Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04-11-2024 13:44

General

  • Target

    d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe

  • Size

    966KB

  • MD5

    0289899e89cf8021db0ffd8da84834c3

  • SHA1

    e3251990e71e80a8b1f1ecc04ca2a1e75659689a

  • SHA256

    d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0

  • SHA512

    ea5dba3cf3926559ba567134396f4e1ca0f34363f59bd1b780aad1d355c4703ba94b257cb23055608547114df822b6c0e1465a95cbce714e576e7dfd5b4adb50

  • SSDEEP

    24576:dyAyWtiFqmZSuSHMSBr9xcStfEeJ5U6k1Gp:4AJiFXY1BYSt8eJ5R

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper 17 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 20 IoCs
  • Redline family
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe
    "C:\Users\Admin\AppData\Local\Temp\d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un691352.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un691352.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3908
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un064279.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un064279.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr034223.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr034223.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:372
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 1080
            5⤵
            • Program crash
            PID:972
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404210.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404210.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2056
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 372 -ip 372
    1⤵
      PID:1516

    Network

    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      64.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      64.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=07EDEB318D25602C1235FE1C8C14619C; domain=.bing.com; expires=Sat, 29-Nov-2025 13:44:13 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 016573081CCB469C9C3D01915ED5BE28 Ref B: LON601060101011 Ref C: 2024-11-04T13:44:13Z
      date: Mon, 04 Nov 2024 13:44:12 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=07EDEB318D25602C1235FE1C8C14619C
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=8sYcuqi7eN5zXDDkqAbcflP2zBhRAuPciLFoiyxq_Zs; domain=.bing.com; expires=Sat, 29-Nov-2025 13:44:13 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: B53EA0FBACEA48BC9B51FFA3D08EC3EC Ref B: LON601060101011 Ref C: 2024-11-04T13:44:13Z
      date: Mon, 04 Nov 2024 13:44:12 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=07EDEB318D25602C1235FE1C8C14619C; MSPTC=8sYcuqi7eN5zXDDkqAbcflP2zBhRAuPciLFoiyxq_Zs
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 58E27FE79FA344AF82FF4D4182FE270A Ref B: LON601060101011 Ref C: 2024-11-04T13:44:13Z
      date: Mon, 04 Nov 2024 13:44:12 GMT
    • flag-us
      DNS
      55.36.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      55.36.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      200.163.202.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.163.202.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      92.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      92.12.20.2.in-addr.arpa
      IN PTR
      Response
      92.12.20.2.in-addr.arpa
      IN PTR
      a2-20-12-92.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301403_18A51FWD0ORQI7TWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317301403_18A51FWD0ORQI7TWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 443303
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 82D4CE1B43994426BA749BBF1C9E4304 Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
      date: Mon, 04 Nov 2024 13:45:46 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317300970_1WZNZYNWWAF6IP05J&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317300970_1WZNZYNWWAF6IP05J&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 786549
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 31FFC481E42A40F992EA838D5BF3370F Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
      date: Mon, 04 Nov 2024 13:45:46 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388264_1YUAPSJ7CT2934NCP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388264_1YUAPSJ7CT2934NCP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 771044
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 691F2C4FA676442D99DA03ABF67C2479 Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
      date: Mon, 04 Nov 2024 13:45:46 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388265_1Y6BSXJHTYRP4XCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388265_1Y6BSXJHTYRP4XCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 569199
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: FC3C8FE22BF345D7979AABE02A6EFDB1 Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
      date: Mon, 04 Nov 2024 13:45:46 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317300960_1ICQ4HC4DA1BI7PLM&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317300960_1ICQ4HC4DA1BI7PLM&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 1093976
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: B43DB6AD45E248818494B5E144CE33F3 Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
      date: Mon, 04 Nov 2024 13:45:46 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 497299
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 7A91EF5C94F54E95B965BA3CFD23FD30 Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
      date: Mon, 04 Nov 2024 13:45:47 GMT
    • flag-us
      DNS
      10.27.171.150.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.27.171.150.in-addr.arpa
      IN PTR
      Response
    • 150.171.28.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
      tls, http2
      2.0kB
      9.3kB
      21
      18

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=

      HTTP Response

      204
    • 185.161.248.153:38452
      qu404210.exe
      260 B
      5
    • 185.161.248.153:38452
      qu404210.exe
      260 B
      5
    • 185.161.248.153:38452
      qu404210.exe
      260 B
      5
    • 185.161.248.153:38452
      qu404210.exe
      260 B
      5
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.27.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      160.5kB
      4.3MB
      3140
      3133

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301403_18A51FWD0ORQI7TWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317300970_1WZNZYNWWAF6IP05J&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388264_1YUAPSJ7CT2934NCP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388265_1Y6BSXJHTYRP4XCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317300960_1ICQ4HC4DA1BI7PLM&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 185.161.248.153:38452
      qu404210.exe
      260 B
      5
    • 185.161.248.153:38452
      qu404210.exe
      260 B
      5
    • 185.161.248.153:38452
      qu404210.exe
      156 B
      3
    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      64.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      64.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      148 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.28.10
      150.171.27.10

