Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/01/2024, 04:46 UTC

General

  • Target
    5f4371e9fcc21652c9fb3867f64d4941.exe
  • Size
    4.5MB
  • MD5
    5f4371e9fcc21652c9fb3867f64d4941
  • SHA1
    a19d69302a3993f2aca91d73bdc128e47b6ce174
  • SHA256
    9397e1a3bd7e94ae5213d8dc4edef5e73fe8c6f0306196a1ffae832a3976e9ac
  • SHA512
    3c736528fd01383b6fb37a30b306ccd0cfa6b2129cea650263d0a5488e1052c6348acac115ad394c7c70b647d42dc55f4811bd2321b11c3c4c6a37f9c8d21536
  • SSDEEP
    98304:QDC5jNxoKkMBuu/KJmiuK3gqLkWSTGHVs49M4dm8:YCj6KPBuh8XUgqLXHLM4dD

Malware Config

Signatures

  • Detect Socks5Systemz Payload 3 IoCs
  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f4371e9fcc21652c9fb3867f64d4941.exe
    "C:\Users\Admin\AppData\Local\Temp\5f4371e9fcc21652c9fb3867f64d4941.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp" /SL5="$8022C,4446766,54272,C:\Users\Admin\AppData\Local\Temp\5f4371e9fcc21652c9fb3867f64d4941.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe
        "C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe" -i
        3⤵
        • Executes dropped EXE
        PID:2672
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" helpmsg 1103
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1704
      • C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe
        "C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe" -s
        3⤵
        • Executes dropped EXE
        PID:4848
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 helpmsg 1103
    1⤵
      PID:3536

    Network

    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      72.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      72.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=29DDAB97474463B00EE2BF9446FF6290; domain=.bing.com; expires=Tue, 04-Feb-2025 04:46:11 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 405EAB6ABC994197BFCE6E857C159A64 Ref B: LON04EDGE0918 Ref C: 2024-01-11T04:46:11Z
      date: Thu, 11 Jan 2024 04:46:11 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=29DDAB97474463B00EE2BF9446FF6290
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=fDxOAyMWZgCgbxoAVaLi86IPlgVXoAwR9nMZ1i0b_Jg; domain=.bing.com; expires=Tue, 04-Feb-2025 04:46:11 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: AABF031B92634AC1B0166E48D6B3CFC9 Ref B: LON04EDGE0918 Ref C: 2024-01-11T04:46:11Z
      date: Thu, 11 Jan 2024 04:46:11 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=29DDAB97474463B00EE2BF9446FF6290; MSPTC=fDxOAyMWZgCgbxoAVaLi86IPlgVXoAwR9nMZ1i0b_Jg
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1A15026658594F9492F52641B4F901AA Ref B: LON04EDGE0918 Ref C: 2024-01-11T04:46:11Z
      date: Thu, 11 Jan 2024 04:46:11 GMT
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      146.78.124.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      146.78.124.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      194.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      194.178.17.96.in-addr.arpa
      IN PTR
      Response
      194.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-194.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      9.228.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.228.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
      Response
      41.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-41.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      208.194.73.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      208.194.73.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.241.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.241.123.92.in-addr.arpa
      IN PTR
      Response
      104.241.123.92.in-addr.arpa
      IN PTR
      a92-123-241-104.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      158.240.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      158.240.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      119.110.54.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      119.110.54.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      176.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      176.178.17.96.in-addr.arpa
      IN PTR
      Response
      176.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-176.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      211.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      211.135.221.88.in-addr.arpa
      IN PTR
      Response
      211.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-211.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      43.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      43.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 467227
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4CDDF70198D84306A0B323813E54CC67 Ref B: LON04EDGE1017 Ref C: 2024-01-11T04:47:47Z
      date: Thu, 11 Jan 2024 04:47:46 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418587_1WAY0EU9WVN81W6N5&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340418587_1WAY0EU9WVN81W6N5&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 506638
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: A77DAAB585D64F1FA0D9EF2138D2CFA3 Ref B: LON04EDGE1017 Ref C: 2024-01-11T04:47:47Z
      date: Thu, 11 Jan 2024 04:47:46 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 490296
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E9C546D9984B4CF6A9126D14EF9DECFE Ref B: LON04EDGE1017 Ref C: 2024-01-11T04:47:47Z
      date: Thu, 11 Jan 2024 04:47:46 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 492518
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 67B24F01899F4080A11A9B429AB64A31 Ref B: LON04EDGE1017 Ref C: 2024-01-11T04:47:47Z
      date: Thu, 11 Jan 2024 04:47:46 GMT
    • flag-de
      DNS
      bxtqibj.com
      dvdreportviewer.exe
      Remote address:
      45.155.250.90:53
      Request
      bxtqibj.com
      IN A
      Response
      bxtqibj.com
      IN A
      185.196.8.22
    • flag-de
      DNS
      bxtqibj.com
      dvdreportviewer.exe
      Remote address:
      45.155.250.90:53
      Request
      bxtqibj.com
      IN A
    • flag-de
      DNS
      bxtqibj.com
      dvdreportviewer.exe
      Remote address:
      45.155.250.90:53
      Request
      bxtqibj.com
      IN A
    • flag-us
      DNS
      90.250.155.45.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      90.250.155.45.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      90.250.155.45.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      90.250.155.45.in-addr.arpa
      IN PTR
      Response
    • flag-us
      GET
      http://bxtqibj.com/click/?counter=de7ef49b2c006853fb383429300ff01132ad1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f578166429e2f834798823d2b6c47a3377425879a663bdccd82385b558fdf0ffd19cada5c
      dvdreportviewer.exe
      Remote address:
      185.196.8.22:80
      Request
      GET /click/?counter=de7ef49b2c006853fb383429300ff01132ad1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f578166429e2f834798823d2b6c47a3377425879a663bdccd82385b558fdf0ffd19cada5c HTTP/1.1
      Host: bxtqibj.com
      User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.20.1
      Date: Thu, 11 Jan 2024 04:48:15 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/7.4.33
    • flag-us
      DNS
      22.8.196.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.8.196.185.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      22.8.196.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.8.196.185.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      22.8.196.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.8.196.185.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      14.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.173.189.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.200:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      tls, http2
      2.0kB
      9.4kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e1979bc4cb684a6cb6b893da0a29169c&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

