Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10Redline_20...er.exe
windows7-x64
3Redline_20...er.exe
windows10-2004-x64
3Redline_20...db.dll
windows7-x64
1Redline_20...db.dll
windows10-2004-x64
1Redline_20...db.dll
windows7-x64
1Redline_20...db.dll
windows10-2004-x64
1Redline_20...ks.dll
windows7-x64
1Redline_20...ks.dll
windows10-2004-x64
1Redline_20...il.dll
windows7-x64
1Redline_20...il.dll
windows10-2004-x64
1Redline_20...ld.exe
windows7-x64
10Redline_20...ld.exe
windows10-2004-x64
10Redline_20...ub.exe
windows7-x64
10Redline_20...ub.exe
windows10-2004-x64
10Redline_20...st.exe
windows7-x64
3Redline_20...st.exe
windows10-2004-x64
3Redline_20...CF.dll
windows7-x64
1Redline_20...CF.dll
windows10-2004-x64
1Redline_20...er.exe
windows7-x64
4Redline_20...er.exe
windows10-2004-x64
4Redline_20...).docx
windows7-x64
4Redline_20...).docx
windows10-2004-x64
1Redline_20...).docx
windows7-x64
4Redline_20...).docx
windows10-2004-x64
1Redline_20...el.exe
windows7-x64
10Redline_20...el.exe
windows10-2004-x64
10Redline_20...me.exe
windows7-x64
6Redline_20...me.exe
windows10-2004-x64
6Redline_20...48.exe
windows7-x64
7Redline_20...48.exe
windows10-2004-x64
7Redline_20...ar.exe
windows7-x64
1Redline_20...ar.exe
windows10-2004-x64
1Analysis
-
max time kernel
148s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 15:23 UTC
Behavioral task
behavioral1
Sample
Redline_2021_stealer-main/Kurome.Builder/Kurome.Builder.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Redline_2021_stealer-main/Kurome.Builder/Kurome.Builder.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Redline_2021_stealer-main/Kurome.Builder/Mono.Cecil.Mdb.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Redline_2021_stealer-main/Kurome.Builder/Mono.Cecil.Mdb.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Redline_2021_stealer-main/Kurome.Builder/Mono.Cecil.Pdb.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Redline_2021_stealer-main/Kurome.Builder/Mono.Cecil.Pdb.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Redline_2021_stealer-main/Kurome.Builder/Mono.Cecil.Rocks.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Redline_2021_stealer-main/Kurome.Builder/Mono.Cecil.Rocks.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Redline_2021_stealer-main/Kurome.Builder/Mono.Cecil.dll
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
Redline_2021_stealer-main/Kurome.Builder/Mono.Cecil.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Redline_2021_stealer-main/Kurome.Builder/build.exe
Resource
win7-20241023-en
Behavioral task
behavioral12
Sample
Redline_2021_stealer-main/Kurome.Builder/build.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Redline_2021_stealer-main/Kurome.Builder/stub.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Redline_2021_stealer-main/Kurome.Builder/stub.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Redline_2021_stealer-main/Kurome.Host/Kurome.Host.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Redline_2021_stealer-main/Kurome.Host/Kurome.Host.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Redline_2021_stealer-main/Kurome.Host/Kurome.WCF.dll
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
Redline_2021_stealer-main/Kurome.Host/Kurome.WCF.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Redline_2021_stealer-main/Kurome.Loader/Kurome.Loader.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
Redline_2021_stealer-main/Kurome.Loader/Kurome.Loader.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/FAQ (English).docx
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/FAQ (English).docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/FAQ(RUS).docx
Resource
win7-20240708-en
Behavioral task
behavioral24
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/FAQ(RUS).docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/Chrome.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/Chrome.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/NetFramework48.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/NetFramework48.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/WinRar.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/WinRar.exe
Resource
win10v2004-20241007-en
General
-
Target
Redline_2021_stealer-main/Panel/RedLine_20_2/FAQ (English).docx
-
Size
30KB
-
MD5
a973ea85439ddfe86379d47e19da4dca
-
SHA1
78f60711360ddd46849d128e7a5d1b68b1d43f9f
-
SHA256
c197833a3fd69e98fbf2b02e9da232ff2867e1e684d420fd3975188c0e0e202b
-
SHA512
4a3fad33cccb15ea2d98bc30141744ba6709afec52d429ac0916aa656f4b611fdeda4b37812f0a72b90de000fc5c0f95bb445e5df67fc4ba6f93de5ce55df510
-
SSDEEP
768:oi87zWNuZn3IZElFoL+goT2Ir9259IQ+409:oi8mQnXFoigoRr9aIvX9
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1260 WINWORD.EXE 1260 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 1260 WINWORD.EXE 1260 WINWORD.EXE 1260 WINWORD.EXE 1260 WINWORD.EXE 1260 WINWORD.EXE 1260 WINWORD.EXE 1260 WINWORD.EXE 1260 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Redline_2021_stealer-main\Panel\RedLine_20_2\FAQ (English).docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1260
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request46.28.109.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestroaming.officeapps.live.comIN AResponseroaming.officeapps.live.comIN CNAMEprod.roaming1.live.com.akadns.netprod.roaming1.live.com.akadns.netIN CNAMEeur.roaming1.live.com.akadns.neteur.roaming1.live.com.akadns.netIN CNAMEneu-azsc-000.roaming.officeapps.live.comneu-azsc-000.roaming.officeapps.live.comIN CNAMEosiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.comosiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.comIN A52.109.76.243
