Analysis

  • max time kernel
    298s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2023, 09:05 UTC

General

  • Target

    0x0003000000000733-166/temp.exe

  • Size

    15KB

  • MD5

    41ccf51b3a24d3e1c6c9af8b0757022f

  • SHA1

    acfc57baadd14e910d0b8da2064ed3252c7a5ae4

  • SHA256

    c91ff88ac8b096bd1a10929dd500eb7bc53622a070cd7fc1b1d541eab2d16630

  • SHA512

    3c873540ff416d7ea4b7c6b7adf225d990c3a0eb968da42f9bca385cce60986561163967ae1587f129ca60762f76b6038dc13846eb9ec28d4ad516302fe2d0e3

  • SSDEEP

    384:6FLOnmzHEiSRVtE464nnnnn1zmijBnnndITSPtp57:6ximzHDku46Omz2

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x0003000000000733-166\temp.exe
    "C:\Users\Admin\AppData\Local\Temp\0x0003000000000733-166\temp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4352
    • \??\c:\windows\System32\wermgr.exe
      c:\windows\System32\wermgr.exe
      2⤵
        PID:3176

    Network

    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      76.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      76.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      home-hsf2czcghwhjg7fh.z01.azurefd.net
      wermgr.exe
      Remote address:
      8.8.8.8:53
      Request
      home-hsf2czcghwhjg7fh.z01.azurefd.net
      IN A
      Response
      home-hsf2czcghwhjg7fh.z01.azurefd.net
      IN CNAME
      star-azurefd-prod.trafficmanager.net
      star-azurefd-prod.trafficmanager.net
      IN CNAME
      shed.dual-low.part-0020.t-0009.fdv2-t-msedge.net
      shed.dual-low.part-0020.t-0009.fdv2-t-msedge.net
      IN CNAME
      global-entry-afdthirdparty-fallback-first.trafficmanager.net
      global-entry-afdthirdparty-fallback-first.trafficmanager.net
      IN CNAME
      shed.dual-low.part-0040.t-0009.fb-t-msedge.net
      shed.dual-low.part-0040.t-0009.fb-t-msedge.net
      IN CNAME
      part-0040.t-0009.fb-t-msedge.net
      part-0040.t-0009.fb-t-msedge.net
      IN A
      13.107.253.68
      part-0040.t-0009.fb-t-msedge.net
      IN A
      13.107.226.68
    • flag-us
      GET
      https://home-hsf2czcghwhjg7fh.z01.azurefd.net/z4lC
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /z4lC HTTP/1.1
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Host: home-hsf2czcghwhjg7fh.z01.azurefd.net
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Content-Length: 296011
      Content-Type: application/octet-stream
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0YV5bZAAAAAA4PtwuOa5jQbsCSVDyyJ0zUEFSMjAxMDgwMzg1MDM1ADA4NjM0ZWU2LWJjZWQtNDUwOS04OTE3LTYwM2E2MTRjZDlhNg==
      Date: Wed, 10 May 2023 09:05:38 GMT
    • flag-us
      DNS
      68.253.107.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      68.253.107.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tasks-h8h4grdydtasfjck.z01.azurefd.net
      wermgr.exe
      Remote address:
      8.8.8.8:53
      Request
      tasks-h8h4grdydtasfjck.z01.azurefd.net
      IN A
      Response
      tasks-h8h4grdydtasfjck.z01.azurefd.net
      IN CNAME
      star-azurefd-prod.trafficmanager.net
      star-azurefd-prod.trafficmanager.net
      IN CNAME
      shed.dual-low.part-0020.t-0009.fdv2-t-msedge.net
      shed.dual-low.part-0020.t-0009.fdv2-t-msedge.net
      IN CNAME
      global-entry-afdthirdparty-fallback-first.trafficmanager.net
      global-entry-afdthirdparty-fallback-first.trafficmanager.net
      IN CNAME
      shed.dual-low.part-0040.t-0009.fb-t-msedge.net
      shed.dual-low.part-0040.t-0009.fb-t-msedge.net
      IN CNAME
      part-0040.t-0009.fb-t-msedge.net
      part-0040.t-0009.fb-t-msedge.net
      IN A
      13.107.253.68
      part-0040.t-0009.fb-t-msedge.net
      IN A
      13.107.226.68
    • flag-us
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eWlVndOUd_Vu6qcmw3SqWtSKYmxb_HOYfsPrn5glUCZ2egHDq4Uah4d_gcBpCvQnevqSzKSTTa7DEWRzq69X3PAAMDgIt7et5CV-UPhn6IpU7uCNp9KZSxflRQqWz6sKtJByxv0mW9LPDxh5-sMPG3LpUrN98D-9pRk0fOSmRLJU
