows Defender Real-time Protection settings 6 IoCs
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  Process: AppLaunch.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  Process: AppLaunch.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  Process: AppLaunch.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  Process: AppLaunch.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  Process: AppLaunch.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  Process: AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
  resource: behavioral18/files/0x0007000000023430-17.dat  yara_rule: family_redline
  resource: behavioral18/memory/3892-19-0x0000000000860000-0x0000000000890000-memory.dmp  yara_rule: family_redline

Executes dropped EXE 3 IoCs
  PID 1560  x6712598.exe
  PID 2636  g5675384.exe
  PID 3892  h1166075.exe

Adds Run key to start application 2 TTPs 2 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  Process: 8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  Process: x6712598.exe

Suspicious use of SetThreadContext 1 IoCs
  PID 2636 set thread context of 3424  Process: g5675384.exe  procid_target: 88

Program crash 1 IoCs
  pid 3320  pid_target 2636  Process: WerFault.exe  procid_target: 85

Suspicious behavior: EnumeratesProcesses 2 IoCs
  PID 3424  AppLaunch.exe
  PID 3424  AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeDebugPrivilege  PID 3424  AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs
  PID 3964 wrote to memory of 1560  Process: 8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe  procid_target: 84
  PID 3964 wrote to memory of 1560  Process: 8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe  procid_target: 84
  PID 3964 wrote to memory of 1560  Process: 8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe  procid_target: 84
  PID 1560 wrote to memory of 2636  Process: x6712598.exe  procid_target: 85
  PID 1560 wrote to memory of 2636  Process: x6712598.exe  procid_target: 85
  PID 1560 wrote to memory of 2636  Process: x6712598.exe  procid_target: 85
  PID 2636 wrote to memory of 3424  Process: g5675384.exe  procid_target: 88
  PID 2636 wrote to memory of 3424  Process: g5675384.exe  procid_target: 88
  PID 2636 wrote to memory of 3424  Process: g5675384.exe  procid_target: 88
  PID 2636 wrote to memory of 3424  Process: g5675384.exe  procid_target: 88
  PID 2636 wrote to memory of 3424  Process: g5675384.exe  procid_target: 88
  PID 2636 wrote to memory of 3424  Process: g5675384.exe  procid_target: 88
  PID 2636 wrote to memory of 3424  Process: g5675384.exe  procid_target: 88
  PID 2636 wrote to memory of 3424  Process: g5675384.exe  procid_target: 88
  PID 1560 wrote to memory of 3892  Process: x6712598.exe  procid_target: 93
  PID 1560 wrote to memory of 3892  Process: x6712598.exe  procid_target: 93
  PID 1560 wrote to memory of 3892  Process: x6712598.exe  procid_target: 93
Processes

C:\Users\Admin\AppData\Local\Temp\8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe
  command: "C:\Users\Admin\AppData\Local\Temp\8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe"
  PID: 3964
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6712598.exe
      command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6712598.exe
      PID: 1560
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5675384.exe
          command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5675384.exe
          PID: 2636
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 3424
              - Modifies Windows Defender Real-time Protection settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              command: C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 584
              PID: 3320
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1166075.exe
          command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1166075.exe
          PID: 3892
          - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2636 -ip 2636
  PID: 1136
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution  1
    Registry Run Keys / Startup Folder  1
  Create or Modify System Process  1
    Windows Service  1