remcos | 63c6397f3431639ee54b68cf2837024862d699ccdc41cddf64058be91ae0b87e

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 08:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Edgeviewwebs.exe
Size

2.5MB
MD5

00c1daf7a4eb037fe33278fe676663ea
SHA1

d39aeaf8b76b6176109958653db7dbd64fa69882
SHA256

63c6397f3431639ee54b68cf2837024862d699ccdc41cddf64058be91ae0b87e
SHA512

5824bff18621563fb94bfef2742b922e5bb32d09a5b6b44415e67104dd59552b94e977b2ce3ea608728c721bd96fa256bf89f6b5892290a1346c8eee532391c1
SSDEEP

49152:cTuaAhwBhBtt49Y5t/RaSuCALkusLGZOC6c/EHXEAFJzQyMN/:cKaAh0y252SuC6kusCZjY3EAzzG/

Score

10^/10

remcos edgeweb discovery rat

Malware Config

Extracted

Family

remcos

Version

6.1.0 Light

Botnet

Edgeweb

72.5.42.161:6666

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Edg-G6MPI6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 6 IoCs

flow	pid	Process
37	2024	cmd.exe
51	2024	cmd.exe
58	2024	cmd.exe
60	2024	cmd.exe
64	2024	cmd.exe
65	2024	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
5916	Edgeviewwebs.exe
2188	TurboActivate.exe
5276	TurboActivate.exe

Loads dropped DLL 3 IoCs

pid	Process
5916	Edgeviewwebs.exe
2188	TurboActivate.exe
5276	TurboActivate.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5276 set thread context of 5108	5276	TurboActivate.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edgeviewwebs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edgeviewwebs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurboActivate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurboActivate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2188	TurboActivate.exe
5276	TurboActivate.exe
5276	TurboActivate.exe
5276	TurboActivate.exe
5108	cmd.exe
5108	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5276	TurboActivate.exe
5108	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 5916	2376	Edgeviewwebs.exe	86
PID 2376 wrote to memory of 5916	2376	Edgeviewwebs.exe	86
PID 2376 wrote to memory of 5916	2376	Edgeviewwebs.exe	86
PID 5916 wrote to memory of 2188	5916	Edgeviewwebs.exe	88
PID 5916 wrote to memory of 2188	5916	Edgeviewwebs.exe	88
PID 5916 wrote to memory of 2188	5916	Edgeviewwebs.exe	88
PID 2188 wrote to memory of 5276	2188	TurboActivate.exe	89
PID 2188 wrote to memory of 5276	2188	TurboActivate.exe	89
PID 2188 wrote to memory of 5276	2188	TurboActivate.exe	89
PID 5276 wrote to memory of 5108	5276	TurboActivate.exe	90
PID 5276 wrote to memory of 5108	5276	TurboActivate.exe	90
PID 5276 wrote to memory of 5108	5276	TurboActivate.exe	90
PID 5276 wrote to memory of 5108	5276	TurboActivate.exe	90
PID 5108 wrote to memory of 2024	5108	cmd.exe	98
PID 5108 wrote to memory of 2024	5108	cmd.exe	98
PID 5108 wrote to memory of 2024	5108	cmd.exe	98
PID 5108 wrote to memory of 2024	5108	cmd.exe	98
PID 5108 wrote to memory of 2024	5108	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\Edgeviewwebs.exe
"C:\Users\Admin\AppData\Local\Temp\Edgeviewwebs.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\TEMP\{BFA67B5D-9344-4CA3-A430-DE8B481F2429}\.cr\Edgeviewwebs.exe
  "C:\Windows\TEMP\{BFA67B5D-9344-4CA3-A430-DE8B481F2429}\.cr\Edgeviewwebs.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Edgeviewwebs.exe" -burn.filehandle.attached=664 -burn.filehandle.self=624
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5916
- - C:\Windows\TEMP\{801F021D-9BDB-4503-98AE-42A8E1D48904}\.ba\TurboActivate.exe
    C:\Windows\TEMP\{801F021D-9BDB-4503-98AE-42A8E1D48904}\.ba\TurboActivate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Users\Admin\AppData\Roaming\CJRMake_test\TurboActivate.exe
      C:\Users\Admin\AppData\Roaming\CJRMake_test\TurboActivate.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:5276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:2024

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5b4b6bc298c140fe95a322646b981f27&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5b4b6bc298c140fe95a322646b981f27&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3D87A66E926A6F192AABB3D893E16EEE; domain=.bing.com; expires=Wed, 15-Apr-2026 08:05:50 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 72F6BB99E94E48EE83AD79140F40856A Ref B: FRA31EDGE0407 Ref C: 2025-03-21T08:05:50Z
date: Fri, 21 Mar 2025 08:05:50 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5b4b6bc298c140fe95a322646b981f27&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5b4b6bc298c140fe95a322646b981f27&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3D87A66E926A6F192AABB3D893E16EEE