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 48
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0Y15bZAAAAAAeZARTtZMIRLVdb7qX4DQCUEFSMjAxMDMxMDExMDI3AGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:05:40 GMT
    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      1.77.109.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      1.77.109.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eWlVndOUd_Vu6qcmw3SqWtSKYmxb_HOYfsPrn5glUCZ2egHDq4Uah4d_gcBpCvQnevqSzKSTTa7DEWRzq69X3PAAMDgIt7et5CV-UPhn6IpU7uCNp9KZSxflRQqWz6sKtJByxv0mW9LPDxh5-sMPG3LpUrN98D-9pRk0fOSmRLJU
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 48
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0lF5bZAAAAAAN75F5SZKmT4OsYMSr9k37UEFSMjAxMDMxMDEzMDI1AGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:06:29 GMT
    • flag-us
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eWlVndOUd_Vu6qcmw3SqWtSKYmxb_HOYfsPrn5glUCZ2egHDq4Uah4d_gcBpCvQnevqSzKSTTa7DEWRzq69X3PAAMDgIt7et5CV-UPhn6IpU7uCNp9KZSxflRQqWz6sKtJByxv0mW9LPDxh5-sMPG3LpUrN98D-9pRk0fOSmRLJU
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 80
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0wV5bZAAAAACxJBQ1kP4rTZ5OSi9kPTBeRlJBMjMxMDUwNDE5MDIxAGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:07:13 GMT
    • flag-us
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eWlVndOUd_Vu6qcmw3SqWtSKYmxb_HOYfsPrn5glUCZ2egHDq4Uah4d_gcBpCvQnevqSzKSTTa7DEWRzq69X3PAAMDgIt7et5CV-UPhn6IpU7uCNp9KZSxflRQqWz6sKtJByxv0mW9LPDxh5-sMPG3LpUrN98D-9pRk0fOSmRLJU
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 48
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0815bZAAAAAA7VZuYwiWpQLXxfESx5YbrTE9OMjEyMDUwNzEyMDE3AGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:08:03 GMT
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eWlVndOUd_Vu6qcmw3SqWtSKYmxb_HOYfsPrn5glUCZ2egHDq4Uah4d_gcBpCvQnevqSzKSTTa7DEWRzq69X3PAAMDgIt7et5CV-UPhn6IpU7uCNp9KZSxflRQqWz6sKtJByxv0mW9LPDxh5-sMPG3LpUrN98D-9pRk0fOSmRLJU
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 48
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0IV9bZAAAAADkO6AzZIuPQZj0nw1B595URlJBMjMxMDUwNDE3MDI3AGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:08:50 GMT
    • flag-us
      GET
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      wermgr.exe
      Remote address:
      13.107.253.68:443
      Request
      GET /safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7 HTTP/1.1
      Host: tasks-h8h4grdydtasfjck.z01.azurefd.net
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Cookie: REF=ID=mV4nyIHWWp5eWlVndOUd_Vu6qcmw3SqWtSKYmxb_HOYfsPrn5glUCZ2egHDq4Uah4d_gcBpCvQnevqSzKSTTa7DEWRzq69X3PAAMDgIt7et5CV-UPhn6IpU7uCNp9KZSxflRQqWz6sKtJByxv0mW9LPDxh5-sMPG3LpUrN98D-9pRk0fOSmRLJU
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: public,max-age=13089906
      Content-Length: 48
      Content-Type: application/vnd.google.safebrowsing-chunk
      Content-Encoding: gzip
      Age: 1714
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Alternate-Protocol: 80:quic
      X-Cache: CONFIG_NOCACHE
      X-Azure-Ref: 0U19bZAAAAACGv45cfx7aTozwYFyIL5ZZUEFSMjAxMDMxMDE0MDExAGU2ODE5ZThkLTU4OGItNDg4My1iY2M3LWViZDcyZWMxNzY3MA==
      Date: Wed, 10 May 2023 09:09:39 GMT
    • flag-us
      DNS
      26.178.89.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.178.89.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      assets.msn.com
      Remote address:
      8.8.8.8:53
      Request
      assets.msn.com
      IN A
      Response
      assets.msn.com
      IN CNAME
      assets.msn.com.edgekey.net
      assets.msn.com.edgekey.net
      IN CNAME
      e28578.d.akamaiedge.net
      e28578.d.akamaiedge.net
      IN A
      95.101.74.151
      e28578.d.akamaiedge.net
      IN A
      95.101.74.139
    • flag-nl
      GET
      https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=16749b0d-da0f-435a-b224-8082caf08798&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