      HTTP Response

      204
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.209:80
      92 B
      40 B
      2
      1
    • 96.17.178.209:80
      184 B
      4.9kB
      4
      5
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 96.17.178.176:80
    • 20.223.36.55:443
    • 88.221.134.32:80
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 96.17.178.176:80
    • 88.221.134.32:80
    • 88.221.134.32:80
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 93.184.221.240:80
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.3kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.3kB
      8.3kB
      17
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.3kB
      8.3kB
      17
      14
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4
      tls, http2
      72.3kB
      2.0MB
      1500
      1496

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418587_1WAY0EU9WVN81W6N5&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418588_1PJ4HLSB51V9JOSDD&pid=21.2&w=1920&h=1080&c=4

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200
    • 185.196.8.22:80
      http://bxtqibj.com/click/?counter=de7ef49b2c006853fb383429300ff01132ad1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f578166429e2f834798823d2b6c47a3377425879a663bdccd82385b558fdf0ffd19cada5c
      http
      dvdreportviewer.exe
      535 B
      352 B
      5
      3

      HTTP Request

      GET http://bxtqibj.com/click/?counter=de7ef49b2c006853fb383429300ff01132ad1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f578166429e2f834798823d2b6c47a3377425879a663bdccd82385b558fdf0ffd19cada5c

      HTTP Response

      200
    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      72.32.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      72.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      158 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      146.78.124.51.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      146.78.124.51.in-addr.arpa

    • 8.8.8.8:53
      194.178.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      194.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      9.228.82.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      9.228.82.20.in-addr.arpa

    • 8.8.8.8:53
      41.110.16.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      41.110.16.96.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      208.194.73.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      208.194.73.20.in-addr.arpa

    • 8.8.8.8:53
      104.241.123.92.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      104.241.123.92.in-addr.arpa

    • 8.8.8.8:53
      158.240.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      158.240.127.40.in-addr.arpa

    • 8.8.8.8:53
      119.110.54.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      119.110.54.20.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      56.126.166.20.in-addr.arpa

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      176.178.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      176.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      211.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      211.135.221.88.in-addr.arpa

    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
    • 8.8.8.8:53
      43.229.111.52.in-addr.arpa
      dns
      144 B
      316 B
      2
      2

      DNS Request

      43.229.111.52.in-addr.arpa

      DNS Request

      43.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      124 B
      346 B
      2
      2

      DNS Request

      tse1.mm.bing.net

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

      DNS Response

      204.79.197.200
      13.107.21.200

    • 45.155.250.90:53
      bxtqibj.com
      dns
      dvdreportviewer.exe
      171 B
      84 B
      3
      1

      DNS Request

      bxtqibj.com

      DNS Request

      bxtqibj.com

      DNS Request

      bxtqibj.com

      DNS Response

      185.196.8.22

    • 8.8.8.8:53
      90.250.155.45.in-addr.arpa
      dns
      144 B
      270 B
      2
      2

