Overview

overview

7

Static

static

3

f11c7bce06...0N.exe

windows7-x64

7

f11c7bce06...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/08/2024, 19:56 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f11c7bce06ba3ffcb49c370e81607da0N.exe

  • Size

    538KB

  • MD5

    f11c7bce06ba3ffcb49c370e81607da0

  • SHA1

    43c21f0230ed183d9da37d68411dff6002bc8907

  • SHA256

    86e32debc724ab505081f11fd3fc8088cdf26654411053deb76a4aec3d7e665a

  • SHA512

    e59b0ba543ca9fa6b457f578481072745a4571f2cd3f351226ecaa513b6260e189cc5af9811d6f0c7373e3c9902b3ef632d8b6c9cae18663932697f4ec20f453

  • SSDEEP

    12288:/n8yN0Mr8ZJJw1jm0Uq+pnWHDiZPWho5hWcrIm+xM/EWGKWYuaP:vPuZJK1Kbgq+h2rdjWYb

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4428
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:708
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe
        "C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Users\Public\Microsoft Build\Isass.exe
          "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:244
          • C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe
            "C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe"
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1368
            • C:\Users\Public\Microsoft Build\Isass.exe
              "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2224
              • C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe
                "C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:3228

Network

  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77deploystaticakamaitechnologiescom
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=46b80a5f05ae4d7386f0ccc74abe0891&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=46b80a5f05ae4d7386f0ccc74abe0891&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=12EBD4364ACC6A3110E4C0D44B2C6B90; domain=.bing.com; expires=Mon, 15-Sep-2025 19:56:09 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7E541F2D4156437DBA2B98536DFD751A Ref B: LON04EDGE1218 Ref C: 2024-08-21T19:56:09Z
    date: Wed, 21 Aug 2024 19:56:08 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=46b80a5f05ae4d7386f0ccc74abe0891&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=46b80a5f05ae4d7386f0ccc74abe0891&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=12EBD4364ACC6A3110E4C0D44B2C6B90
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=hC7Mw5QbS8E4BEU7OipqRS4kYgHWO9ID9G1P68ReQqk; domain=.bing.com; expires=Mon, 15-Sep-2025 19:56:09 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2CCFDBF5D6C7413B95171156E4114410 Ref B: LON04EDGE1218 Ref C: 2024-08-21T19:56:09Z
    date: Wed, 21 Aug 2024 19:56:08 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=46b80a5f05ae4d7386f0ccc74abe0891&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=46b80a5f05ae4d7386f0ccc74abe0891&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=12EBD4364ACC6A3110E4C0D44B2C6B90; MSPTC=hC7Mw5QbS8E4BEU7OipqRS4kYgHWO9ID9G1P68ReQqk
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9C68D80F0EFD43F8A0C083D686ECA68C Ref B: LON04EDGE1218 Ref C: 2024-08-21T19:56:09Z
    date: Wed, 21 Aug 2024 19:56:08 GMT
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.190.18.2.in-addr.arpa
    IN PTR
    Response
    71.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-71deploystaticakamaitechnologiescom
  • flag-us
    DNS
    100.56.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.56.20.217.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.211.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.211.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388126_1L4W1T5VFYTHU9QO3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388126_1L4W1T5VFYTHU9QO3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 540045
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1C62472C81AA48498D93A4D773E6594E Ref B: LON04EDGE1122 Ref C: 2024-08-21T19:57:48Z
    date: Wed, 21 Aug 2024 19:57:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 747785
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B332F34D0E61451EB1BF943E0F02A7F7 Ref B: LON04EDGE1122 Ref C: 2024-08-21T19:57:48Z
    date: Wed, 21 Aug 2024 19:57:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418559_1LXGGCLQWFST3067K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418559_1LXGGCLQWFST3067K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 753155
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6F53DED2500142D79DF42C0129DDD303 Ref B: LON04EDGE1122 Ref C: 2024-08-21T19:57:48Z
    date: Wed, 21 Aug 2024 19:57:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388125_1VMOONLDU1IFR4WEP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388125_1VMOONLDU1IFR4WEP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 875278
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D95B16041CB348D7A01D37A42E3F14D7 Ref B: LON04EDGE1122 Ref C: 2024-08-21T19:57:48Z
    date: Wed, 21 Aug 2024 19:57:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 695371
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 84ED6771601E4C06BCBA082211E2E2BF Ref B: LON04EDGE1122 Ref C: 2024-08-21T19:57:48Z
    date: Wed, 21 Aug 2024 19:57:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 512342
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2005B3176295471FB62D17D43CE2AA0B Ref B: LON04EDGE1122 Ref C: 2024-08-21T19:57:48Z
    date: Wed, 21 Aug 2024 19:57:47 GMT
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=46b80a5f05ae4d7386f0ccc74abe0891&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    tls, http2
    2.0kB
     9.3kB
     21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=46b80a5f05ae4d7386f0ccc74abe0891&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=46b80a5f05ae4d7386f0ccc74abe0891&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=46b80a5f05ae4d7386f0ccc74abe0891&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

    HTTP Response

    204
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    144.5kB
     4.3MB
     3095
    3088

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388126_1L4W1T5VFYTHU9QO3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418559_1LXGGCLQWFST3067K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388125_1VMOONLDU1IFR4WEP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    13
  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    13.107.21.237
    204.79.197.237

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    237.21.107.13.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    71.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    71.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    100.56.20.217.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    100.56.20.217.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    20.211.201.84.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    20.211.201.84.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
     170 B
     1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    Filesize

    679KB

    MD5

    abe14d1bf5f0ebc716a7aade4efe24e9

    SHA1

    b930a32e3b0ef87e73dcf8f21457c2d201ad3100

    SHA256

    6f9e3b08ed77d07ccec21ff45b4cbc66a2bf6e41a2dbf5ba6d98486d0be6764e

    SHA512

    ae0e612e7349de7c818902f4811f7e5258a5d7dd8f324fe1209d6b18b829090d0e179fa3161fbcfe16a740e9919f51a7aaf712bf698d57af8fdbb136097383ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe
    Filesize

    284KB

    MD5

    a42b35f975d88c1370a7aff084ee57a7

    SHA1

    bee1408fe0b15f6f719f003e46aee5ec424cf608

    SHA256

    56cc9e7e3767c0cffae8161bf0ad13457487c1b422e2879b897dbd4bab115776

    SHA512

    b92d05515e18277db660118934e70678ee2a3bb66005bad19bb417ffaedb22a63727a5a697ca3ac0f6c48f6f5593ba45ab80f4ebdc0eaed10d80b7af04d45b23

    Download Submit

  • C:\Users\Public\Microsoft Build\Isass.exe
    Filesize

    216KB

    MD5

    0609171772ed1682bd6adb41673f32b2

    SHA1

    75456deb7fe05cc2a5806623b6b216bc4fc47243

    SHA256

    de84bb36c0b33b5ddc3f6d54c8b087649b51e8cf8a80bace4fd92258d46443e3

    SHA512

    693c912a8253c62a446f072035f9775dfce0c45b0160710ee4bf8a0c296af0f9fcda24b22bc24050d837338b22371bc6eecd6f3e8ed7e0bde8b13b56e83ce778

    Download Submit

  • memory/244-16-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/244-18-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-57-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-47-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-67-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-66-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-58-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-7-0x00000000019F0000-0x00000000019F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/708-32-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-51-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-6-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-42-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-41-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-36-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-37-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/708-33-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/1368-20-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2212-15-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2224-31-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/4428-1-0x0000000003D30000-0x0000000003D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4428-11-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/4428-0-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/5080-10-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/5080-13-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.