Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-11-2024 13:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe
- Resource: win10v2004-20241007-en
General
- Target: d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe
- Size: 966KB
- MD5: 0289899e89cf8021db0ffd8da84834c3
- SHA1: e3251990e71e80a8b1f1ecc04ca2a1e75659689a
- SHA256: d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0
- SHA512: ea5dba3cf3926559ba567134396f4e1ca0f34363f59bd1b780aad1d355c4703ba94b257cb23055608547114df822b6c0e1465a95cbce714e576e7dfd5b4adb50
- SSDEEP: 24576:dyAyWtiFqmZSuSHMSBr9xcStfEeJ5U6k1Gp:4AJiFXY1BYSt8eJ5R
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource (memory region) / yara_rule:
- behavioral1/memory/372-22-0x0000000004790000-0x00000000047AA000-memory.dmp: healer
- behavioral1/memory/372-24-0x0000000004AD0000-0x0000000004AE8000-memory.dmp: healer
- behavioral1/memory/372-32-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-52-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-50-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-48-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-46-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-44-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-42-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-40-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-38-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-36-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-34-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-30-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-28-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-26-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
- behavioral1/memory/372-25-0x0000000004AD0000-0x0000000004AE2000-memory.dmp: healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr034223.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr034223.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr034223.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr034223.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr034223.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr034223.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource (memory region) / yara_rule:
- behavioral1/memory/2056-60-0x0000000004910000-0x000000000494C000-memory.dmp: family_redline
- behavioral1/memory/2056-61-0x0000000007310000-0x000000000734A000-memory.dmp: family_redline
- behavioral1/memory/2056-65-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-71-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-95-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-91-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-89-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-87-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-85-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-83-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-81-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-79-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-77-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-75-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-69-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-67-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-93-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-73-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-63-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
- behavioral1/memory/2056-62-0x0000000007310000-0x0000000007345000-memory.dmp: family_redline
Redline family

Executes dropped EXE (4 IoCs)
pid / Process:
- 3908: un691352.exe
- 4228: un064279.exe
- 372: pr034223.exe
- 2056: qu404210.exe

Windows security modification (2 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr034223.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr034223.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (un064279.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un691352.exe)
Program crash (1 IoC)
pid / pid_target / Process / procid_target:
- 972 / 372 / WerFault.exe / 88
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un691352.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un064279.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pr034223.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu404210.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 372: pr034223.exe
- 372: pr034223.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege / 372 / pr034223.exe
- Token: SeDebugPrivilege / 2056 / qu404210.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target:
- PID 2740 wrote to memory of 3908 / 2740 / d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe / 86
- PID 2740 wrote to memory of 3908 / 2740 / d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe / 86
- PID 2740 wrote to memory of 3908 / 2740 / d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe / 86
- PID 3908 wrote to memory of 4228 / 3908 / un691352.exe / 87
- PID 3908 wrote to memory of 4228 / 3908 / un691352.exe / 87
- PID 3908 wrote to memory of 4228 / 3908 / un691352.exe / 87
- PID 4228 wrote to memory of 372 / 4228 / un064279.exe / 88
- PID 4228 wrote to memory of 372 / 4228 / un064279.exe / 88
- PID 4228 wrote to memory of 372 / 4228 / un064279.exe / 88
- PID 4228 wrote to memory of 2056 / 4228 / un064279.exe / 104
- PID 4228 wrote to memory of 2056 / 4228 / un064279.exe / 104
- PID 4228 wrote to memory of 2056 / 4228 / un064279.exe / 104
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe (PID 2740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d3519b9cebe505d310c05990f54fc79c0bf1dbbee63c952ef59f67576f645cc0.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un691352.exe (PID 3908)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un691352.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un064279.exe (PID 4228)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un064279.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr034223.exe (PID 372)
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr034223.exe
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\WerFault.exe (PID 972)
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 1080
                    - Program crash
