Analysis
max time kernel: 149s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 04-11-2024 13:20

Static task: static1
Behavioral task: behavioral1
Sample: 22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe
Resource: win10v2004-20241007-en
General
Target: 22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe
Size: 553KB
MD5: 53dc1dd06f0095ff84064366287a5bf9
SHA1: 6a0d2d47a98c8f454e481ac39bc85e906efa7a77
SHA256: 22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25
SHA512: 19a0855a9f05a62f41b86721ac281a5df425bc5543e5b08cdcf0e4587ea4e7abbeee734e5d17c87b9794e504c874aae8ac1f2e20bd7c932fba35d0c68d13d4e7
SSDEEP: 12288:dMrry90IPGmtmwjTUfXN5JdKyOHJso3ZsPE3D6N:yyYmt5Uf9rg3CPEzO
Malware Config
Extracted
Family: redline
Botnet: boris
C2: 193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b75-11.dat | healer
behavioral1/memory/2908-15-0x0000000000540000-0x000000000054A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro1131.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro1131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro1131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro1131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro1131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro1131.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
2308 | unio6533.exe
2908 | pro1131.exe
4520 | qu3174.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro1131.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio6533.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio6533.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu3174.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2908 | pro1131.exe
2908 | pro1131.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2908 | pro1131.exe
Token: SeDebugPrivilege | 4520 | qu3174.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 5116 wrote to memory of 2308 | 5116 | 22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe | 84
PID 5116 wrote to memory of 2308 | 5116 | 22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe | 84
PID 5116 wrote to memory of 2308 | 5116 | 22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe | 84
PID 2308 wrote to memory of 2908 | 2308 | unio6533.exe | 85
PID 2308 wrote to memory of 2908 | 2308 | unio6533.exe | 85
PID 2308 wrote to memory of 4520 | 2308 | unio6533.exe | 94
PID 2308 wrote to memory of 4520 | 2308 | unio6533.exe | 94
PID 2308 wrote to memory of 4520 | 2308 | unio6533.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22a782815b4691564149c284e0b80a64afd76befd610dde439d17d318bd08b25.exe"
  PID: 5116
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6533.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6533.exe
    PID: 2308
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1131.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1131.exe
      PID: 2908
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3174.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3174.exe
      PID: 4520
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network

DNS (8.8.8.8:53): PTR 8.8.8.8.in-addr.arpa -> dns.google
DNS (8.8.8.8:53): PTR 172.214.232.199.in-addr.arpa -> (empty response)
DNS (8.8.8.8:53): PTR 104.219.191.52.in-addr.arpa -> (empty response)
DNS (8.8.8.8:53): A g.bing.com -> CNAME g-bing-com.ax-0001.ax-msedge.net -> CNAME ax-0001.ax-msedge.net -> A 150.171.28.10, 150.171.27.10

HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
Remote address: 150.171.28.10:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0CCB2F533F276402006A3A7E3E166545; domain=.bing.com; expires=Sat, 29-Nov-2025 13:20:39 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AC2E9074FBE048CEA916A06E6280C154 Ref B: LON601060102031 Ref C: 2024-11-04T13:20:39Z
date: Mon, 04 Nov 2024 13:20:38 GMT

HTTP GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
Remote address: 150.171.28.10:443
Request:
GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0CCB2F533F276402006A3A7E3E166545
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=zd8lLqQCghjXyX7K4oK-zwU3CY-uuoElgMveSXU8FLk; domain=.bing.com; expires=Sat, 29-Nov-2025 13:20:39 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7E2EBCB178694A52A0DB3DC1D5390ED2 Ref B: LON601060102031 Ref C: 2024-11-04T13:20:39Z
date: Mon, 04 Nov 2024 13:20:39 GMT

HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
Remote address: 150.171.28.10:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0CCB2F533F276402006A3A7E3E166545; MSPTC=zd8lLqQCghjXyX7K4oK-zwU3CY-uuoElgMveSXU8FLk
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9CA2B1C163C54BF7953C9EF75596049B Ref B: LON601060102031 Ref C: 2024-11-04T13:20:39Z
date: Mon, 04 Nov 2024 13:20:39 GMT