      Remote address:
      95.101.74.151:443
      Request
      GET /serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=16749b0d-da0f-435a-b224-8082caf08798&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask HTTP/2.0
      host: assets.msn.com
      x-search-account: None
      accept-encoding: gzip, deflate
      x-device-machineid: {46CAA714-52CC-4AB9-A019-1AE3E3C36027}
      x-userageclass: Unknown
      x-bm-market: US
      x-bm-dateformat: M/d/yyyy
      x-device-ossku: 48
      x-bm-dtz: 0
      x-deviceid: 0100B2E609000CC3
      x-bm-windowsflights: FX:117B9872,FX:119E26AD,FX:11D898D7,FX:11DB147C,FX:11DE505A,FX:11E11E97,FX:11E3E2BA,FX:11E50151,FX:11E9EE98,FX:11F1992A,FX:11F4161E,FX:11F41B68,FX:11FB0F2F,FX:1201B330,FX:1202B7FC,FX:120BB68E,FX:121A20E1,FX:121BF15F,FX:121E5EC8,FX:122D8E86,FX:123031A3,FX:1231B88B,FX:123371B1,FX:1233C945,FX:123D7C31,FX:1240013C,FX:1246E4A3,FX:1248306D,FX:124B38D0,FX:1250080B,FX:125A7FDA,FX:1264FA75,FX:126DBC22,FX:127159BE,FX:12769734,FX:127C935B,FX:127DC03A,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:129135BB
      sitename: www.msn.com
      x-bm-theme: 000000;0078d7
      muid: D4EAFA4AA86940188882725C6E2EF215
      x-agent-deviceid: 0100B2E609000CC3
      x-bm-onlinesearchdisabled: true
      x-bm-cbt: 1683709821
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.2.19041; 10.0.0.0.19041.1288) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      x-device-isoptin: false
      accept-language: en-US, en
      x-device-touch: false
      x-device-clientsession: 46C99FFEF2DD41F19FE3E266B92460BE
      cookie: MUID=D4EAFA4AA86940188882725C6E2EF215
      Response
      HTTP/2.0 200
      content-type: application/json; charset=utf-8
      server: Kestrel
      access-control-allow-credentials: true
      access-control-allow-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
      access-control-allow-methods: PUT,PATCH,POST,GET,OPTIONS,DELETE
      access-control-allow-origin: *.msn.com
      access-control-expose-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
      content-encoding: gzip
      ddd-authenticatedwithjwtflow: False
      ddd-usertype: AnonymousMuid
      ddd-tmpl: partialResponse:1;Nowcast_cold:1;winbadge:1;WildFire_cold:1;SportsMatch_all:1;daucoldcap:1;lowC:0;SevereWeather_cold:1;coldStart:1;tbn:0;TeaserTemp_cold:1;TeaserVisibility_cold:1;lowT:0;coldStartUpsell:1
      x-wpo-activityid: 40AAC8AB-D9AE-4851-BBA0-F15FD8B18F98|2023-05-10T09:10:23.0260213Z|fabric:/wpo|WEU|WPO_128
      ddd-feednewsitemcount: 0
      ddd-activityid: 40aac8ab-d9ae-4851-bba0-f15fd8b18f98
      ddd-strategyexecutionlatency: 00:00:00.1818414
      ddd-debugid: 40aac8ab-d9ae-4851-bba0-f15fd8b18f98|2023-05-10T09:10:23.0313325Z|fabric:/winfeed|WEU|WinFeed_313
      onewebservicelatency: 183
      x-msedge-responseinfo: 183
      x-ceto-ref: 645b5f7e020e4f949ba215e74ba427d2|2023-05-10T09:10:22.841Z
      expires: Wed, 10 May 2023 09:10:23 GMT
      date: Wed, 10 May 2023 09:10:23 GMT
      content-length: 14494
      akamai-request-bc: [a=92.123.71.151,b=775388347,c=g,n=NL__SCHIPHOL,o=20940],[a=20.23.114.34,c=o]
      server-timing: clientrtt; dur=2, clienttt; dur=196, origin; dur=196 , cdntime; dur=0
      akamai-cache-status: Miss from child
      akamai-server-ip: 92.123.71.151
      akamai-request-id: 2e377cbb
      x-as-suppresssetcookie: 1
      cache-control: private, max-age=0
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.1}
      timing-allow-origin: *
      vary: Origin
    • flag-us
      DNS
      151.74.101.95.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      151.74.101.95.in-addr.arpa
      IN PTR
      Response
      151.74.101.95.in-addr.arpa
      IN PTR
      a95-101-74-151.deploy.static.akamaitechnologies.com
    • 13.107.253.68:443
      https://home-hsf2czcghwhjg7fh.z01.azurefd.net/z4lC
      tls, http
      wermgr.exe
      12.8kB
      314.4kB
      264
      264