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404210.exe (PID 2056)
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu404210.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe (PID 1516)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 372 -ip 372
Network
-
Remote address: 8.8.8.8:53
Request: 232.168.11.51.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
-
Remote address: 8.8.8.8:53
Request: 83.210.23.2.in-addr.arpa IN PTR
Response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 64.159.190.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: g.bing.com IN A
Response:
  g.bing.com IN CNAME g-bing-com.ax-0001.ax-msedge.net
  g-bing-com.ax-0001.ax-msedge.net IN CNAME ax-0001.ax-msedge.net
  ax-0001.ax-msedge.net IN A 150.171.28.10
  ax-0001.ax-msedge.net IN A 150.171.27.10
-
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
Remote address: 150.171.28.10:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=07EDEB318D25602C1235FE1C8C14619C; domain=.bing.com; expires=Sat, 29-Nov-2025 13:44:13 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 016573081CCB469C9C3D01915ED5BE28 Ref B: LON601060101011 Ref C: 2024-11-04T13:44:13Z
date: Mon, 04 Nov 2024 13:44:12 GMT
-
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
Remote address: 150.171.28.10:443
Request:
GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=07EDEB318D25602C1235FE1C8C14619C
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=8sYcuqi7eN5zXDDkqAbcflP2zBhRAuPciLFoiyxq_Zs; domain=.bing.com; expires=Sat, 29-Nov-2025 13:44:13 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B53EA0FBACEA48BC9B51FFA3D08EC3EC Ref B: LON601060101011 Ref C: 2024-11-04T13:44:13Z
date: Mon, 04 Nov 2024 13:44:12 GMT
-
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
Remote address: 150.171.28.10:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=07EDEB318D25602C1235FE1C8C14619C; MSPTC=8sYcuqi7eN5zXDDkqAbcflP2zBhRAuPciLFoiyxq_Zs
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 58E27FE79FA344AF82FF4D4182FE270A Ref B: LON601060101011 Ref C: 2024-11-04T13:44:13Z
date: Mon, 04 Nov 2024 13:44:12 GMT
-
Remote address: 8.8.8.8:53
Request: 55.36.223.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 133.211.185.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 200.163.202.172.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 206.23.85.13.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 92.12.20.2.in-addr.arpa IN PTR
Response: 92.12.20.2.in-addr.arpa IN PTR a2-20-12-92.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 19.229.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: tse1.mm.bing.net IN A
Response:
  tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
  mm-mm.bing.net.trafficmanager.net IN CNAME ax-0001.ax-msedge.net
  ax-0001.ax-msedge.net IN A 150.171.27.10
  ax-0001.ax-msedge.net IN A 150.171.28.10
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301403_18A51FWD0ORQI7TWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.27.10:443
Request:
GET /th?id=OADD2.10239317301403_18A51FWD0ORQI7TWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 443303
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 82D4CE1B43994426BA749BBF1C9E4304 Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
date: Mon, 04 Nov 2024 13:45:46 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239317300970_1WZNZYNWWAF6IP05J&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.27.10:443
Request:
GET /th?id=OADD2.10239317300970_1WZNZYNWWAF6IP05J&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 786549
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 31FFC481E42A40F992EA838D5BF3370F Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
date: Mon, 04 Nov 2024 13:45:46 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388264_1YUAPSJ7CT2934NCP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.27.10:443
Request:
GET /th?id=OADD2.10239339388264_1YUAPSJ7CT2934NCP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 771044
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 691F2C4FA676442D99DA03ABF67C2479 Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
date: Mon, 04 Nov 2024 13:45:46 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388265_1Y6BSXJHTYRP4XCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.27.10:443
Request:
GET /th?id=OADD2.10239339388265_1Y6BSXJHTYRP4XCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 569199
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FC3C8FE22BF345D7979AABE02A6EFDB1 Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
date: Mon, 04 Nov 2024 13:45:46 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239317300960_1ICQ4HC4DA1BI7PLM&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.27.10:443
Request:
GET /th?id=OADD2.10239317300960_1ICQ4HC4DA1BI7PLM&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 1093976
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B43DB6AD45E248818494B5E144CE33F3 Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
date: Mon, 04 Nov 2024 13:45:46 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.27.10:443
Request:
GET /th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 497299
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7A91EF5C94F54E95B965BA3CFD23FD30 Ref B: LON601060105036 Ref C: 2024-11-04T13:45:47Z
date: Mon, 04 Nov 2024 13:45:47 GMT
-
Remote address: 8.8.8.8:53
Request: 10.27.171.150.in-addr.arpa IN PTR
Response: (empty)
-
Connection summary (remote address / URL / protocols / bytes sent / bytes received / packets sent / packets received):
150.171.28.10:443 / https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= / tls, http2 / 2.0kB / 9.3kB / 21 / 18
- HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
- HTTP Response: 204
- HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
- HTTP Response: 204
- HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2f5e68578dae49c8ab7680549566c02a&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
- HTTP Response: 204
(Eight further connection rows whose remote address and URL columns were lost in extraction: four with 260 B / 5 packets sent, and four with 1.2kB / 6.9kB, 15 / 13 packets.)