      DNS Request

      90.250.155.45.in-addr.arpa

      DNS Request

      90.250.155.45.in-addr.arpa

    • 8.8.8.8:53
      22.8.196.185.in-addr.arpa
      dns
      213 B
      148 B
      3
      1

      DNS Request

      22.8.196.185.in-addr.arpa

      DNS Request

      22.8.196.185.in-addr.arpa

      DNS Request

      22.8.196.185.in-addr.arpa

    • 8.8.8.8:53
      14.173.189.20.in-addr.arpa
      dns
      144 B
      316 B
      2
      2

      DNS Request

      14.173.189.20.in-addr.arpa

      DNS Request

      14.173.189.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe

      Filesize

      1024KB

      MD5

      6dd32bf998ded90dbb75fd9adc21e861

      SHA1

      d9ee6ca1688fe0e563ddc6a945798d8a04c50f77

      SHA256

      bb95d78447bb10869a3cad272392b42ea83b7d78d903fe00d81c0ac9ae2e2fb6

      SHA512

      c12a76f26301111503e78ce2c9daf80d66cbf8e61905200bc0b0b29905028bfd6111e2c16c69fff3762096ba752a317ca30603eb05e2c0b3ebb10650de5c8951

    • C:\Users\Admin\AppData\Local\DVD Drive report viewer\dvdreportviewer.exe

      Filesize

      832KB

      MD5

      7b5c1a7d9fc6b0fef2be24cc0990f8b1

      SHA1

      45932467c4ec8617d41a86d76e5d7d931f96ccea

      SHA256

      059bd0590b1b6e0497d342c2f64a0f0348e492a5cf7e02190301ab0bbbe94cce

      SHA512

      38c6baf40629beb564943ce680dd5d2136d5352b3d65fd6aff823b235ca28cfc851ee092ea378cf019c631efc276f1feb4ae4278efc71d1392af79a6b7af26b1

    • C:\Users\Admin\AppData\Local\Temp\is-OLND5.tmp\_isetup\_iscrypt.dll

      Filesize

      2KB

      MD5

      a69559718ab506675e907fe49deb71e9

      SHA1

      bc8f404ffdb1960b50c12ff9413c893b56f2e36f

      SHA256

      2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

      SHA512

      e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

    • C:\Users\Admin\AppData\Local\Temp\is-OLND5.tmp\_isetup\_isdecmp.dll

      Filesize

      13KB

      MD5

      a813d18268affd4763dde940246dc7e5

      SHA1

      c7366e1fd925c17cc6068001bd38eaef5b42852f

      SHA256

      e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

      SHA512

      b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

    • C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp

      Filesize

      111KB

      MD5

      809465a767988f3342e7028154fb1589

      SHA1

      85abaa8c4e80931562dc9b93f2c63b05e9c76970

      SHA256

      3c57cdd6f778e883f220be4483a9971970c9e7a3519bb7fdad219d8669e4fc2b

      SHA512

      51cb9c7d83c9ea18a02da6178ca3fc3e738985289b700e5d3677d307c378bc7638ad5b87df382503fede706e892dfa3d70a62751003d082e1c278c6c5a5195d0

    • C:\Users\Admin\AppData\Local\Temp\is-SSR65.tmp\5f4371e9fcc21652c9fb3867f64d4941.tmp

      Filesize

      688KB

      MD5

      a7662827ecaeb4fc68334f6b8791b917

      SHA1

      f93151dd228d680aa2910280e51f0a84d0cad105

      SHA256

      05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

      SHA512

      e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

    • memory/1928-134-0x00000000007A0000-0x00000000007A1000-memory.dmp

      Filesize

      4KB

    • memory/1928-132-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

    • memory/1928-13-0x00000000007A0000-0x00000000007A1000-memory.dmp

      Filesize

      4KB

    • memory/2672-121-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/2672-125-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/2672-126-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/2672-122-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4312-0-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/4312-2-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/4312-131-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/4848-133-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-153-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-128-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-137-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-138-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-141-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-144-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-147-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-154-0x0000000000880000-0x0000000000922000-memory.dmp

      Filesize

      648KB

    • memory/4848-130-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-148-0x0000000000880000-0x0000000000922000-memory.dmp

      Filesize

      648KB

    • memory/4848-157-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-160-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-161-0x0000000000880000-0x0000000000922000-memory.dmp

      Filesize

      648KB

    • memory/4848-164-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-167-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-170-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-173-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-177-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB

    • memory/4848-180-0x0000000000400000-0x00000000005C9000-memory.dmp

      Filesize

      1.8MB