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=SyFkiyJc_b02u8oiREsDN_hYmKoquj1FEjedaJjbeG8; domain=.bing.com; expires=Wed, 15-Apr-2026 08:05:50 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7FD7C1804AC5430BB6F6F0A04C6FC79E Ref B: FRA31EDGE0407 Ref C: 2025-03-21T08:05:50Z
date: Fri, 21 Mar 2025 08:05:50 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5b4b6bc298c140fe95a322646b981f27&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5b4b6bc298c140fe95a322646b981f27&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3D87A66E926A6F192AABB3D893E16EEE; MSPTC=SyFkiyJc_b02u8oiREsDN_hYmKoquj1FEjedaJjbeG8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 71933717F03C4E04AC3C6108CF64D33A Ref B: FRA31EDGE0407 Ref C: 2025-03-21T08:05:50Z
date: Fri, 21 Mar 2025 08:05:50 GMT
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239359734403_1QUIFQSNPPFE4TECL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239359734403_1QUIFQSNPPFE4TECL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 737279
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AC8CC4E275F54205A879432751A3AFEC Ref B: FRA31EDGE0220 Ref C: 2025-03-21T08:05:51Z
date: Fri, 21 Mar 2025 08:05:50 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388256_1NC516VFMSDKOTW4Z&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388256_1NC516VFMSDKOTW4Z&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 561868
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 75E814774F62459C979993ED9A736598 Ref B: FRA31EDGE0220 Ref C: 2025-03-21T08:05:51Z
date: Fri, 21 Mar 2025 08:05:50 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239359734404_1RBLA5UG5KRWGU20H&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239359734404_1RBLA5UG5KRWGU20H&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 640820
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1C0E0335E23C4DE88FC0251D33087C88 Ref B: FRA31EDGE0220 Ref C: 2025-03-21T08:05:51Z
date: Fri, 21 Mar 2025 08:05:50 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 818456
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CA7ADDB697C4496EAFD5FFCEF8B18BA7 Ref B: FRA31EDGE0220 Ref C: 2025-03-21T08:05:51Z
date: Fri, 21 Mar 2025 08:05:50 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 405350
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8444528194DC46B2A0722D4BDB21A217 Ref B: FRA31EDGE0220 Ref C: 2025-03-21T08:05:51Z
date: Fri, 21 Mar 2025 08:05:50 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388257_1DVLSFA5DUTUMWBF0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388257_1DVLSFA5DUTUMWBF0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 620416
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DC2DF7A572374989804FD07649331F6F Ref B: FRA31EDGE0220 Ref C: 2025-03-21T08:05:51Z
date: Fri, 21 Mar 2025 08:05:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 442929
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5B6302A2287E4C82A56E7D1E03436B0D Ref B: FRA31EDGE0220 Ref C: 2025-03-21T08:05:51Z
date: Fri, 21 Mar 2025 08:05:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 688331
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E05728E6C12347AAB9B689E318324F27 Ref B: FRA31EDGE0220 Ref C: 2025-03-21T08:05:51Z
date: Fri, 21 Mar 2025 08:05:51 GMT
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.180.3
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.180.3:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Fri, 21 Mar 2025 07:29:32 GMT
Expires: Fri, 21 Mar 2025 08:19:32 GMT
Age: 2238
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5b4b6bc298c140fe95a322646b981f27&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

tls, http2

2.0kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5b4b6bc298c140fe95a322646b981f27&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5b4b6bc298c140fe95a322646b981f27&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5b4b6bc298c140fe95a322646b981f27&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

189.7kB
5.1MB
3681
3670

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239359734403_1QUIFQSNPPFE4TECL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388256_1NC516VFMSDKOTW4Z&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239359734404_1RBLA5UG5KRWGU20H&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388257_1DVLSFA5DUTUMWBF0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418573_1OCPZP6XQOXA94H84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418574_15LZ4V0VK97RULTEQ&pid=21.2&c=3&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
72.5.42.161:6666

cmd.exe

260 B
5
72.5.42.161:6666

cmd.exe

260 B
5
142.250.180.3:80

http://c.pki.goog/r/r1.crl

http

384 B
355 B
4
3

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304
72.5.42.161:6666

cmd.exe

260 B
5
72.5.42.161:6666

cmd.exe

260 B
5
72.5.42.161:6666

cmd.exe

260 B
5
72.5.42.161:6666

cmd.exe

208 B
4

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.180.3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbb6ba99

Filesize
1.1MB

MD5
348daffc404662be365a7d6016aa8375

SHA1
6f4bf70b47e72621bfeef83d3c0750b640b3cf51

SHA256
ee991c54fb7edc10dff399fe52046ce7308086c31f29d1e42e27509001e5bc3b

SHA512
ee33bcc1b655d84fc5eaeb0fc75d819ebf5842ffd2f0f12ded6756f29421aa4de91b10b5abf8f5a9afac60619befc05a987e112491abc80bde87f20a35fc8a32

Download Submit
C:\Windows\TEMP\{801F021D-9BDB-4503-98AE-42A8E1D48904}\.ba\chlamydia.ai