-
Remote address:52.109.76.243:443RequestPOST /rs/RoamingSoapService.svc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
User-Agent: MS-WebServices/1.0
SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
Content-Length: 511
Host: roaming.officeapps.live.com
ResponseHTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
X-OfficeFE: RoamingFE_IN_115
X-OfficeVersion: 16.0.18228.30578
X-OfficeCluster: neu-000.roaming.officeapps.live.com
X-CorrelationId: 6c7f1847-e77c-43ec-968c-0759e80295d6
X-Powered-By: ASP.NET
Date: Sun, 10 Nov 2024 15:23:55 GMT
Content-Length: 654
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request243.76.109.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.246.116.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestmetadata.templates.cdn.office.netIN AResponsemetadata.templates.cdn.office.netIN CNAMEtemplatesmetadata.office.nettemplatesmetadata.office.netIN CNAMEtemplatesmetadata.office.net.edgekey.nettemplatesmetadata.office.net.edgekey.netIN CNAMEe26769.dscb.akamaiedge.nete26769.dscb.akamaiedge.netIN A2.22.249.39e26769.dscb.akamaiedge.netIN A2.22.249.11
-
GEThttps://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527>ype=0%2C1%2C2%2C5%2CWINWORD.EXERemote address:2.22.249.39:443RequestGET /client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527>ype=0%2C1%2C2%2C5%2C HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: metadata.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Server: Kestrel
Content-Encoding: gzip
Content-Length: 1264
Cache-Control: max-age=183561
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Requestbinaries.templates.cdn.office.netIN AResponsebinaries.templates.cdn.office.netIN CNAMEbinaries.templates.cdn.office.net.edgesuite.netbinaries.templates.cdn.office.net.edgesuite.netIN CNAMEa1847.dscg2.akamai.neta1847.dscg2.akamai.netIN A2.19.117.150a1847.dscg2.akamai.netIN A2.19.117.169
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851226.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: U+6dpJ0LhDVwOOzzdoONLg==
Last-Modified: Fri, 22 Apr 2016 16:09:43 GMT
ETag: 0x8D36AC88440C433
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 19a4e9a0-101e-0104-7797-a0f920000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp0403392701.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: 8laspQm0xsAUTSeMcDawqA==
Last-Modified: Wed, 29 Aug 2018 18:18:47 GMT
ETag: 0x8D60DDBDD02F94A
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 0e86dec0-501e-00d1-55b9-b9e8a0000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851216.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: YoYxJM3NoTXswOcieCy4iA==
Last-Modified: Fri, 22 Apr 2016 16:09:38 GMT
ETag: 0x8D36AC8813CE0D3
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 4196af4e-901e-003f-4990-2d48e6000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851217.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: UYBOJVxXMXYDn01bVcEqsg==
Last-Modified: Fri, 22 Apr 2016 16:09:38 GMT
ETag: 0x8D36AC881987151
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 0171b447-f01e-005b-359a-1db97e000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851218.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: kqgZ1DSoquosZfDMLzO7Og==
Last-Modified: Fri, 22 Apr 2016 16:09:39 GMT
ETag: 0x8D36AC881E66CE5
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 7ac92116-501e-008c-3524-b9e224000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02835233.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: xFXEvEvsng2mfE0eU+RtWg==
Last-Modified: Fri, 22 Apr 2016 16:09:25 GMT
ETag: 0x8D36AC879BBB45C
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: bcca83ea-301e-000c-1015-b91d22000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851220.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: 8Q35ApgPHVvuqWssZoQIpw==
Last-Modified: Fri, 22 Apr 2016 16:09:40 GMT
ETag: 0x8D36AC8827914A7
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: d704013f-301e-015e-1697-a09fc7000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851219.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: ae2zv4HJn+ipS7oDQIxa4Q==
Last-Modified: Fri, 22 Apr 2016 16:09:39 GMT
ETag: 0x8D36AC8822FFB6E
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: d1eac4bf-d01e-0092-5897-a00efc000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851221.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: HW+Oc6BmKkjTMgkKTIyJjw==
Last-Modified: Fri, 22 Apr 2016 16:09:40 GMT
ETag: 0x8D36AC882C4ED43
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: e4f000bb-501e-0148-0297-a06910000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851222.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: bXh7HiI9trkbaSOAYsyocg==
Last-Modified: Fri, 22 Apr 2016 16:09:41 GMT
ETag: 0x8D36AC8830E54C8
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 2bee5db1-501e-00ee-2682-b92003000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851223.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: IFr1FgTvlu8ejmAhJUH3Qg==
Last-Modified: Fri, 22 Apr 2016 16:09:41 GMT
ETag: 0x8D36AC88357BC32
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 1e858e71-b01e-0028-5118-2de1ed000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851224.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: 08kDbk4RWegysbTS6dQr8A==
