Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/08/2024, 11:42 UTC

General

  • Target

    Public Holiday_Notice 2024.exe

  • Size

    1.4MB

  • MD5

    6a059d39861fe040d2ec45e74daacf34

  • SHA1

    3023e95579019dffc86596db8e5fc27b2f574b65

  • SHA256

    92be4e60ffc8bcce4d34243d1c5ec0f70c8059504d6466248ceeb8d0dde01afa

  • SHA512

    654b1554789984c3fe0453a0afa7a8f078d78def8d9786b34d9f340452e37b6d880ac70fce3953a8744dce79a16bd6a0a4052b43aefc4727a46037e1885d6bf7

  • SSDEEP

    24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8a74RgPQ9QjPAZZJXjIc:sTvC/MTQYxsWR7a74RgPQ9QjeZJ

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

194.169.175.190:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-LBZ2BK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Detected Nirsoft tools 7 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Public Holiday_Notice 2024.exe
    "C:\Users\Admin\AppData\Local\Temp\Public Holiday_Notice 2024.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\Public Holiday_Notice 2024.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\xuimnx"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3972
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\hovwopvxr"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:3784
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\rqappigrfasw"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4704

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e27b08f0929640f18b9dd43f699d14c8&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e27b08f0929640f18b9dd43f699d14c8&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=0568292AD0AC68F61F253DC1D18B69DF; domain=.bing.com; expires=Wed, 24-Sep-2025 11:42:44 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 139070CC08CC46E88E3277F0E34618EF Ref B: LON04EDGE0713 Ref C: 2024-08-30T11:42:44Z
    date: Fri, 30 Aug 2024 11:42:43 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e27b08f0929640f18b9dd43f699d14c8&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e27b08f0929640f18b9dd43f699d14c8&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0568292AD0AC68F61F253DC1D18B69DF
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=Tx86UFkR_VDX_QF3isJw73Vw8mO_6akY69c1H-tK1Cg; domain=.bing.com; expires=Wed, 24-Sep-2025 11:42:44 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 588C35C0594B4B2A99D84782BAD03324 Ref B: LON04EDGE0713 Ref C: 2024-08-30T11:42:44Z
    date: Fri, 30 Aug 2024 11:42:44 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e27b08f0929640f18b9dd43f699d14c8&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e27b08f0929640f18b9dd43f699d14c8&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0568292AD0AC68F61F253DC1D18B69DF; MSPTC=Tx86UFkR_VDX_QF3isJw73Vw8mO_6akY69c1H-tK1Cg
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E990892292B34A95AFEC285ED112FFE6 Ref B: LON04EDGE0713 Ref C: 2024-08-30T11:42:44Z
    date: Fri, 30 Aug 2024 11:42:44 GMT
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    190.175.169.194.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    190.175.169.194.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301195_10TKS815IX0MOD3NX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301195_10TKS815IX0MOD3NX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 561868
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8A6B3D05DE6E4E12A88302A2DC59A838 Ref B: LON04EDGE1213 Ref C: 2024-08-30T11:44:21Z
    date: Fri, 30 Aug 2024 11:44:20 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418564_10W6V5F7I280O8R44&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418564_10W6V5F7I280O8R44&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 335594
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 75B5F924CB0A4EE4B87087D8095C57E5 Ref B: LON04EDGE1213 Ref C: 2024-08-30T11:44:21Z
    date: Fri, 30 Aug 2024 11:44:20 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418563_16RSKIH5RQZW91ZBH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418563_16RSKIH5RQZW91ZBH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 427192
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6CD215D5387242B8981762A004DA47DD Ref B: LON04EDGE1213 Ref C: 2024-08-30T11:44:21Z
    date: Fri, 30 Aug 2024 11:44:20 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 324887
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0E27B6A494564DF6925F92FE6D96F13C Ref B: LON04EDGE1213 Ref C: 2024-08-30T11:44:21Z
    date: Fri, 30 Aug 2024 11:44:20 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 405350
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B1DB593175104481BA0694B261162BCE Ref B: LON04EDGE1213 Ref C: 2024-08-30T11:44:21Z
    date: Fri, 30 Aug 2024 11:44:20 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301604_1H6WK0590WT095LZX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301604_1H6WK0590WT095LZX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 317640
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BD52C09E1F194523B3FE47C65E11A67B Ref B: LON04EDGE1213 Ref C: 2024-08-30T11:44:21Z
    date: Fri, 30 Aug 2024 11:44:21 GMT
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e27b08f0929640f18b9dd43f699d14c8&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=
    tls, http2
    2.0kB
    9.4kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e27b08f0929640f18b9dd43f699d14c8&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e27b08f0929640f18b9dd43f699d14c8&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e27b08f0929640f18b9dd43f699d14c8&localId=w:BB8B17D4-59B3-6ACA-B6DD-FE09489D2C70&deviceId=6896205358085503&anid=

    HTTP Response

    204
  • 194.169.175.190:2404
    tls
    svchost.exe
    2.6kB
    1.8kB
    16
    18
  • 194.169.175.190:2404
    tls
    svchost.exe
    34.7kB
    512.3kB
    214
    383
  • 194.169.175.190:2404
    tls
    svchost.exe
    976 B
    864 B
    7
    5
  • 52.111.236.23:443
    322 B
    7
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    7.3kB
    16
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    7.3kB
    16
    13
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301604_1H6WK0590WT095LZX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    88.7kB
    2.5MB
    1817
    1809

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301195_10TKS815IX0MOD3NX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418564_10W6V5F7I280O8R44&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418563_16RSKIH5RQZW91ZBH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301604_1H6WK0590WT095LZX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    7.3kB
    16
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    7.3kB
    16
    13
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    190.175.169.194.in-addr.arpa
    dns
    74 B
    134 B
    1
    1

    DNS Request

    190.175.169.194.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    142 B
    145 B
    2
    1

    DNS Request

    206.23.85.13.in-addr.arpa

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    10.28.171.150.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    10.28.171.150.in-addr.arpa

    DNS Request

    10.28.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\xuimnx

    Filesize

    4KB

    MD5

    a7e181f6aa185be0ab0ca68b30406fe6

    SHA1

    58c86162658dc609615b8b6400f85c92506dfdc8

    SHA256

    c3071dc55b94db225d9c0f2c1b21c7e8f27dbfd168b85b7d618d8d19950e7ff2

    SHA512

    49969eb10e0bf7925940eb7374451f811658ef9ccfb83b86fb337c4d06c3ba17eb0181f598d9e0ec9ca25bfaf644209ac47b73d62ac924e73d03a4dcf8f8dd0f

  • memory/1032-10-0x0000000003880000-0x0000000003884000-memory.dmp

    Filesize

    16KB

  • memory/1332-50-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-57-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-14-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-15-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-16-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-17-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-18-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-19-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-21-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-61-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-60-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-59-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-58-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-49-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/1332-56-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-55-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-54-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-53-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-13-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-52-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-45-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/1332-51-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-11-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/1332-48-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/1332-12-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/3784-23-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/3784-27-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/3784-34-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/3784-38-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/3784-33-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/3972-28-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3972-43-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3972-22-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3972-36-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3972-32-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/4704-37-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4704-31-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4704-26-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4704-35-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4704-30-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.