Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/12/2023, 22:53 UTC

General

  • Target

    3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe

  • Size

    1.8MB

  • MD5

    f3f907603e41a2133b2d629b9f98f372

  • SHA1

    82225d5cb4300acfa0a827cb7f40200171ca1c63

  • SHA256

    3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db

  • SHA512

    b69e6b2ca81a329672769db98abb8ca10d15bb1451ee3ef2df5ea29531285c794a4306ed26d13faca77d2e3c83f2136e3727c9d41c11ff1260cb28e1923c7a09

  • SSDEEP

    49152:o7h2DrmHMYyD2hP/MBE7zyZ+ABENWyg+hql:semHGqnM4z0+ABEMyFu

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3456
      • C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
        "C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a468E.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1856
          • C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
            "C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4404
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
              "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Writes to the Master Boot Record (MBR)
              • Checks SCSI registry key(s)
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1740
              • C:\Windows\system32\NOTEPAD.EXE
                "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1740.log
                6⤵
                • Opens file in notepad (likely ransom note)
                PID:1716
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3532
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:4224

      Network

      • flag-us
        DNS
        149.177.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        149.177.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        149.177.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        149.177.190.20.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        158.240.127.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        158.240.127.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        158.240.127.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        158.240.127.40.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        180.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        180.178.17.96.in-addr.arpa
        IN PTR
        Response
        180.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-180.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.a-0001.a-msedge.net
        g-bing-com.a-0001.a-msedge.net
        IN CNAME
        dual-a-0001.a-msedge.net
        dual-a-0001.a-msedge.net
        IN A
        204.79.197.200
        dual-a-0001.a-msedge.net
        IN A
        13.107.21.200
      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.154.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.154.82.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.154.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.154.82.20.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        241.154.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.154.82.20.in-addr.arpa
        IN PTR
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c5493a643f449bfbe17953cf0cf3015&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
        Remote address:
        204.79.197.200:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c5493a643f449bfbe17953cf0cf3015&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=27B52EC7B9F76A3928883D37B8D06BA5; domain=.bing.com; expires=Thu, 16-Jan-2025 22:53:19 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 91A74380960E4269AB1A197F6A5D5E33 Ref B: LON04EDGE0707 Ref C: 2023-12-23T22:53:19Z
        date: Sat, 23 Dec 2023 22:53:19 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c5493a643f449bfbe17953cf0cf3015&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
        Remote address:
        204.79.197.200:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c5493a643f449bfbe17953cf0cf3015&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=27B52EC7B9F76A3928883D37B8D06BA5
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=0hW9tSJ3HV-l-edjWUSIqbnKMBpSub6oBN2mo9ONoKU; domain=.bing.com; expires=Thu, 16-Jan-2025 22:53:19 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 51B48FC4BC514288BAD4E7913DC0C296 Ref B: LON04EDGE0707 Ref C: 2023-12-23T22:53:20Z
        date: Sat, 23 Dec 2023 22:53:19 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c5493a643f449bfbe17953cf0cf3015&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
        Remote address:
        204.79.197.200:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c5493a643f449bfbe17953cf0cf3015&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=27B52EC7B9F76A3928883D37B8D06BA5; MSPTC=0hW9tSJ3HV-l-edjWUSIqbnKMBpSub6oBN2mo9ONoKU
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 41F84F2730BB49D7859C725DB492E8AC Ref B: LON04EDGE0707 Ref C: 2023-12-23T22:53:20Z
        date: Sat, 23 Dec 2023 22:53:19 GMT
      • flag-us
        DNS
        43.58.199.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        43.58.199.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        86.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        86.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        86.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        86.23.85.13.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        41.110.16.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        41.110.16.96.in-addr.arpa
        IN PTR
        Response
        41.110.16.96.in-addr.arpa
        IN PTR
        a96-16-110-41.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        146.78.124.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        146.78.124.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        100.5.17.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        100.5.17.2.in-addr.arpa
        IN PTR
        Response
        100.5.17.2.in-addr.arpa
        IN PTR
        a2-17-5-100.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        119.110.54.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        119.110.54.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        18.134.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.134.221.88.in-addr.arpa
        IN PTR
        Response
        18.134.221.88.in-addr.arpa
        IN PTR
        a88-221-134-18.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        217.135.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.135.221.88.in-addr.arpa
        IN PTR
        Response
        217.135.221.88.in-addr.arpa
        IN PTR
        a88-221-135-217.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        217.135.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.135.221.88.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        217.135.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.135.221.88.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        0.205.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.205.248.87.in-addr.arpa
        IN PTR
        Response
        0.205.248.87.in-addr.arpa
        IN PTR
        https-87-248-205-0.lgw.llnw.net
      • flag-us
        DNS
        0.205.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.205.248.87.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        0.205.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.205.248.87.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        0.204.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.204.248.87.in-addr.arpa
        IN PTR
        Response
        0.204.248.87.in-addr.arpa
        IN PTR
        https-87-248-204-0.lhr.llnw.net
      • flag-us
        DNS
        0.204.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.204.248.87.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        0.204.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.204.248.87.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        174.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        174.178.17.96.in-addr.arpa
        IN PTR
        Response
        174.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-174.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        211.135.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        211.135.221.88.in-addr.arpa
        IN PTR
        Response
        211.135.221.88.in-addr.arpa
        IN PTR
        a88-221-135-211.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        211.135.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        211.135.221.88.in-addr.arpa
        IN PTR
        Response
        211.135.221.88.in-addr.arpa
        IN PTR
        a88-221-135-211.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
        Response
        tse1.mm.bing.net
        IN CNAME
        mm-mm.bing.net.trafficmanager.net
        mm-mm.bing.net.trafficmanager.net
        IN CNAME
        dual-a-0001.a-msedge.net
        dual-a-0001.a-msedge.net
        IN A
        204.79.197.200
        dual-a-0001.a-msedge.net
        IN A
        13.107.21.200
      • flag-us
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301060_1R4MHRP0LUJX09GMU&pid=21.2&w=1920&h=1080&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301060_1R4MHRP0LUJX09GMU&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 233894
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 59B769E2FCFE416C82BD76FF4BB36147 Ref B: LON04EDGE0819 Ref C: 2023-12-23T22:55:09Z
        date: Sat, 23 Dec 2023 22:55:08 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301493_1LBG6KMWNFIA52WWP&pid=21.2&w=1080&h=1920&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301493_1LBG6KMWNFIA52WWP&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 400533
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 86BD3789A2E545618AA640A0908BF054 Ref B: LON04EDGE0819 Ref C: 2023-12-23T22:55:09Z
        date: Sat, 23 Dec 2023 22:55:08 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&w=1920&h=1080&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 333210
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: E32FF85EEDEC47789B12A6E3DBBC037A Ref B: LON04EDGE0819 Ref C: 2023-12-23T22:55:09Z
        date: Sat, 23 Dec 2023 22:55:08 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301210_1O6WSVG17Q8FD2GN3&pid=21.2&w=1920&h=1080&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301210_1O6WSVG17Q8FD2GN3&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 384492
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 03D1FFE21C304996A19F24D281323D68 Ref B: LON04EDGE0819 Ref C: 2023-12-23T22:55:09Z
        date: Sat, 23 Dec 2023 22:55:08 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&w=1080&h=1920&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 405726
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: DFDA75FD4DC241349F89D360D4E388CD Ref B: LON04EDGE0819 Ref C: 2023-12-23T22:55:09Z
        date: Sat, 23 Dec 2023 22:55:08 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301619_1XBK40W4REDBFTJ48&pid=21.2&w=1080&h=1920&c=4
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239317301619_1XBK40W4REDBFTJ48&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 201688
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 094C244B7BEB4DC9B81E0CBCA48CF2AD Ref B: LON04EDGE0819 Ref C: 2023-12-23T22:55:19Z
        date: Sat, 23 Dec 2023 22:55:19 GMT
      • 204.79.197.200:443
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c5493a643f449bfbe17953cf0cf3015&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=
        tls, http2
        2.2kB
        9.7kB
        24
        20

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c5493a643f449bfbe17953cf0cf3015&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c5493a643f449bfbe17953cf0cf3015&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c5493a643f449bfbe17953cf0cf3015&localId=w:E944F1F3-CBEC-A3DA-080B-887FDBFE3333&deviceId=6896190258816330&anid=

        HTTP Response

        204
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.8kB
        8.2kB
        18
        13
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.8kB
        8.2kB
        18
        13
      • 204.79.197.200:443
        https://tse1.mm.bing.net/th?id=OADD2.10239317301619_1XBK40W4REDBFTJ48&pid=21.2&w=1080&h=1920&c=4
        tls, http2
        73.8kB
        2.1MB
        1511
        1499

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301060_1R4MHRP0LUJX09GMU&pid=21.2&w=1920&h=1080&c=4

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301493_1LBG6KMWNFIA52WWP&pid=21.2&w=1080&h=1920&c=4

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&w=1920&h=1080&c=4

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301210_1O6WSVG17Q8FD2GN3&pid=21.2&w=1920&h=1080&c=4

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&w=1080&h=1920&c=4

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301619_1XBK40W4REDBFTJ48&pid=21.2&w=1080&h=1920&c=4

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.7kB
        8.2kB
        16
        11
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.8kB
        8.2kB
        18
        13
      • 96.17.178.174:80
      • 8.8.8.8:53
        149.177.190.20.in-addr.arpa
        dns
        146 B
        159 B
        2
        1

        DNS Request

        149.177.190.20.in-addr.arpa

        DNS Request

        149.177.190.20.in-addr.arpa

      • 8.8.8.8:53
        158.240.127.40.in-addr.arpa
        dns
        146 B
        147 B
        2
        1

        DNS Request

        158.240.127.40.in-addr.arpa

        DNS Request

        158.240.127.40.in-addr.arpa

      • 8.8.8.8:53
        180.178.17.96.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        180.178.17.96.in-addr.arpa

      • 8.8.8.8:53
        g.bing.com
        dns
        168 B
        158 B
        3
        1

        DNS Request

        g.bing.com

        DNS Request

        g.bing.com

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.200
        13.107.21.200

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        241.154.82.20.in-addr.arpa
        dns
        216 B
        158 B
        3
        1

        DNS Request

        241.154.82.20.in-addr.arpa

        DNS Request

        241.154.82.20.in-addr.arpa

        DNS Request

        241.154.82.20.in-addr.arpa

      Destination   Name                          Proto  Bytes out  Bytes in  Pkts out/in  Observed traffic
      8.8.8.8:53    43.58.199.20.in-addr.arpa     dns    71 B       157 B     1 / 1        DNS Request ×1
      8.8.8.8:53    86.23.85.13.in-addr.arpa      dns    140 B      144 B     2 / 1        DNS Request ×2
      8.8.8.8:53    41.110.16.96.in-addr.arpa     dns    71 B       135 B     1 / 1        DNS Request ×1
      8.8.8.8:53    146.78.124.51.in-addr.arpa    dns    72 B       158 B     1 / 1        DNS Request ×1
      8.8.8.8:53    171.39.242.20.in-addr.arpa    dns    72 B       158 B     1 / 1        DNS Request ×1
      8.8.8.8:53    100.5.17.2.in-addr.arpa       dns    69 B       131 B     1 / 1        DNS Request ×1
      8.8.8.8:53    119.110.54.20.in-addr.arpa    dns    72 B       158 B     1 / 1        DNS Request ×1
      8.8.8.8:53    18.134.221.88.in-addr.arpa    dns    72 B       137 B     1 / 1        DNS Request ×1
      8.8.8.8:53    217.135.221.88.in-addr.arpa   dns    219 B      139 B     3 / 1        DNS Request ×3
      8.8.8.8:53    0.205.248.87.in-addr.arpa     dns    213 B      116 B     3 / 1        DNS Request ×3
      8.8.8.8:53    0.204.248.87.in-addr.arpa     dns    213 B      116 B     3 / 1        DNS Request ×3
      8.8.8.8:53    174.178.17.96.in-addr.arpa    dns    72 B       137 B     1 / 1        DNS Request ×1
      8.8.8.8:53    211.135.221.88.in-addr.arpa   dns    146 B      278 B     2 / 2        DNS Request ×2
      8.8.8.8:53    tse1.mm.bing.net              dns    124 B      173 B     2 / 1        DNS Request ×2; DNS Response: 204.79.197.200, 13.107.21.200

      No DNS Response is recorded for any of the in-addr.arpa (reverse) lookups above; the only query that returned addresses is the forward lookup of tse1.mm.bing.net.
      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize  251KB
        MD5       0c5e863b4f42e3666a8c10967ff5a592
        SHA1      b1f368bc31b28fe047ba65ff7f15646e853cccc9
        SHA256    0e47e74aeff65c1fc274fcb519c595232df39a52534e72616fbc2efdf67bfeba
        SHA512    c21bb24395feea23bd40a91a20cfdae809727c199f25654bcd47c3522c3bbc3cd8574700a1c233083608bd028304b5ef656d0869f0b322bf4d84ccbcb66b38ef

      • C:\Program Files\7-Zip\7z.exe
        Filesize  570KB
        MD5       73cfb732f08a005af2339180540e5ad0
        SHA1      56854432e6898e594b5b5923f909649756010097
        SHA256    01903b8f69d6f83a229c87d41a85ee136dc5db4da67a6c5efd2de926170d6a80
        SHA512    986c793c0e84327921548cd1a70f4e98df663e5f0cba6cd2852810d9e5a25af9fb30da0af66f6fe321fcf87fd0f3736584d2a62bf39b7daf0af2a0dd4311f9b1

      • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
        Filesize  481KB
        MD5       1db5b390daa2d070657fbdb4f5d2cc55
        SHA1      77e633e49df484b827080753514cc376749b0ceb
        SHA256    d5fbaf5c0d8e313d4dad23b28cac4256c5dbed6ab3b0d797e2971f30c5e095ad
        SHA512    68aa0152f5aae79a146c1813915fd16ec5454b285bd1781370923f97d6c147d53684192f7f4161e5c1a340959ec432ecaac127b0abe7d08f70c387e08ee4f617

      • C:\Users\Admin\AppData\Local\Temp\$$a468E.bat
        Filesize  722B
        MD5       d52baecab52332312c9cfd91c1c93b4a
        SHA1      4ef7579234b84ca39916db09e963fd357825ed3a
        SHA256    a921103c13fba602bff1ebba84c068571cc241a7ddeed5c449e3feb39cdfc546
        SHA512    39959c66eadae716e6ab6f8b9aad9622839f722eb60807e30241dd06021e52bfe3d28efb1f09a486e3f4bcdcba3dc70a369b27e3005227288a82a439af28978d

      • C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe.exe
        Filesize  1.8MB
        MD5       8df415c002de30c5503e10bebd90e589
        SHA1      ab9424620ea16ea65c031f10962eeb43d3477427
        SHA256    7f79d589c3847081988a697fc39a32bda2ef0646070d8a6bc3b0a033f9de46cd
        SHA512    68065a84ca612721483143c88c6143ba80ad3404f82313f3f5971840ae83e611dc62e6a7868031008eb1730316c87ce80a0f79209ace5e38b75800bf323eb1a3

      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz.ini
        Filesize  610B
        MD5       b1525c1c4a65d3d12038a94de6110f2e
        SHA1      93cf4da290212076e338631082fe95d03cec1051
        SHA256    72cdd3d39db6165e2c21dab00dc54dec61d26893d04f555c6a18547f0478b916
        SHA512    afa790e7661e7a9e121695040ba5eda8903ac58883ea5af216cfb01516979633d36a12febea16edac7d20cfbd6ad62bc16a40896efad139c17ae7806bad91609

      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
        Filesize  1024KB
        MD5       20ec46b2159ac4fc3e9bed18f34f4484
        SHA1      2d11657068d2d44e79574ee3bd20219cf11167f5
        SHA256    f3d775e7a7558bcc0a3af23ae2fbf2d6d0693982cd1df0b9b73b32dcd42b6805
        SHA512    7200fcaeb85dc568d496c81f2dbcfe05cbffb6250d7044e0f6404934f35cdb4cbfbe4969030c08286d98d4672c1241a8771b39e999d2a10228a14606d078448c

      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
        Filesize  722KB
        MD5       6e8a5a78cc799128941c55320f0c5614
        SHA1      e7b650ed7ae4d0c9c4c94bdde0fefd50f4f1df31
        SHA256    4d3bff8ad5b5c8aba8c09fa3ef81ec1c2c07e79d3328d1ba1cc49ffef5966a20
        SHA512    d3ed9caf4277599cb16aab29b478398741cf1f24cafd7aeea5d9cb844a2d4770da5cb05df7b2df237d3f7ce902efd49059d1b9ff4339a4cbeaf5d4cdee3e0b2b

      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
        Filesize  880KB
        MD5       e2a120c385c2a4eebf3bc4cc36316878
        SHA1      563e73e4b46fb14a6285d60df2c0d6a52e4efd27
        SHA256    5e068f88a6fb2f3a3a4a52619c56f76f037d72dde07ce45fe4650cf8eb8438b5
        SHA512    d038fd83ab608332706ace4d5caa4a2035e662e7d4f67156a6faed7996f009990d6038602795907b2a4294371ba6adf9e6bfcc80956ce2733db7140c019672f7

      • C:\Windows\Logo1_.exe
        Filesize  26KB
        MD5       fb93094f20bbc5dcb79268d23f38361c
        SHA1      516b8b78319dc3f2adbe7e4de6a4e3fba41ae76a
        SHA256    cf70d1c51b86031f36294c54caa11f02cd09e2b82fcd286240809891c7a82eff
        SHA512    ceeb1988199292d7792ebff568e7bb89f49b628e5df409432b2263752de9142f00101f2bfe1bfc44321ed7934e70a1bf02f9823be43a1ee0e7ea52c504ab3d0f

      • C:\Windows\temp\cpuz_driver_1740.log
        Filesize  2KB
        MD5       0d0332a76c5e522cfdfc593c4b48971c
        SHA1      718fed21b637f915cbae66e78ddde8ba567a89ad
        SHA256    2f67a87914f494e0f96675e31b3550ddb2c891ff0886232bdf727fe83039f285
        SHA512    fcc5d3d81a1e86b97a4fdb2a2282d010c176385026ef85ddd901288bd154fd359184ffb579fd0915a5726228b76cfbf0d77e4aa2e07a3438fa7343231db2c1c2

      • F:\$RECYCLE.BIN\S-1-5-21-1232405761-1209240240-3206092754-1000\_desktop.ini
        Filesize  10B
        MD5       7ffaa74dcf5b57082a43c17464e10782
        SHA1      c6cf002ebb82e54cb14553d044f6c61463b369a6
        SHA256    b3bfda52765f0ec02320ef68e5fca5e0d4bb61e1ec6f062430a5711a41c1be65
        SHA512    35ef0f681e44781b5dc20e179918be9dad7be2029093f9537cfe30bff888bc875ad32e6bbb59294dc36779829bab7aa6ebfac9e93c6a1ef5e4e7ddde85bb6de8

      • memory/2080-111-0x0000000000400000-0x0000000000434000-memory.dmp   Filesize 208KB
      • memory/2080-82-0x0000000000400000-0x0000000000434000-memory.dmp    Filesize 208KB
      • memory/2080-90-0x0000000000400000-0x0000000000434000-memory.dmp    Filesize 208KB
      • memory/2080-98-0x0000000000400000-0x0000000000434000-memory.dmp    Filesize 208KB
      • memory/2080-105-0x0000000000400000-0x0000000000434000-memory.dmp   Filesize 208KB
      • memory/2080-4793-0x0000000000400000-0x0000000000434000-memory.dmp  Filesize 208KB
      • memory/2080-10-0x0000000000400000-0x0000000000434000-memory.dmp    Filesize 208KB
      • memory/2080-1074-0x0000000000400000-0x0000000000434000-memory.dmp  Filesize 208KB
      • memory/2080-1238-0x0000000000400000-0x0000000000434000-memory.dmp  Filesize 208KB
      • memory/2552-8-0x0000000000400000-0x0000000000434000-memory.dmp     Filesize 208KB
      • memory/2552-0-0x0000000000400000-0x0000000000434000-memory.dmp     Filesize 208KB
      • memory/4404-18-0x0000000000400000-0x000000000042C000-memory.dmp    Filesize 176KB
      • memory/4404-83-0x0000000000400000-0x000000000042C000-memory.dmp    Filesize 176KB
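      Two details in the tables above are easy to miss when lifting indicators by hand: the same path C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe is listed three times with different sizes and hashes (the sandbox recorded three distinct contents written to that path, so each hash is its own artifact), and the dropped copy named after the sample (…db.exe.exe) does not share the submitted sample's SHA256. In the network table, every in-addr.arpa query is a reverse lookup of an IP and none of them has a recorded response. The helper below, an added example that is not tria.ge's own code or the sample's, turns these rows into checkable facts: it reverses PTR names back to the IP they ask about, separates resolved forward lookups from unanswered reverse lookups, and groups the dropped files by path so multi-hash paths and rewritten copies of the sample stand out. The data embedded in it is copied from the report (only a subset of rows); the function and class names are this example's own.

```python
"""Added example (not tria.ge code): extract checkable IOCs from the report above."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import ntpath

# Submitted sample's SHA256, copied from the report header.
SAMPLE_SHA256 = "3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db"


@dataclass(frozen=True)
class Dropped:
    path: str
    size: str
    sha256: str


# Subset of the Downloads table above, copied verbatim (memory dumps omitted).
DROPPED = [
    Dropped(r"C:\Users\Admin\AppData\Local\Temp\$$a468E.bat", "722B",
            "a921103c13fba602bff1ebba84c068571cc241a7ddeed5c449e3feb39cdfc546"),
    Dropped(r"C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe.exe",
            "1.8MB", "7f79d589c3847081988a697fc39a32bda2ef0646070d8a6bc3b0a033f9de46cd"),
    Dropped(r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe", "1024KB",
            "f3d775e7a7558bcc0a3af23ae2fbf2d6d0693982cd1df0b9b73b32dcd42b6805"),
    Dropped(r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe", "722KB",
            "4d3bff8ad5b5c8aba8c09fa3ef81ec1c2c07e79d3328d1ba1cc49ffef5966a20"),
    Dropped(r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe", "880KB",
            "5e068f88a6fb2f3a3a4a52619c56f76f037d72dde07ce45fe4650cf8eb8438b5"),
    Dropped(r"C:\Windows\Logo1_.exe", "26KB",
            "cf70d1c51b86031f36294c54caa11f02cd09e2b82fcd286240809891c7a82eff"),
    Dropped(r"F:\$RECYCLE.BIN\S-1-5-21-1232405761-1209240240-3206092754-1000\_desktop.ini", "10B",
            "b3bfda52765f0ec02320ef68e5fca5e0d4bb61e1ec6f062430a5711a41c1be65"),
]

# Three rows of the DNS table above: queried name -> addresses the sandbox saw in a response.
DNS = {
    "241.154.82.20.in-addr.arpa": [],
    "217.135.221.88.in-addr.arpa": [],
    "tse1.mm.bing.net": ["204.79.197.200", "13.107.21.200"],
}


def ptr_to_ip(name):
    """Turn a reverse-lookup name such as '241.154.82.20.in-addr.arpa' back into the
    IPv4 address it asks about ('20.82.154.241'). Returns None for anything that is
    not a full IPv4 PTR name, including zone-level names with fewer than four octets."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None  # e.g. an octet above 255


def reverse_lookups(dns):
    """IP -> whether any answer was recorded, for every PTR query in the table."""
    return {ptr_to_ip(n): bool(a) for n, a in dns.items() if ptr_to_ip(n) is not None}


def resolved_hosts(dns):
    """Forward lookups that returned addresses: the rows worth a network indicator."""
    return {n: a for n, a in dns.items() if a and ptr_to_ip(n) is None}


def paths_with_multiple_hashes(dropped):
    """Paths written more than once with different content; each hash is its own artifact."""
    seen = defaultdict(set)
    for d in dropped:
        seen[d.path].add(d.sha256)
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def sample_named_copies(dropped, sample_sha256):
    """Dropped files named after the submitted sample -> True if byte-identical to it."""
    base = sample_sha256.lower()
    return {d.path: d.sha256.lower() == base
            for d in dropped if ntpath.basename(d.path).lower().startswith(base)}


def unique_sha256(dropped):
    """Deduplicated file hashes for a blocklist or retro-hunt."""
    return sorted({d.sha256 for d in dropped})
```

      `ntpath.basename` is used rather than `os.path` so the Windows paths split correctly when the script runs on Linux. Feed `paths_with_multiple_hashes` and `unique_sha256` the full Downloads table, not the subset embedded here, when building a blocklist; a path-keyed list would silently drop two of the three cpuz_x64.exe contents.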
