Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:03

General

  • Target

    8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe

  • Size

    628KB

  • MD5

    128b755cd25a91c7322dd65c70ff4f7a

  • SHA1

    c61f3449981c9389672005c0976b26a2f5288950

  • SHA256

    8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5

  • SHA512

    06573cef4530821eb96c797802a3920c98781aeb7b75fc3812c9b4b11cf49e04706580be12a1a6f7b856725e1371c5d178699cc25e22cd4105cd8ef7a4eef441

  • SSDEEP

    12288:xMr+y90wTyutwnA6Swsg7w2OwEpzU+5kbesfe6g4mEk0A80:zyRP/HgB0pzU+eyLx4Zk070

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes
  • auth_value

    c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe
    "C:\Users\Admin\AppData\Local\Temp\8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6712598.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6712598.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5675384.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5675384.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3424
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 584
          4⤵
          • Program crash
          PID:3320
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1166075.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1166075.exe
        3⤵
        • Executes dropped EXE
        PID:3892
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2636 -ip 2636
    1⤵
      PID:1136

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      183.142.211.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.142.211.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132015Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132015Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=2AC1EFFB446E626537FEFB734549630A; domain=.bing.com; expires=Tue, 17-Jun-2025 19:04:36 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 60C4F655FE6A4B96A73E89F24FFAAAB0 Ref B: LON04EDGE0720 Ref C: 2024-05-23T19:04:36Z
      date: Thu, 23 May 2024 19:04:35 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132016Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132016Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2AC1EFFB446E626537FEFB734549630A; _EDGE_S=SID=3A08A52D9B6E629A2C57B1A59A026302
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=UONgWZJnl7hmsdcCdb4w18r_1gkhIpYEoZgPS28VuGU; domain=.bing.com; expires=Tue, 17-Jun-2025 19:04:36 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0E78EB52E5C94F7AB07A4D3B082CD7ED Ref B: LON04EDGE0720 Ref C: 2024-05-23T19:04:36Z
      date: Thu, 23 May 2024 19:04:36 GMT
    • flag-us
      DNS
      203.107.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      203.107.17.2.in-addr.arpa
      IN PTR
      Response
      203.107.17.2.in-addr.arpa
      IN PTR
      a2-17-107-203deploystaticakamaitechnologiescom
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
    • flag-be
      GET
      https://www.bing.com/aes/c.gif?RG=4c4dd51a913845ecb3168949d2670440&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132015Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189
      Remote address:
      2.17.107.106:443
      Request
      GET /aes/c.gif?RG=4c4dd51a913845ecb3168949d2670440&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132015Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189 HTTP/2.0
      host: www.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2AC1EFFB446E626537FEFB734549630A
      Response
      HTTP/2.0 200
      cache-control: private,no-store
      pragma: no-cache
      vary: Origin
      p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 61C54F47818D41A1ADA526C69A34F111 Ref B: BRU30EDGE0514 Ref C: 2024-05-23T19:04:36Z
      content-length: 0
      date: Thu, 23 May 2024 19:04:36 GMT
      set-cookie: _EDGE_S=SID=3A08A52D9B6E629A2C57B1A59A026302; path=/; httponly; domain=bing.com
      set-cookie: MUIDB=2AC1EFFB446E626537FEFB734549630A; path=/; httponly; expires=Tue, 17-Jun-2025 19:04:36 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.666b1102.1716491076.271421e
    • flag-us
      DNS
      106.107.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      106.107.17.2.in-addr.arpa
      IN PTR
      Response
      106.107.17.2.in-addr.arpa
      IN PTR
      a2-17-107-106deploystaticakamaitechnologiescom
    • flag-be
      GET
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      Remote address:
      2.17.107.106:443
      Request
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      cookie: MUID=2AC1EFFB446E626537FEFB734549630A; _EDGE_S=SID=3A08A52D9B6E629A2C57B1A59A026302; MSPTC=UONgWZJnl7hmsdcCdb4w18r_1gkhIpYEoZgPS28VuGU; MUIDB=2AC1EFFB446E626537FEFB734549630A
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Thu, 23 May 2024 19:04:38 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.666b1102.1716491078.2714766
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.156.103.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.156.103.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 430689
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: C9C92CFF62BD48FD8A60FA8D6B1AA1B7 Ref B: LON04EDGE1111 Ref C: 2024-05-23T19:06:09Z
      date: Thu, 23 May 2024 19:06:08 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 415458
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0A3BBCC909E646A5B839F80CF924944D Ref B: LON04EDGE1111 Ref C: 2024-05-23T19:06:09Z
      date: Thu, 23 May 2024 19:06:08 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 627437
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1FA8571EE29D40D4A0FC3D01208CBF19 Ref B: LON04EDGE1111 Ref C: 2024-05-23T19:06:09Z
      date: Thu, 23 May 2024 19:06:08 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 792794
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 58BEF610854E4CE8B80780A8E0076EB4 Ref B: LON04EDGE1111 Ref C: 2024-05-23T19:06:09Z
      date: Thu, 23 May 2024 19:06:08 GMT
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001a-msedgenet
    • flag-us
      DNS
      31.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      92.16.208.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      92.16.208.104.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132016Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55
      tls, http2
      2.5kB
      9.0kB
      20
      17