      HTTP Request

      GET https://home-hsf2czcghwhjg7fh.z01.azurefd.net/z4lC

      HTTP Response

      200
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.5kB
      7.5kB
      12
      12

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 52.242.101.226:443
      260 B
      5
    • 20.189.173.5:443
      322 B
      7
    • 88.221.25.155:80
      322 B
      7
    • 173.223.113.164:443
      322 B
      7
    • 173.223.113.131:80
      322 B
      7
    • 204.79.197.203:80
      322 B
      7
    • 52.242.101.226:443
      260 B
      5
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.8kB
      7.5kB
      12
      12

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 52.242.101.226:443
      260 B
      5
    • 52.242.101.226:443
      260 B
      5
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.8kB
      7.5kB
      12
      12

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 52.242.101.226:443
      260 B
      5
    • 52.242.101.226:443
      260 B
      5
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.8kB
      7.5kB
      12
      12

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 52.242.101.226:443
      260 B
      5
    • 52.242.101.226:443
      260 B
      5
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.8kB
      7.5kB
      12
      12

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 13.107.253.68:443
      https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7
      tls, http
      wermgr.exe
      1.8kB
      7.5kB
      12
      11

      HTTP Request

      GET https://tasks-h8h4grdydtasfjck.z01.azurefd.net/safebrowsing/ugrOfixMX/bL7MkkGJlY8PYKt6avb0j7

      HTTP Response

      200
    • 95.101.74.151:443
      https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=16749b0d-da0f-435a-b224-8082caf08798&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
      tls, http2
      3.1kB
      24.3kB
      32
      31

      HTTP Request

      GET https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=16749b0d-da0f-435a-b224-8082caf08798&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask

      HTTP Response

      200
    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      76.32.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      76.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      home-hsf2czcghwhjg7fh.z01.azurefd.net
      dns
      wermgr.exe
      83 B
      348 B
      1
      1

      DNS Request

      home-hsf2czcghwhjg7fh.z01.azurefd.net

      DNS Response

      13.107.253.68
      13.107.226.68

    • 8.8.8.8:53
      68.253.107.13.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      68.253.107.13.in-addr.arpa

    • 8.8.8.8:53
      tasks-h8h4grdydtasfjck.z01.azurefd.net
      dns
      wermgr.exe
      84 B
      349 B
      1
      1

      DNS Request

      tasks-h8h4grdydtasfjck.z01.azurefd.net

      DNS Response

      13.107.253.68
      13.107.226.68

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      1.77.109.52.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      1.77.109.52.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      26.178.89.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      26.178.89.13.in-addr.arpa

    • 8.8.8.8:53
      assets.msn.com
      dns
      60 B
      166 B
      1
      1

      DNS Request

      assets.msn.com

      DNS Response

      95.101.74.151
      95.101.74.139

    • 8.8.8.8:53
      151.74.101.95.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      151.74.101.95.in-addr.arpa


    Downloads

    • memory/3176-135-0x0000029D09A60000-0x0000029D09B98000-memory.dmp

      Filesize

      1.2MB

    • memory/3176-136-0x0000029D09660000-0x0000029D09768000-memory.dmp

      Filesize

      1.0MB

    • memory/3176-137-0x0000029D07AD0000-0x0000029D07AD2000-memory.dmp

      Filesize

      8KB

    • memory/3176-138-0x0000029D09660000-0x0000029D09768000-memory.dmp

      Filesize

      1.0MB

    • memory/4352-133-0x000002A1C77C0000-0x000002A1C77C8000-memory.dmp

      Filesize

      32KB