DNS (8.8.8.8:53): PTR 69.31.126.40.in-addr.arpa -> (empty response)
DNS (8.8.8.8:53): PTR 95.221.229.192.in-addr.arpa -> (empty response)
DNS (8.8.8.8:53): PTR 10.28.171.150.in-addr.arpa -> (empty response)
DNS (8.8.8.8:53): PTR 205.47.74.20.in-addr.arpa -> (empty response)
DNS (8.8.8.8:53): PTR 133.211.185.52.in-addr.arpa -> (empty response)
DNS (8.8.8.8:53): PTR 83.210.23.2.in-addr.arpa -> a2-23-210-83.deploy.static.akamaitechnologies.com
DNS (8.8.8.8:53): PTR 57.169.31.20.in-addr.arpa -> (empty response)
DNS (8.8.8.8:53): PTR 23.236.111.52.in-addr.arpa -> (empty response)
DNS (8.8.8.8:53): A tse1.mm.bing.net -> CNAME mm-mm.bing.net.trafficmanager.net -> CNAME ax-0001.ax-msedge.net -> A 150.171.28.10, 150.171.27.10

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 787151
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 24DF33C827D24BF8A92653BC09010109 Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
date: Mon, 04 Nov 2024 13:22:16 GMT

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 575578
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 552C14DB0A63426A868F3136A43722D4 Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
date: Mon, 04 Nov 2024 13:22:16 GMT

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 604398
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 806DD2ECF7F14A43A7EA7924417CA6AD Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
date: Mon, 04 Nov 2024 13:22:16 GMT

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 263416
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E762292BA57542AFA3144BF1EF785D33 Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
date: Mon, 04 Nov 2024 13:22:16 GMT

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 242733
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A0C4BE64A58B4B1189CB9331407C8CFE Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
date: Mon, 04 Nov 2024 13:22:16 GMT

HTTP GET https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 589683
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 49AFD6E429824F40A7FC3D882E50650F Ref B: LON601060102062 Ref C: 2024-11-04T13:22:17Z
date: Mon, 04 Nov 2024 13:22:17 GMT

DNS (8.8.8.8:53): PTR 7.173.189.20.in-addr.arpa -> (empty response)

Remote address | Host | Protocol | Sent | Received | Packets sent | Packets received
150.171.28.10:443 | https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= | tls, http2 | 2.0kB | 9.4kB | 22 | 19
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=55992805edcf44c4b66cc7c83adb00b5&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
  HTTP Response: 204
150.171.28.10:443 | https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 | tls, http2 | 110.8kB | 3.2MB | 2310 | 2304
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Response: 200
  HTTP Response: 200
  HTTP Response: 200
  HTTP Response: 200
  HTTP Response: 200
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Response: 200
Sent | Received | Packets sent | Packets received | DNS Request | DNS Response
66 B | 90 B | 1 | 1 | 8.8.8.8.in-addr.arpa |
74 B | 128 B | 1 | 1 | 172.214.232.199.in-addr.arpa |
73 B | 147 B | 1 | 1 | 104.219.191.52.in-addr.arpa |
56 B | 148 B | 1 | 1 | g.bing.com | 150.171.28.10, 150.171.27.10
71 B | 157 B | 1 | 1 | 69.31.126.40.in-addr.arpa |
73 B | 144 B | 1 | 1 | 95.221.229.192.in-addr.arpa |
72 B | 158 B | 1 | 1 | 10.28.171.150.in-addr.arpa |
71 B | 157 B | 1 | 1 | 205.47.74.20.in-addr.arpa |
73 B | 147 B | 1 | 1 | 133.211.185.52.in-addr.arpa |
70 B | 133 B | 1 | 1 | 83.210.23.2.in-addr.arpa |
71 B | 157 B | 1 | 1 | 57.169.31.20.in-addr.arpa |
72 B | 158 B | 1 | 1 | 23.236.111.52.in-addr.arpa |
62 B | 170 B | 1 | 1 | tse1.mm.bing.net | 150.171.28.10, 150.171.27.10
71 B | 157 B | 1 | 1 | 7.173.189.20.in-addr.arpa |
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)