trickbot | d0b9cef00b943a7861cf5bceaadff3ddadb7247e540361543b0279fe3c716e86

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 19:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe
Size

504KB
MD5

6c0a8a2b30b2e35564f83da09a143cf2
SHA1

4ce0c5b010bd56c5dcd2bfc76f98ab64bfb70e54
SHA256

d0b9cef00b943a7861cf5bceaadff3ddadb7247e540361543b0279fe3c716e86
SHA512

535f6a39275e5114a2c2b9c97e9614da5a8876f605b461fd5ea7454497bb12b9492f8137dbda431202094d0a3fe56330bf407edfc284cba14d2a16dd2f3e4e78
SSDEEP

6144:lif3ei2lpZqRzZclaOyugXi2w5O2dw0ddLWCYPvw5izPUaBHjw8QUllWy6berHDT:M/L3rcqEBRaCY3iQPUaNU8DnX6a

Score

10^/10

trickbot mor126 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000010

Botnet

mor126

195.123.239.59:443

85.143.219.36:443

94.250.254.84:443

94.250.255.217:443

212.80.219.98:443

91.210.171.82:443

45.8.230.108:443

194.156.98.172:443

195.2.93.227:443

62.108.35.179:443

91.200.101.192:443

194.5.249.31:443

195.123.241.157:443

104.161.32.10:443

88.150.197.186:443

62.108.35.204:443

45.155.173.196:443

51.89.177.18:443

194.5.249.107:443

195.123.241.182:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

1
RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc=

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	2244	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe
2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 748	2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe	97
PID 2244 wrote to memory of 748	2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe	97
PID 2244 wrote to memory of 748	2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe	97
PID 2244 wrote to memory of 748	2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 632
  2⤵
  - Program crash
  PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2244 -ip 2244
1⤵
PID:3832

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8xSQ5U_QpfwOu8qexS2l5JDVUCUzxYhLm6JhgPp5iyHaP73eJvVgsOiF9nTuS1ZYdrLNfT2uJna8aST8ATpJvesBNcUyYDBj4UzMCBeqkuRizlHMQifmcms78nJw8hyfxTfeh1cu_ZC_o4sGA9SZ1OFP0tITknejcqoe0vDdTt8Z28hZL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da97f5b28ae711a2f3bd93d03079966c6&TIME=20240426T132008Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8xSQ5U_QpfwOu8qexS2l5JDVUCUzxYhLm6JhgPp5iyHaP73eJvVgsOiF9nTuS1ZYdrLNfT2uJna8aST8ATpJvesBNcUyYDBj4UzMCBeqkuRizlHMQifmcms78nJw8hyfxTfeh1cu_ZC_o4sGA9SZ1OFP0tITknejcqoe0vDdTt8Z28hZL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da97f5b28ae711a2f3bd93d03079966c6&TIME=20240426T132008Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1141689D5963684C38927C15584469C4; domain=.bing.com; expires=Tue, 17-Jun-2025 19:37:12 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6C3B9D43FDD8408CB72F7EA3FD68964E Ref B: LON04EDGE0606 Ref C: 2024-05-23T19:37:12Z
date: Thu, 23 May 2024 19:37:12 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8xSQ5U_QpfwOu8qexS2l5JDVUCUzxYhLm6JhgPp5iyHaP73eJvVgsOiF9nTuS1ZYdrLNfT2uJna8aST8ATpJvesBNcUyYDBj4UzMCBeqkuRizlHMQifmcms78nJw8hyfxTfeh1cu_ZC_o4sGA9SZ1OFP0tITknejcqoe0vDdTt8Z28hZL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da97f5b28ae711a2f3bd93d03079966c6&TIME=20240426T132008Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8xSQ5U_QpfwOu8qexS2l5JDVUCUzxYhLm6JhgPp5iyHaP73eJvVgsOiF9nTuS1ZYdrLNfT2uJna8aST8ATpJvesBNcUyYDBj4UzMCBeqkuRizlHMQifmcms78nJw8hyfxTfeh1cu_ZC_o4sGA9SZ1OFP0tITknejcqoe0vDdTt8Z28hZL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da97f5b28ae711a2f3bd93d03079966c6&TIME=20240426T132008Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1141689D5963684C38927C15584469C4; _EDGE_S=SID=12A76D9031166EC61985791830D66F7A