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132015Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Ty8Ttyl5LFkgMPMfpS_W_TVUCUzHC5rLnv53V1VDQ40vIblUduVRliMfrPoCVPdtzmTaN5Wbq6Q8mGo7jk9Z-BHKOF7PK83H3zL-SLaVlOYR_bIGYUUdVvcNE70K_5wHXsc63665q5gHzCfg0v74Q0TDcEjhhJClQ4Upb4FY_QARbme_%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D779d411f86f41742c93d27342f1b6c0b&TIME=20240426T132016Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

      HTTP Response

      204
    • 77.91.124.82:19071
      h1166075.exe
      260 B
      5
    • 2.17.107.106:443
      https://www.bing.com/aes/c.gif?RG=4c4dd51a913845ecb3168949d2670440&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132015Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189
      tls, http2
      1.4kB
      5.3kB
      16
      10

      HTTP Request

      GET https://www.bing.com/aes/c.gif?RG=4c4dd51a913845ecb3168949d2670440&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132015Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

      HTTP Response

      200
    • 2.17.107.106:443
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      tls, http2
      2.3kB
      6.3kB
      18
      11

      HTTP Request

      GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

      HTTP Response

      200
    • 77.91.124.82:19071
      h1166075.exe
      260 B
      5
    • 77.91.124.82:19071
      h1166075.exe
      260 B
      5
    • 77.91.124.82:19071
      h1166075.exe
      260 B
      5
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      14
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      tls, http2
      84.7kB
      2.4MB
      1701
      1696

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      14
    • 77.91.124.82:19071
      h1166075.exe
      260 B
      5
    • 77.91.124.82:19071
      h1166075.exe
      260 B
      5
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      183.142.211.20.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      183.142.211.20.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      203.107.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      203.107.17.2.in-addr.arpa

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      146 B
      143 B
      2
      1

      DNS Request

      237.197.79.204.in-addr.arpa

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      106.107.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      106.107.17.2.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      157.123.68.40.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      157.123.68.40.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      88.156.103.20.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      31.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      31.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      92.16.208.104.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      92.16.208.104.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6712598.exe

      Filesize

      443KB

      MD5

      14af3187195ca11ff6f1455ed1a03b96

      SHA1

      76e62d3dbd6f2daaa690602d5ab0cc5d0b60c8fc

      SHA256

      796ad9df894fba0df29f9dc90f4d1741dc436eba68503d9cd8dcff5ebac65026

      SHA512

      fa63a527359daf4dde455aba264fe6059b7ea96e5735e923f43e1822eacf13e6d1cd669261fe5cf9e750bcd2c8b9b33205cf5f049d59342df10dbfb4577cd70a

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5675384.exe

      Filesize

      861KB

      MD5

      624be5e5545abc5ebee0d55b266b9310

      SHA1

      1a2924902fc7d05a3e343ab6b3abfb07fcd54266

      SHA256

      1552ecbd24ac9ee229416c679673cae800c48490e241721f91b538355702d3e7

      SHA512

      f78db8733e1c5ed94dd384d091244bf781e8e1c1c27182705d0537fc2049b13e643b5a5de13ef207430c5cc74c8350447b040ccfda25e14c789e4c58366bf589

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1166075.exe

      Filesize

      174KB

      MD5

      c6e8730d9d8f1a8e339ac201594a15f3

      SHA1

      f27ff1a5a9a7cb1e1374f21b0297054df9c17e36

      SHA256

      0dc67f2e648d4d96be4dccd6b9d8b0dda074c8b04f6d95c9a2827a157d0b6519

      SHA512

      a9a69e1b1162ae7ac25e62bb45c856eeae7b8532307903669d8a428abd5c548ffba921a4a3c5e24092f236340edd0385a846380f188cc5d38d08aa9baebe433d

    • memory/3424-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/3424-15-0x00000000740AE000-0x00000000740AF000-memory.dmp

      Filesize

      4KB

    • memory/3892-19-0x0000000000860000-0x0000000000890000-memory.dmp

      Filesize

      192KB

    • memory/3892-20-0x00000000011D0000-0x00000000011D6000-memory.dmp

      Filesize

      24KB

    • memory/3892-21-0x00000000057D0000-0x0000000005DE8000-memory.dmp

      Filesize

      6.1MB

    • memory/3892-22-0x00000000052C0000-0x00000000053CA000-memory.dmp

      Filesize

      1.0MB

    • memory/3892-23-0x00000000051F0000-0x0000000005202000-memory.dmp

      Filesize

      72KB

    • memory/3892-24-0x0000000005250000-0x000000000528C000-memory.dmp

      Filesize

      240KB

    • memory/3892-25-0x00000000053D0000-0x000000000541C000-memory.dmp

      Filesize

      304KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.