    • 8.8.8.8:53
      55.36.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      55.36.223.20.in-addr.arpa

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      200.163.202.172.in-addr.arpa
      dns
      74 B
      160 B
      1
      1

      DNS Request

      200.163.202.172.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      92.12.20.2.in-addr.arpa
      dns
      69 B
      131 B
      1
      1

      DNS Request

      92.12.20.2.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      19.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      170 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      10.27.171.150.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      10.27.171.150.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un691352.exe

      Filesize

      706KB

      MD5

      35f5a0def96b85eabd56d1b635d018fb

      SHA1

      b8e950018352369578e9e9106d82efcd8bbaffdf

      SHA256

      b598d5aa0877be6824e1e26ba9f15c13f10f49eee43b6d3848c51f52b0dada89

      SHA512

      ba4965fcf29a989850b3b5394201c57a9145f9a7e5bd0b674c5c5ad31647ccaa69e2d993b1d6d926b4bc353ef1d9f910c66e543d09ec2146e42a7a92d8f6ef15

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un064279.exe

      Filesize

      552KB

      MD5

      b25cf7ae2fd408ea5762ae2f8a796dd4

      SHA1

      90a5fab1379b33a16e6fb708d7f5551b132dd70c

      SHA256

      3c016432c9612a1fe7e65a8f4e7c8afb165f1550c8f41cba4a70a6b9412c7811

      SHA512

      823f40b7954a90fcca00d17fa74a0263b173b4e655a3b646a352bf85eef398935b5c2453cadbcb8a78b95caee6019a59c282c39434537c6e317877b9c1519133

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr034223.exe

      Filesize

      299KB

      MD5

      8d6d540245fb52dc92887782e306a0b2

      SHA1

      a41438aa13144b61b308b7e123d9b944f292ed5f

      SHA256

      bbe2dac947957f47143be121b110a50cef138d33c6a51cb2c6f8e319db11d336

      SHA512

      3b11d678638d045091846551f6b7f8c900215e409f1ff72ceb5c0c63ad5b4da3d31899de7ef40b4e0e7f7b54f1afae4fa31ddecd4c35693d984040fef698b9d5

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404210.exe

      Filesize

      382KB

      MD5

      21e48c59e4f9909ec65832db17e071d7

      SHA1

      97f915b00fe752dfc9744353eb9e3b4074e8a16e

      SHA256

      45e7a4eede302850f83c3cc4a8ad0a296bc274a1ea88661845d7d706773d31a3

      SHA512

      ca3341163cd513653c1529d87a1eed05366b81f95a3bdacfe49b8c82218c4ebcf2ca404a92b6ff9dec175c6047353be9e86c906bf95c202f45f19d34510be350

    • memory/372-42-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-40-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-32-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-52-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-50-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-48-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-46-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-44-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-23-0x0000000007560000-0x0000000007B04000-memory.dmp

      Filesize

      5.6MB

    • memory/372-24-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

      Filesize

      96KB

    • memory/372-38-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-36-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-34-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-30-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-28-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-26-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-25-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

      Filesize

      72KB

    • memory/372-53-0x0000000000400000-0x0000000002BB5000-memory.dmp

      Filesize

      39.7MB

    • memory/372-22-0x0000000004790000-0x00000000047AA000-memory.dmp

      Filesize

      104KB

    • memory/372-55-0x0000000000400000-0x0000000002BB5000-memory.dmp

      Filesize

      39.7MB

    • memory/2056-60-0x0000000004910000-0x000000000494C000-memory.dmp

      Filesize

      240KB

    • memory/2056-61-0x0000000007310000-0x000000000734A000-memory.dmp

      Filesize

      232KB

    • memory/2056-65-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-71-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-95-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-91-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-89-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-87-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-85-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-83-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-81-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-79-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-77-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-75-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-69-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-67-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-93-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-73-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-63-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-62-0x0000000007310000-0x0000000007345000-memory.dmp

      Filesize

      212KB

    • memory/2056-854-0x0000000009DF0000-0x000000000A408000-memory.dmp

      Filesize

      6.1MB

    • memory/2056-855-0x000000000A490000-0x000000000A4A2000-memory.dmp

      Filesize

      72KB

    • memory/2056-856-0x000000000A4B0000-0x000000000A5BA000-memory.dmp

      Filesize

      1.0MB

    • memory/2056-857-0x000000000A5E0000-0x000000000A61C000-memory.dmp

      Filesize

      240KB

    • memory/2056-858-0x0000000006E00000-0x0000000006E4C000-memory.dmp

      Filesize

      304KB
