Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0d378cae60...d9.exe

windows7-x64

7

0d378cae60...d9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 06:59 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d378cae60f385be83748e9d64d823d9.exe

  • Size

    506KB

  • MD5

    0d378cae60f385be83748e9d64d823d9

  • SHA1

    2908b6cd0ea103d677bdd28f20d39b6fd9b1d899

  • SHA256

    95e37b1407516365c0a7345abd128443d27bc4810866ee985cd2ca2695ce91f2

  • SHA512

    4b59a98be3508dcbbf5ecec79c5386085a6fb1092ee762ae5988e490e3e7719ca09f16ebe1bb3e3ae58688458dddb27a5c6d0546d73c54855bdf0cb0fd518661

  • SSDEEP

    12288:XCeezHRa9nSEpf+6op4lPrteJUOZenhaJbKTyduhAeRJobkHYY9h2WAWsT:VWHI9nhGz2PpeJUOwhEbcyduhAeRJ2ko

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe
    "C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:336
    • C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe
      C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe" /TN Google_Trk_Updater /F
        3⤵
        • Creates scheduled task(s)
        PID:4740

Network

  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.vxVH3WRSDc.com
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    8.8.8.8:53
    Request
    www.vxVH3WRSDc.com
    IN A
    Response
  • flag-us
    DNS
    www.vxVH3WRSDc.com
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    8.8.8.8:53
    Request
    www.vxVH3WRSDc.com
    IN A
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • flag-us
    DNS
    180.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.178.17.96.in-addr.arpa
    IN PTR
    Response
    180.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-180deploystaticakamaitechnologiescom
  • flag-us
    DNS
    w.google.com
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    8.8.8.8:53
    Request
    w.google.com
    IN A
    Response
    w.google.com
    IN CNAME
    www3.l.google.com
    www3.l.google.com
    IN A
    142.250.200.46
  • flag-us
    DNS
    w.google.com
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    8.8.8.8:53
    Request
    w.google.com
    IN A
  • flag-us
    DNS
    w.google.com
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    8.8.8.8:53
    Request
    w.google.com
    IN A
  • flag-us
    DNS
    85.177.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    85.177.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b54e45b4c0074ab88568b04ba612348a&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b54e45b4c0074ab88568b04ba612348a&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=21E28F0AA0ED6BB002DB9CFEA10D6A39; domain=.bing.com; expires=Mon, 20-Jan-2025 11:28:48 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4828A1C26BA3459FACC5DCD6B727FCF6 Ref B: LON04EDGE1014 Ref C: 2023-12-27T11:28:48Z
    date: Wed, 27 Dec 2023 11:28:47 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b54e45b4c0074ab88568b04ba612348a&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b54e45b4c0074ab88568b04ba612348a&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=21E28F0AA0ED6BB002DB9CFEA10D6A39
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=KUidlxI_lUPzuXHNaKVg7tDtVv1RUNTddVTCa4Xt3No; domain=.bing.com; expires=Mon, 20-Jan-2025 11:28:48 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A2F81C0D7DC3463497A6BF1902339B73 Ref B: LON04EDGE1014 Ref C: 2023-12-27T11:28:48Z
    date: Wed, 27 Dec 2023 11:28:47 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b54e45b4c0074ab88568b04ba612348a&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b54e45b4c0074ab88568b04ba612348a&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=21E28F0AA0ED6BB002DB9CFEA10D6A39; MSPTC=KUidlxI_lUPzuXHNaKVg7tDtVv1RUNTddVTCa4Xt3No
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 53D8B98A36D84DE28FD0D983F7C5ECA5 Ref B: LON04EDGE1014 Ref C: 2023-12-27T11:28:48Z
    date: Wed, 27 Dec 2023 11:28:47 GMT
  • flag-gb
    GET
    http://w.google.com/
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    142.250.200.46:80
    Request
    GET / HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: w.google.com
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=UTF-8
    Referrer-Policy: no-referrer
    Content-Length: 1561
    Date: Wed, 27 Dec 2023 11:28:47 GMT
  • flag-us
    DNS
    pastebin.com
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.68.143
    pastebin.com
    IN A
    172.67.34.170
    pastebin.com
    IN A
    104.20.67.143
  • flag-us
    DNS
    pastebin.com
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
  • flag-us
    DNS
    pastebin.com
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
  • flag-us
    DNS
    46.200.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    46.200.250.142.in-addr.arpa
    IN PTR