Filesize
907KB

MD5
9d6d7d788162b2545aedd074d3ed4934

SHA1
18d0ebfae375635ae30e819ecf2bae2a258bfbc3

SHA256
a75af108cbdaad909b209bef6689ba3c5bbe1fb4cad84b957fdf759ad54b9601

SHA512
4b8dfe1ab018d500f5424284650356682eb2bca12126379b60616be7c9c65fc0ecef03c4b138d2976a72ba466476276e96be190dd893c826be42bbc8f8e02dc6

Download Submit
C:\Windows\Temp\{801F021D-9BDB-4503-98AE-42A8E1D48904}\.ba\Decennary.dll

Filesize
626KB

MD5
77435ab4fc2663f5c0b010234bd48daa

SHA1
d772bf675e3db41ec83d49e5a92d2fa176da921e

SHA256
cdfa16d810a6616418b8332a46302ac220ff18fd3f0d5aa559447ef1ee752791

SHA512
d589621cddc629700025c7a5190feb2394c0db33b77aef122b8e666cac8fc5b02cf971adb43d712158fa1805b9a58f81aa0da99578dbe4c42dc73d0a2a9480b1

Download Submit
C:\Windows\Temp\{801F021D-9BDB-4503-98AE-42A8E1D48904}\.ba\TurboActivate.dll

Filesize
1.1MB

MD5
6eb71453c1fa92a1da76de9900dabd2e

SHA1
621d709365de5162353314ff29ef94eebd44b022

SHA256
e20c675dffa04b43dd782d97066394a58b48f4c56f0656196240b1fa866d2876

SHA512
3bc5b8c125eba4e9f15c48127e945ec39e62dc7c95b53f9349e1d78669a83409a844d5f14d0b0d41512af20f474aa75b54615d862eb0faa0f11a0c429b85c2cc

Download Submit
C:\Windows\Temp\{801F021D-9BDB-4503-98AE-42A8E1D48904}\.ba\TurboActivate.exe

Filesize
286KB

MD5
d9c75a5749132d77ae709c5eae6fe9dd

SHA1
0142e7c95d4e5a691160d3330fdb626e196715a3

SHA256
5a4a4aeba559b86db6d95eacc289ad27f84749e35cb51587d26355bf7732548a

SHA512
56b4971ecd595f2198557204eeeaf05e465c31728e2df776202199e28668c42344a7e0f52b191604b45ea0ebaa4fe050b97c7243a5f809a42c5e322f74326975

Download Submit
C:\Windows\Temp\{801F021D-9BDB-4503-98AE-42A8E1D48904}\.ba\dyskinesia.iso

Filesize
69KB

MD5
70517f819f81588a8e3ca18cddab71ab

SHA1
b3597b602ed1923c6c8f32cf45ca4aea29c970fb

SHA256
d83ca7bf0b198887864fe314561128bb1955105ebb75929a26cfecdac00758b0

SHA512
67cec4435a0aba475725df6b3145ba128bf444722aa4c142624dd15e110f9dd0d297d07db7b26b08ca815d92bef23c84eca5dda5838f217299ef87a5f86d59a6

Download Submit
C:\Windows\Temp\{BFA67B5D-9344-4CA3-A430-DE8B481F2429}\.cr\Edgeviewwebs.exe

Filesize
2.4MB

MD5
cda7e99fccff66f8c74e095b8a68ce3c

SHA1
8f18edaaae0193ccee9b8fe0ad8187238ca199b9

SHA256
11c9aa66f47deedddb7c37bcd2e4eeab947336cd6084a4996511dca48f92a368

SHA512
f08bbe26b9266767424060881f92049a10d37f94edac809edde2af32f52d3581a1c07055d4e18cd8eef7699b7c4ad95f1c21b50ac43d0378d1be3d462ee12887

Download Submit
memory/2024-53-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-55-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-59-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-58-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-57-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-56-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-54-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-45-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-47-0x00007FFF69030000-0x00007FFF69225000-memory.dmp

Filesize
2.0MB

Download
memory/2024-48-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-49-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-50-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-51-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2024-52-0x0000000000F10000-0x0000000000F87000-memory.dmp

Filesize
476KB

Download
memory/2188-19-0x0000000074110000-0x000000007428B000-memory.dmp

Filesize
1.5MB

Download
memory/2188-20-0x00007FFF69030000-0x00007FFF69225000-memory.dmp

Filesize
2.0MB

Download
memory/5108-40-0x0000000074110000-0x000000007428B000-memory.dmp

Filesize
1.5MB

Download
memory/5108-37-0x00007FFF69030000-0x00007FFF69225000-memory.dmp

Filesize
2.0MB

Download
memory/5276-32-0x0000000074110000-0x000000007428B000-memory.dmp

Filesize
1.5MB

Download
memory/5276-34-0x0000000074110000-0x000000007428B000-memory.dmp

Filesize
1.5MB

Download
memory/5276-33-0x00007FFF69030000-0x00007FFF69225000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.