150.171.27.10:443 / https://tse1.mm.bing.net/th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 / tls, http2 / 160.5kB / 4.3MB / 3140 / 3133
- HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301403_18A51FWD0ORQI7TWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
- HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317300970_1WZNZYNWWAF6IP05J&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
- HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239339388264_1YUAPSJ7CT2934NCP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
- HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239339388265_1Y6BSXJHTYRP4XCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
- HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317300960_1ICQ4HC4DA1BI7PLM&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
- HTTP Response: 200
- HTTP Response: 200
- HTTP Response: 200
- HTTP Response: 200
- HTTP Response: 200
- HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
- HTTP Response: 200
(Three further connection rows whose remote address and URL columns were lost in extraction: two with 260 B / 5 packets sent, one with 156 B / 3 packets sent.)
DNS connections (bytes sent / bytes received / packets sent / packets received):
- 72 B / 158 B / 1 / 1: DNS Request 232.168.11.51.in-addr.arpa
- 66 B / 90 B / 1 / 1: DNS Request 8.8.8.8.in-addr.arpa
- 70 B / 133 B / 1 / 1: DNS Request 83.210.23.2.in-addr.arpa
- 72 B / 158 B / 1 / 1: DNS Request 64.159.190.20.in-addr.arpa
- 73 B / 144 B / 1 / 1: DNS Request 95.221.229.192.in-addr.arpa
- 56 B / 148 B / 1 / 1: DNS Request g.bing.com; DNS Response 150.171.28.10, 150.171.27.10
- 71 B / 157 B / 1 / 1: DNS Request 55.36.223.20.in-addr.arpa
- 73 B / 147 B / 1 / 1: DNS Request 133.211.185.52.in-addr.arpa
- 74 B / 160 B / 1 / 1: DNS Request 200.163.202.172.in-addr.arpa
- 71 B / 145 B / 1 / 1: DNS Request 206.23.85.13.in-addr.arpa
- 69 B / 131 B / 1 / 1: DNS Request 92.12.20.2.in-addr.arpa
- 74 B / 128 B / 1 / 1: DNS Request 172.210.232.199.in-addr.arpa
- 72 B / 158 B / 1 / 1: DNS Request 19.229.111.52.in-addr.arpa
- 62 B / 170 B / 1 / 1: DNS Request tse1.mm.bing.net; DNS Response 150.171.27.10, 150.171.28.10
- 72 B / 158 B / 1 / 1: DNS Request 10.27.171.150.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 706KB
  MD5: 35f5a0def96b85eabd56d1b635d018fb
  SHA1: b8e950018352369578e9e9106d82efcd8bbaffdf
  SHA256: b598d5aa0877be6824e1e26ba9f15c13f10f49eee43b6d3848c51f52b0dada89
  SHA512: ba4965fcf29a989850b3b5394201c57a9145f9a7e5bd0b674c5c5ad31647ccaa69e2d993b1d6d926b4bc353ef1d9f910c66e543d09ec2146e42a7a92d8f6ef15
- Filesize: 552KB
  MD5: b25cf7ae2fd408ea5762ae2f8a796dd4
  SHA1: 90a5fab1379b33a16e6fb708d7f5551b132dd70c
  SHA256: 3c016432c9612a1fe7e65a8f4e7c8afb165f1550c8f41cba4a70a6b9412c7811
  SHA512: 823f40b7954a90fcca00d17fa74a0263b173b4e655a3b646a352bf85eef398935b5c2453cadbcb8a78b95caee6019a59c282c39434537c6e317877b9c1519133
- Filesize: 299KB
  MD5: 8d6d540245fb52dc92887782e306a0b2
  SHA1: a41438aa13144b61b308b7e123d9b944f292ed5f
  SHA256: bbe2dac947957f47143be121b110a50cef138d33c6a51cb2c6f8e319db11d336
  SHA512: 3b11d678638d045091846551f6b7f8c900215e409f1ff72ceb5c0c63ad5b4da3d31899de7ef40b4e0e7f7b54f1afae4fa31ddecd4c35693d984040fef698b9d5
- Filesize: 382KB
  MD5: 21e48c59e4f9909ec65832db17e071d7
  SHA1: 97f915b00fe752dfc9744353eb9e3b4074e8a16e
  SHA256: 45e7a4eede302850f83c3cc4a8ad0a296bc274a1ea88661845d7d706773d31a3
  SHA512: ca3341163cd513653c1529d87a1eed05366b81f95a3bdacfe49b8c82218c4ebcf2ca404a92b6ff9dec175c6047353be9e86c906bf95c202f45f19d34510be350