    Response
    46.200.250.142.in-addr.arpa
    IN PTR
    lhr48s30-in-f141e100net
  • flag-us
    DNS
    46.200.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    46.200.250.142.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    46.200.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    46.200.250.142.in-addr.arpa
    IN PTR
  • flag-us
    GET
    http://pastebin.com/raw/ubFNTPjt
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    104.20.68.143:80
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 27 Dec 2023 11:28:49 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Wed, 27 Dec 2023 12:28:49 GMT
    Location: https://pastebin.com/raw/ubFNTPjt
    Server: cloudflare
    CF-RAY: 83c138e5dcd96511-LHR
  • flag-us
    GET
    https://pastebin.com/raw/ubFNTPjt
    0d378cae60f385be83748e9d64d823d9.exe
    Remote address:
    104.20.68.143:443
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*, ???@, ??????????????
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Response
    HTTP/1.1 404 Not Found
    Date: Wed, 27 Dec 2023 11:28:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 1524
    Server: cloudflare
    CF-RAY: 83c139137c8f885f-LHR
  • flag-us
    DNS
    143.68.20.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    143.68.20.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    114.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.110.16.96.in-addr.arpa
    IN PTR
    Response
    114.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-114deploystaticakamaitechnologiescom
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217deploystaticakamaitechnologiescom
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
    Response
    194.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-194deploystaticakamaitechnologiescom
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301292_1GDVMD25ARDBL3246&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301292_1GDVMD25ARDBL3246&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 350429
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 385F35251E194878A835D1A5EF57D1F1 Ref B: LON04EDGE0713 Ref C: 2023-12-27T11:30:28Z
    date: Wed, 27 Dec 2023 11:30:27 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301013_1R2AO9YZ4I5BGB4K2&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301013_1R2AO9YZ4I5BGB4K2&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 242979
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8E29AEEA423045E9A650824D013F8E1C Ref B: LON04EDGE0713 Ref C: 2023-12-27T11:30:28Z
    date: Wed, 27 Dec 2023 11:30:27 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301701_11UGRWY4Y5ZEF3873&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301701_11UGRWY4Y5ZEF3873&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 220516
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FE581CC0E51D4ECF88482E3C9DDF9C8B Ref B: LON04EDGE0713 Ref C: 2023-12-27T11:30:28Z
    date: Wed, 27 Dec 2023 11:30:27 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301363_1WE6EYE966X44O8SM&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301363_1WE6EYE966X44O8SM&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 248666
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 11DDE7CCA8F144C0BCA06F6F88CC1456 Ref B: LON04EDGE0713 Ref C: 2023-12-27T11:30:28Z
    date: Wed, 27 Dec 2023 11:30:27 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301446_1EN88Z1GJDY90F0IF&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301446_1EN88Z1GJDY90F0IF&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 344167
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C4F1C9DB18974666BD78C3EE70E232F0 Ref B: LON04EDGE0713 Ref C: 2023-12-27T11:30:29Z
    date: Wed, 27 Dec 2023 11:30:28 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317300930_1B4HRW1RKZ6W0T4CC&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317300930_1B4HRW1RKZ6W0T4CC&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 382509
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 96EDE165060043FBB7ECDD0A406F6168 Ref B: LON04EDGE0713 Ref C: 2023-12-27T11:30:34Z
    date: Wed, 27 Dec 2023 11:30:34 GMT
  • flag-us
    DNS
    198.111.78.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.111.78.13.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b54e45b4c0074ab88568b04ba612348a&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    tls, http2
    2.5kB
     9.5kB
     24
    20

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b54e45b4c0074ab88568b04ba612348a&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b54e45b4c0074ab88568b04ba612348a&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b54e45b4c0074ab88568b04ba612348a&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