Last-Modified: Fri, 22 Apr 2016 16:09:42 GMT
ETag: 0x8D36AC883A171B7
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 7a3535a8-301e-0103-55f4-b69543000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851225.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: 4DPMvHunh6L4JM4JUuV9RA==
Last-Modified: Fri, 22 Apr 2016 16:09:42 GMT
ETag: 0x8D36AC883F49D7D
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: b3f59ba9-f01e-00aa-4597-a0aa3c000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:2.19.117.150:443RequestGET /support/templates/en-us/tp02851227.cab HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.12527
X-Office-Application: 0
X-Office-Platform: Win32
X-Office-AudienceGroup: Production
X-Office-SessionId: 0E385E78-23FA-42E4-9726-AB8A0A7F131A
Host: binaries.templates.cdn.office.net
ResponseHTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Content-MD5: karb7EFxz6gpK2GEkvXvNA==
Last-Modified: Fri, 22 Apr 2016 16:09:43 GMT
ETag: 0x8D36AC8848A0495
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: c81084a1-301e-0023-0625-b910e9000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 10 Nov 2024 15:24:10 GMT
Connection: keep-alive
Access-Control-Allow-Headers: *
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Origin: *
-
Remote address:8.8.8.8:53Request39.249.22.2.in-addr.arpaIN PTRResponse39.249.22.2.in-addr.arpaIN PTRa2-22-249-39deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request150.117.19.2.in-addr.arpaIN PTRResponse150.117.19.2.in-addr.arpaIN PTRa2-19-117-150deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request75.117.19.2.in-addr.arpaIN PTRResponse75.117.19.2.in-addr.arpaIN PTRa2-19-117-75deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.173.189.20.in-addr.arpaIN PTRResponse
-
52.109.76.243:443https://roaming.officeapps.live.com/rs/RoamingSoapService.svctls, httpWINWORD.EXE1.7kB 7.7kB 11 10
HTTP Request
POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svcHTTP Response
200 -
2.22.249.39:443https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527>ype=0%2C1%2C2%2C5%2Ctls, httpWINWORD.EXE1.3kB 6.0kB 10 11
HTTP Request
GET https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.12527>ype=0%2C1%2C2%2C5%2CHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cabtls, httpWINWORD.EXE1.9kB 44.6kB 25 39
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403392701.cabtls, httpWINWORD.EXE78.9kB 2.6MB 1377 1884
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp0403392701.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851216.cabtls, httpWINWORD.EXE2.8kB 41.1kB 37 37
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851216.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cabtls, httpWINWORD.EXE2.5kB 41.5kB 33 37
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cabtls, httpWINWORD.EXE2.4kB 37.9kB 31 34
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cabtls, httpWINWORD.EXE2.1kB 55.8kB 29 47
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851220.cabtls, httpWINWORD.EXE2.3kB 39.9kB 30 35
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851220.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851219.cabtls, httpWINWORD.EXE2.6kB 38.7kB 35 35
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851219.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cabtls, httpWINWORD.EXE2.5kB 40.0kB 35 36
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cabtls, httpWINWORD.EXE1.7kB 35.9kB 21 33
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cabtls, httpWINWORD.EXE2.8kB 39.9kB 36 36
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851224.cabtls, httpWINWORD.EXE2.1kB 37.0kB 27 33
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851224.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cabtls, httpWINWORD.EXE2.4kB 39.0kB 32 35
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cabHTTP Response
200 -
2.19.117.150:443https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851227.cabtls, httpWINWORD.EXE2.5kB 39.8kB 33 36
HTTP Request
GET https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851227.cabHTTP Response
200
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
73.209.201.84.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
46.28.109.52.in-addr.arpa
-
73 B 248 B 1 1
DNS Request
roaming.officeapps.live.com
DNS Response
52.109.76.243
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
243.76.109.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
71.31.126.40.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
104.246.116.51.in-addr.arpa
-
79 B 231 B 1 1
DNS Request
metadata.templates.cdn.office.net
DNS Response
2.22.249.392.22.249.11
-
79 B 202 B 1 1
DNS Request
binaries.templates.cdn.office.net
DNS Response
2.19.117.1502.19.117.169
-
70 B 133 B 1 1
DNS Request
39.249.22.2.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
150.117.19.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
75.117.19.2.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.236.111.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
26.173.189.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD513c901eb185a0841dbb229252b3fd350
SHA152257cc734bc7bc88bd30c9f1c3c51c6f4f277ec
SHA2563693c6d60748280476c04810a35209316a5a0dba628243a9c0f7946d3de8aaed
SHA5123d98a8ca73329ce78c318a6257743b9ffc5c7e927e0f76a7c518bb73fce58a86732c5a2834630f5cd7c879549a251463a1123446336246d5cb032b8ba76ac50c