Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-11-2024 13:20

General

  • Target

    22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe

  • Size

    553KB

  • MD5

    53dc1dd06f0095ff84064366287a5bf9

  • SHA1

    6a0d2d47a98c8f454e481ac39bc85e906efa7a77

  • SHA256

    22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25

  • SHA512

    19a0855a9f05a62f41b86721ac281a5df425bc5543e5b08cdcf0e4587ea4e7abbeee734e5d17c87b9794e504c874aae8ac1f2e20bd7c932fba35d0c68d13d4e7

  • SSDEEP

    12288:dMrry90IPGmtmwjTUfXN5JdKyOHJso3ZsPE3D6N:yyYmt5Uf9rg3CPEzO

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Signatures

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 35 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe
    "C:\Users\Admin\AppData\Local\Temp\22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6533.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6533.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1131.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1131.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3174.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3174.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4520

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=0CCB2F533F276402006A3A7E3E166545; domain=.bing.com; expires=Sat, 29-Nov-2025 13:20:39 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AC2E9074FBE048CEA916A06E6280C154 Ref B: LON601060102031 Ref C: 2024-11-04T13:20:39Z
    date: Mon, 04 Nov 2024 13:20:38 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0CCB2F533F276402006A3A7E3E166545
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=zd8lLqQCghjXyX7K4oK-zwU3CY-uuoElgMveSXU8FLk; domain=.bing.com; expires=Sat, 29-Nov-2025 13:20:39 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7E2EBCB178694A52A0DB3DC1D5390ED2 Ref B: LON601060102031 Ref C: 2024-11-04T13:20:39Z
    date: Mon, 04 Nov 2024 13:20:39 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0CCB2F533F276402006A3A7E3E166545; MSPTC=zd8lLqQCghjXyX7K4oK-zwU3CY-uuoElgMveSXU8FLk
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9CA2B1C163C54BF7953C9EF75596049B Ref B: LON601060102031 Ref C: 2024-11-04T13:20:39Z
    date: Mon, 04 Nov 2024 13:20:39 GMT
  • flag-us
    DNS
    69.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 787151
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 24DF33C827D24BF8A92653BC09010109 Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
    date: Mon, 04 Nov 2024 13:22:16 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 575578
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 552C14DB0A63426A868F3136A43722D4 Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
    date: Mon, 04 Nov 2024 13:22:16 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 604398
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 806DD2ECF7F14A43A7EA7924417CA6AD Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
    date: Mon, 04 Nov 2024 13:22:16 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 263416
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E762292BA57542AFA3144BF1EF785D33 Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
    date: Mon, 04 Nov 2024 13:22:16 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 242733
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A0C4BE64A58B4B1189CB9331407C8CFE Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
    date: Mon, 04 Nov 2024 13:22:16 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 589683
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 49AFD6E429824F40A7FC3D882E50650F Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
    date: Mon, 04 Nov 2024 13:22:17 GMT
  • flag-us
    DNS
    7.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    tls, http2
    2.0kB
    9.4kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204
  • 193.233.20.32:4125
    qu3174.exe
    260 B
    200 B
    5
    5
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    110.8kB
    3.2MB
    2310
    2304

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200
  • 193.233.20.32:4125
    qu3174.exe
    260 B
    200 B
    5
    5
  • 193.233.20.32:4125
    qu3174.exe
    260 B
    160 B
    5
    4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    10.28.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.28.171.150.in-addr.arpa

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    57.169.31.20.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    7.173.189.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    7.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6533.exe

    Filesize

    411KB

    MD5

    29b66603f1efc92986a0786993e6e37f

    SHA1

    791042aa7b2e846e33024c0564aa2141d10b9546

    SHA256

    c86eacf3f268e4692d7df61f0fb393d3482624bc4ab69a9d98b17537ad656e2a

    SHA512

    bb788b1ff8db3cb8c58e0f6ed84c783ef0098e84945533564778d8bb05ffb623161e90ebdac31030e59f4beb01eb6b6b67978b5ce6c7fadbe71dd8316746a100

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1131.exe

    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3174.exe

    Filesize

    386KB

    MD5

    e36e98caf51d5970fd79edfbf91dabe9

    SHA1

    de89501ff7072d6db46dd9a6f4b610483bd01b93

    SHA256

    37f060d8b7ce4f8ef6aba235c7a7e8384c2376989bdcd5f6f2c07cc592156e93

    SHA512

    c9fc9dfd1af9884f9cef89687dd0bd0118886ac0b185224ab258d87b8134441d8a01ec81a0feebd9b49994d9df972cd1644295ecde3be32e6c9848c70e81ba29

  • memory/2908-14-0x00007FF9013D3000-0x00007FF9013D5000-memory.dmp

    Filesize

    8KB

  • memory/2908-15-0x0000000000540000-0x000000000054A000-memory.dmp

    Filesize

    40KB

  • memory/2908-16-0x00007FF9013D3000-0x00007FF9013D5000-memory.dmp

    Filesize

    8KB

  • memory/4520-68-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-56-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-24-0x00000000071A0000-0x00000000071E4000-memory.dmp

    Filesize

    272KB

  • memory/4520-30-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-26-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-25-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-42-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-88-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-86-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-84-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-82-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-78-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-76-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-74-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-72-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-70-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-22-0x0000000004C80000-0x0000000004CC6000-memory.dmp

    Filesize

    280KB

  • memory/4520-66-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-64-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-62-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-58-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-23-0x00000000072D0000-0x0000000007874000-memory.dmp

    Filesize

    5.6MB

  • memory/4520-54-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-52-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-50-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-48-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-46-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-40-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-38-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-36-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-34-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-32-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-28-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-80-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-60-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-44-0x00000000071A0000-0x00000000071DF000-memory.dmp

    Filesize

    252KB

  • memory/4520-931-0x0000000007880000-0x0000000007E98000-memory.dmp

    Filesize

    6.1MB

  • memory/4520-932-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

    Filesize

    1.0MB

  • memory/4520-933-0x00000000072A0000-0x00000000072B2000-memory.dmp

    Filesize

    72KB

  • memory/4520-934-0x0000000007FB0000-0x0000000007FEC000-memory.dmp

    Filesize

    240KB

  • memory/4520-935-0x0000000008100000-0x000000000814C000-memory.dmp

    Filesize

    304KB