    HTTP Response

    204
  • 142.250.200.46:80
    http://w.google.com/
    http
    0d378cae60f385be83748e9d64d823d9.exe
    514 B
     2.3kB
     6
    5

    HTTP Request

    GET http://w.google.com/

    HTTP Response

    404
  • 104.20.68.143:80
    http://pastebin.com/raw/ubFNTPjt
    http
    0d378cae60f385be83748e9d64d823d9.exe
    474 B
     424 B
     5
    3

    HTTP Request

    GET http://pastebin.com/raw/ubFNTPjt

    HTTP Response

    301
  • 104.20.68.143:443
    https://pastebin.com/raw/ubFNTPjt
    tls, http
    0d378cae60f385be83748e9d64d823d9.exe
    1.1kB
     4.6kB
     11
    8

    HTTP Request

    GET https://pastebin.com/raw/ubFNTPjt

    HTTP Response

    404
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317300930_1B4HRW1RKZ6W0T4CC&pid=21.2&w=1920&h=1080&c=4
    tls, http2
    67.4kB
     1.9MB
     1366
    1363

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301292_1GDVMD25ARDBL3246&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301013_1R2AO9YZ4I5BGB4K2&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301701_11UGRWY4Y5ZEF3873&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301363_1WE6EYE966X44O8SM&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301446_1EN88Z1GJDY90F0IF&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317300930_1B4HRW1RKZ6W0T4CC&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    2.1kB
     8.2kB
     17
    11
  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    www.vxVH3WRSDc.com
    dns
    0d378cae60f385be83748e9d64d823d9.exe
    128 B
     137 B
     2
    1

    DNS Request

    www.vxVH3WRSDc.com

    DNS Request

    www.vxVH3WRSDc.com

  • 8.8.8.8:53
    g.bing.com
    dns
    168 B
     158 B
     3
    1

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    180.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    180.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    w.google.com
    dns
    0d378cae60f385be83748e9d64d823d9.exe
    174 B
     95 B
     3
    1

    DNS Request

    w.google.com

    DNS Request

    w.google.com

    DNS Request

    w.google.com

    DNS Response

    142.250.200.46

  • 8.8.8.8:53
    85.177.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    85.177.190.20.in-addr.arpa

  • 8.8.8.8:53
    pastebin.com
    dns
    0d378cae60f385be83748e9d64d823d9.exe
    174 B
     106 B
     3
    1

    DNS Request

    pastebin.com

    DNS Request

    pastebin.com

    DNS Request

    pastebin.com

    DNS Response

    104.20.68.143
    172.67.34.170
    104.20.67.143

  • 8.8.8.8:53
    46.200.250.142.in-addr.arpa
    dns
    219 B
     112 B
     3
    1

    DNS Request

    46.200.250.142.in-addr.arpa

    DNS Request

    46.200.250.142.in-addr.arpa

    DNS Request

    46.200.250.142.in-addr.arpa

  • 8.8.8.8:53
    143.68.20.104.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    143.68.20.104.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    114.110.16.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    114.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    146 B
     147 B
     2
    1

    DNS Request

    103.169.127.40.in-addr.arpa

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    194.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    194.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
     173 B
     1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    198.111.78.13.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    198.111.78.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0d378cae60f385be83748e9d64d823d9.exe
    Filesize

    506KB

    MD5

    1a800ba67dcdadf011170eb2cc9f4d03

    SHA1

    0f55bb6e53491eefc4d881dfc352a6406d5ca533

    SHA256

    33b074134e4e1da2bff47a41d4f24b1f9fe1ae5427728c00b086f0fde35c05c4

    SHA512

    7f656f395a500fec162609c511dab8cb5ffec1ac9d6c5ffa50d0558815be1dec76e69f878f96859a42ca2bfef66d8d41cbbde42c5d738b8ea21dc46171da9bc0

    Download Submit

  • memory/336-0-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/336-1-0x0000000001510000-0x0000000001593000-memory.dmp

    Filesize

    524KB

    Download

  • memory/336-2-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/336-11-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2252-19-0x0000000004F40000-0x0000000004FBE000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2252-20-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2252-13-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/2252-26-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.