Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

705b11db0c...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2024, 14:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    705b11db0cf933af567d919a3bb25e0b8cc9768fb5f6b638b6029e14715140c0.exe

  • Size

    777KB

  • MD5

    0367a4874aeba4b3ecbfb20b7f455b31

  • SHA1

    77582a1b5b5bbfe7c1ae0af51cdc9472d57108fe

  • SHA256

    705b11db0cf933af567d919a3bb25e0b8cc9768fb5f6b638b6029e14715140c0

  • SHA512

    a46e85ba514c257b04535c7bb1a274a595ddb56c5835db451b08e4196280d9d4ef392a4ffcf89b2ccd3eef023acc7235b7b252b25e96688ae885ac87865d6585

  • SSDEEP

    24576:4ypsjaWOH4r5U71yt8EojxjBINTrn8IrfSH:/2JFU78iEy9wh

Score
10/10
healerredlinegenadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Signatures

  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\705b11db0cf933af567d919a3bb25e0b8cc9768fb5f6b638b6029e14715140c0.exe
    "C:\Users\Admin\AppData\Local\Temp\705b11db0cf933af567d919a3bb25e0b8cc9768fb5f6b638b6029e14715140c0.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba5711.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba5711.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0003.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0003.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3502WR.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3502WR.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4968
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h97Lc81.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h97Lc81.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3560
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1084
            5⤵
            • Program crash
            PID:632
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iDdKj02.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iDdKj02.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3128
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3560 -ip 3560
    1⤵
      PID:3008

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      88.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.210.23.2.in-addr.arpa
      IN PTR
      Response
      88.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-88deploystaticakamaitechnologiescom
    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc6c54a6d0e1401fbf714a7cc365fd9a&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc6c54a6d0e1401fbf714a7cc365fd9a&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=02C12BDAB002675B39FB3EF7B1C066EC; domain=.bing.com; expires=Sat, 29-Nov-2025 14:23:30 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D9E42AB16DAC45D6B39D2F5EFB386244 Ref B: LON601060105029 Ref C: 2024-11-04T14:23:30Z
      date: Mon, 04 Nov 2024 14:23:30 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dc6c54a6d0e1401fbf714a7cc365fd9a&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dc6c54a6d0e1401fbf714a7cc365fd9a&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=02C12BDAB002675B39FB3EF7B1C066EC
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=71ntK3lrz_fs6vSpTt9B28HmNeRXeMWd4y-2pSTkhKE; domain=.bing.com; expires=Sat, 29-Nov-2025 14:23:30 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: DB245D726E884129BC3192DF4E7A0DD6 Ref B: LON601060105029 Ref C: 2024-11-04T14:23:30Z
      date: Mon, 04 Nov 2024 14:23:30 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc6c54a6d0e1401fbf714a7cc365fd9a&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc6c54a6d0e1401fbf714a7cc365fd9a&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=02C12BDAB002675B39FB3EF7B1C066EC; MSPTC=71ntK3lrz_fs6vSpTt9B28HmNeRXeMWd4y-2pSTkhKE
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D3935443A82244C18ABA77F7D10D7E9F Ref B: LON601060105029 Ref C: 2024-11-04T14:23:30Z
      date: Mon, 04 Nov 2024 14:23:30 GMT
    • flag-us
      DNS
      2.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      55.36.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      55.36.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.156.103.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.156.103.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301058_17JUKZU9RAC77URQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317301058_17JUKZU9RAC77URQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 514312
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 8BC143B1A7E94F5D9BB811EE2B3DA324 Ref B: LON601060104023 Ref C: 2024-11-04T14:25:10Z
      date: Mon, 04 Nov 2024 14:25:10 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360432410_1ZT9L3WG863INPZDE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239360432410_1ZT9L3WG863INPZDE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 746576
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6E1A2D63BC0945CB8DAEB48875648464 Ref B: LON601060104023 Ref C: 2024-11-04T14:25:10Z
      date: Mon, 04 Nov 2024 14:25:10 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 435187
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4F6DE8BBC3E442F29265F50C32AB95B9 Ref B: LON601060104023 Ref C: 2024-11-04T14:25:10Z
      date: Mon, 04 Nov 2024 14:25:10 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 657438
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: BCD24D824BE243158E2ED7000D79A79B Ref B: LON601060104023 Ref C: 2024-11-04T14:25:10Z
      date: Mon, 04 Nov 2024 14:25:10 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 490098
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6146B52C5A654C1181D607B217494779 Ref B: LON601060104023 Ref C: 2024-11-04T14:25:10Z
      date: Mon, 04 Nov 2024 14:25:10 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301491_1LL1FHWSDTTTRGIZC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317301491_1LL1FHWSDTTTRGIZC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 422407
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 17EC64434D414B92B12FFD9F7A67DCE9 Ref B: LON601060104023 Ref C: 2024-11-04T14:25:11Z
      date: Mon, 04 Nov 2024 14:25:11 GMT
    • 150.171.27.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc6c54a6d0e1401fbf714a7cc365fd9a&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
      tls, http2
      2.0kB
       9.4kB
       22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc6c54a6d0e1401fbf714a7cc365fd9a&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dc6c54a6d0e1401fbf714a7cc365fd9a&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc6c54a6d0e1401fbf714a7cc365fd9a&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