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=1cAnnAWhPHolDv1ByWVkTQcPSx9aRZDPmzgVZTE0n4A; domain=.bing.com; expires=Tue, 17-Jun-2025 19:37:12 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8E9E592B768A4E998F84086739C868C7 Ref B: LON04EDGE0606 Ref C: 2024-05-23T19:37:12Z
date: Thu, 23 May 2024 19:37:12 GMT
GET

https://www.bing.com/aes/c.gif?RG=af0fc95c77724f978010a3ebb5c01028&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132008Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

Remote address:

23.62.61.146:443

Request

GET /aes/c.gif?RG=af0fc95c77724f978010a3ebb5c01028&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132008Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1141689D5963684C38927C15584469C4

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 78953E597A9C4BDEA7CA6B1D0A8A498E Ref B: DUS30EDGE0317 Ref C: 2024-05-23T19:37:12Z
content-length: 0
date: Thu, 23 May 2024 19:37:12 GMT
set-cookie: _EDGE_S=SID=12A76D9031166EC61985791830D66F7A; path=/; httponly; domain=bing.com
set-cookie: MUIDB=1141689D5963684C38927C15584469C4; path=/; httponly; expires=Tue, 17-Jun-2025 19:37:12 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.8e3d3e17.1716493032.2569e8a
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR

Response
DNS

146.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.61.62.23.in-addr.arpa

IN PTR

Response

146.61.62.23.in-addr.arpa

IN PTR

a23-62-61-146deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.146:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=1141689D5963684C38927C15584469C4; _EDGE_S=SID=12A76D9031166EC61985791830D66F7A; MSPTC=1cAnnAWhPHolDv1ByWVkTQcPSx9aRZDPmzgVZTE0n4A; MUIDB=1141689D5963684C38927C15584469C4
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 23 May 2024 19:37:14 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.8e3d3e17.1716493034.256a5eb
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
GET

https://94.250.254.84/mor126/FZBXDXUA_W10019041.38095D20E7768E1D924BB48895CACFF7/5/kps/

wermgr.exe

Remote address:

94.250.254.84:443

Request

GET /mor126/FZBXDXUA_W10019041.38095D20E7768E1D924BB48895CACFF7/5/kps/ HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.71.1
Host: 94.250.254.84

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 23 May 2024 19:38:12 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
DNS

84.254.250.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

84.254.250.94.in-addr.arpa

IN PTR

Response

84.254.250.94.in-addr.arpa

IN PTR

a96902210542fvdsru
DNS

242.137.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

242.137.73.23.in-addr.arpa

IN PTR

Response

242.137.73.23.in-addr.arpa

IN PTR

a23-73-137-242deploystaticakamaitechnologiescom
GET

https://91.210.171.82/mor126/FZBXDXUA_W10019041.38095D20E7768E1D924BB48895CACFF7/5/kps/

wermgr.exe

Remote address:

91.210.171.82:443

Request

GET /mor126/FZBXDXUA_W10019041.38095D20E7768E1D924BB48895CACFF7/5/kps/ HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.71.1
Host: 91.210.171.82

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 23 May 2024 19:38:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

82.171.210.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.171.210.91.in-addr.arpa

IN PTR

Response

82.171.210.91.in-addr.arpa

IN PTR

1316098-ca48796tw1ru
DNS

249.138.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

249.138.73.23.in-addr.arpa

IN PTR

Response

249.138.73.23.in-addr.arpa

IN PTR

a23-73-138-249deploystaticakamaitechnologiescom
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F1B22AE8612B41B0B3C3ABEEB657F6EF Ref B: LON04EDGE1211 Ref C: 2024-05-23T19:38:53Z
date: Thu, 23 May 2024 19:38:53 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C2509DECF58B409AB929F1927FA6A3F7 Ref B: LON04EDGE1211 Ref C: 2024-05-23T19:38:53Z
date: Thu, 23 May 2024 19:38:53 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5EACFC4AD79D456D9045FF36D51A3623 Ref B: LON04EDGE1211 Ref C: 2024-05-23T19:38:53Z
date: Thu, 23 May 2024 19:38:53 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B91C7EBF287D4719A73FDA4355E97F90 Ref B: LON04EDGE1211 Ref C: 2024-05-23T19:38:53Z
date: Thu, 23 May 2024 19:38:53 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

227.93.2.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.93.2.195.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8xSQ5U_QpfwOu8qexS2l5JDVUCUzxYhLm6JhgPp5iyHaP73eJvVgsOiF9nTuS1ZYdrLNfT2uJna8aST8ATpJvesBNcUyYDBj4UzMCBeqkuRizlHMQifmcms78nJw8hyfxTfeh1cu_ZC_o4sGA9SZ1OFP0tITknejcqoe0vDdTt8Z28hZL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da97f5b28ae711a2f3bd93d03079966c6&TIME=20240426T132008Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8xSQ5U_QpfwOu8qexS2l5JDVUCUzxYhLm6JhgPp5iyHaP73eJvVgsOiF9nTuS1ZYdrLNfT2uJna8aST8ATpJvesBNcUyYDBj4UzMCBeqkuRizlHMQifmcms78nJw8hyfxTfeh1cu_ZC_o4sGA9SZ1OFP0tITknejcqoe0vDdTt8Z28hZL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da97f5b28ae711a2f3bd93d03079966c6&TIME=20240426T132008Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8xSQ5U_QpfwOu8qexS2l5JDVUCUzxYhLm6JhgPp5iyHaP73eJvVgsOiF9nTuS1ZYdrLNfT2uJna8aST8ATpJvesBNcUyYDBj4UzMCBeqkuRizlHMQifmcms78nJw8hyfxTfeh1cu_ZC_o4sGA9SZ1OFP0tITknejcqoe0vDdTt8Z28hZL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da97f5b28ae711a2f3bd93d03079966c6&TIME=20240426T132008Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

HTTP Response

204
23.62.61.146:443

https://www.bing.com/aes/c.gif?RG=af0fc95c77724f978010a3ebb5c01028&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132008Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=af0fc95c77724f978010a3ebb5c01028&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T132008Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

HTTP Response

200
23.62.61.146:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.7kB
6.4kB
18
13

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
85.143.219.36:443

wermgr.exe

260 B
200 B
5
5
94.250.254.84:443

https://94.250.254.84/mor126/FZBXDXUA_W10019041.38095D20E7768E1D924BB48895CACFF7/5/kps/

tls, http

wermgr.exe

789 B
4.1kB
8
7

HTTP Request

GET https://94.250.254.84/mor126/FZBXDXUA_W10019041.38095D20E7768E1D924BB48895CACFF7/5/kps/

HTTP Response

404
45.8.230.108:443

wermgr.exe

260 B
200 B
5
5
91.210.171.82:443

https://91.210.171.82/mor126/FZBXDXUA_W10019041.38095D20E7768E1D924BB48895CACFF7/5/kps/

tls, http

wermgr.exe

789 B
5.8kB
8
10

HTTP Request

GET https://91.210.171.82/mor126/FZBXDXUA_W10019041.38095D20E7768E1D924BB48895CACFF7/5/kps/

HTTP Response

404
194.5.249.107:443

wermgr.exe

260 B
5
51.89.177.18:443

wermgr.exe

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

97.7kB
2.8MB
2034
2029

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
62.108.35.179:443

wermgr.exe

260 B
5
195.2.93.227:443

tls

wermgr.exe

388 B
219 B
5
5
195.2.93.227:443

tls

wermgr.exe

334 B
219 B
5
5
195.2.93.227:443

wermgr.exe

190 B
92 B
4
2

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

146.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

146.61.62.23.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

84.254.250.94.in-addr.arpa

dns

72 B
106 B
1
1

DNS Request

84.254.250.94.in-addr.arpa
8.8.8.8:53

242.137.73.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

242.137.73.23.in-addr.arpa
8.8.8.8:53

82.171.210.91.in-addr.arpa

dns

72 B
108 B
1
1

DNS Request

82.171.210.91.in-addr.arpa
8.8.8.8:53

249.138.73.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

249.138.73.23.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

227.93.2.195.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

227.93.2.195.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-66-0x000001A0BCC50000-0x000001A0BCC51000-memory.dmp

Filesize
4KB

Download
memory/748-68-0x000001A0BC9B0000-0x000001A0BC9D7000-memory.dmp

Filesize
156KB

Download
memory/748-67-0x000001A0BC9B0000-0x000001A0BC9D7000-memory.dmp

Filesize
156KB

Download
memory/2244-10-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-5-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-11-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-9-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-8-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-3-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-7-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-12-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-4-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-15-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-16-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2244-17-0x00000000029D0000-0x0000000002A09000-memory.dmp

Filesize
228KB

Download
memory/2244-19-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2244-13-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-14-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-6-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.