      HTTP Response

      204
    • 193.233.20.30:4125
      iDdKj02.exe
      260 B
       5
    • 193.233.20.30:4125
      iDdKj02.exe
      260 B
       5
    • 193.233.20.30:4125
      iDdKj02.exe
      260 B
       5
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 150.171.27.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301491_1LL1FHWSDTTTRGIZC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      116.3kB
       3.4MB
       2456
      2450

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301058_17JUKZU9RAC77URQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360432410_1ZT9L3WG863INPZDE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301491_1LL1FHWSDTTTRGIZC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 193.233.20.30:4125
      iDdKj02.exe
      260 B
       5
    • 193.233.20.30:4125
      iDdKj02.exe
      208 B
       4
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      88.210.23.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      88.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
       148 B
       1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      2.159.190.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      2.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      146 B
       144 B
       2
      1

      DNS Request

      95.221.229.192.in-addr.arpa

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      146 B
       147 B
       2
      1

      DNS Request

      104.219.191.52.in-addr.arpa

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      55.36.223.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      55.36.223.20.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      19.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      88.156.103.20.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
       170 B
       1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.27.10
      150.171.28.10

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba5711.exe
      Filesize

      635KB

      MD5

      02e4913546ccdf8bfc8f80daa8ae0463

      SHA1

      8e9ed3851ea59dc646cc1fb5a9686d0b1ebabfee

      SHA256

      0d2aeab589e66bc2af8825e0e0449d8762ad3586c753f2a3b8ef9071a9338f29

      SHA512

      84d3d4f1bc04464d95abbc83690bac279a628adf02bdc62bcb2767a5d3d8b5f69d5446e4596c793d7d173bd32ba56737e09edfeb32ff5cfdd19223a59c730349

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iDdKj02.exe
      Filesize

      287KB

      MD5

      a8b7dd84ddda5bd29f9e1a6de036feea

      SHA1

      243a1d14e714a46b1a0a66e6cd20cd3a76aa163d

      SHA256

      ec566375190f3ec7438a9dd6474b2f75a515ca51e70686b7d4ace9daec33b658

      SHA512

      8e8cfa700cfdbc217ebe36c639cca0e246730ce3e6cbbc289dab8fbc3cf602218340b717a1112b1ba299098dd62edeb500cd4ca65ae4d55314e5ceadd34a7919

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0003.exe
      Filesize

      314KB

      MD5

      617d48d250a9832865b48d565a696fba

      SHA1

      71cad04bdae0b21743c6fed69e080618003732f8

      SHA256

      ef756b45b6d465f94f914bbcad3e0e793e69bf10c737e7ca102363ad5ebd4e65

      SHA512

      fed804cfff1b53a5053fa7fb592cf6a3912f89e381427f5461e24c6a8779ec1de8b788db0c21954b720bdf3dc6383c425d4e9ae88c308202ba5063c3c1e97ce1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3502WR.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h97Lc81.exe
      Filesize

      229KB

      MD5

      c5013f742c2f23d212033ba2fab5e36a

      SHA1

      064cb4f934280ecad09b73b2eaaf180e57daf267

      SHA256

      2e8f7fb3e1f60c242e3345c0ebca7d24b4613a4f2bcc8b7aab964dfc544946bc

      SHA512

      c5c4e062a6ecef324c2070fb60daa07a40cda370634a66f35b5666d8e65041091b269b97ce3df8466b0a378d5b5a9b6d273ba5a4b9c06e3801311e35c92e1e88

      Download Submit

    • memory/3128-74-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-84-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-976-0x00000000058E0000-0x00000000059EA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3128-975-0x0000000005240000-0x0000000005858000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3128-69-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-92-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-96-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-72-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-978-0x0000000005A40000-0x0000000005A7C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3128-70-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-76-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-78-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-82-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-977-0x0000000005A20000-0x0000000005A32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3128-86-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-88-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-90-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-94-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-98-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-100-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-102-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-80-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3128-979-0x0000000005B90000-0x0000000005BDC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3128-67-0x0000000004B30000-0x0000000004B76000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3128-68-0x0000000004BF0000-0x0000000004C34000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3560-53-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-62-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/3560-60-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/3560-32-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-33-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-35-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-49-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-39-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-41-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-43-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-45-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-37-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-47-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-51-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-55-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-57-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-59-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3560-31-0x0000000002370000-0x0000000002388000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3560-30-0x0000000004BB0000-0x0000000005154000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3560-29-0x00000000008A0000-0x00000000008BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4968-23-0x00007FF92F2C3000-0x00007FF92F2C5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4968-22-0x0000000000530000-0x000000000053A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4968-21-0x00007FF92F2C3000-0x00007FF92F2C5000-memory.dmp

      Filesize

      8KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.