Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Resubmissions
25/03/2025, 15:11 UTC
250325-skmbpsxzaw 1025/03/2025, 15:06 UTC
250325-sg1d6a1px2 1025/03/2025, 15:01 UTC
250325-sd5jpsxyct 1025/03/2025, 14:56 UTC
250325-sbdcfaxxgs 1025/03/2025, 14:50 UTC
250325-r7ve6a1nv3 1025/03/2025, 14:46 UTC
250325-r5ab7sxwhx 1025/03/2025, 14:40 UTC
250325-r2c9paxwe1 1005/02/2025, 10:25 UTC
250205-mgcefaslhw 1005/02/2025, 10:17 UTC
250205-mbs51atmbk 1005/02/2025, 09:15 UTC
250205-k785zs1pfn 10Analysis
-
max time kernel
1584s -
max time network
1570s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
07/07/2024, 14:07 UTC
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral3
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral7
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral9
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral11
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral13
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral15
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral25
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral30
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral31
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral32
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20240704-en
General
-
Target
RansomwareSamples/Babik_04_01_2021_31KB.exe
-
Size
30KB
-
MD5
e10713a4a5f635767dcd54d609bed977
-
SHA1
320d799beef673a98481757b2ff7e3463ce67916
-
SHA256
8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9
-
SHA512
fed1cb7e1798ea0d131a0d4962a2b9f6c700ee3e1c9482c7837be930ce5167196ac7b1e715d9c9a5c171c349f3df3dde1a42db8e439459bc742928f9d19b38a7
-
SSDEEP
768:S4DnL4DGrUVvP917yo6Xee7amb26ZghLybmGJ87tHvg7jzTzt:SILd639NdCbXZxbytH6
Malware Config
Extracted
\Device\HarddiskVolume1\Boot\da-DK\How To Restore Your Files.txt
babuk
http://babukq4e2p4wu4iq.onion/login.php?id=8M60J4vCbbkKgM6QnA07E9qpkn0Qk7
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (1641) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation Babik_04_01_2021_31KB.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt Babik_04_01_2021_31KB.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: Babik_04_01_2021_31KB.exe File opened (read-only) \??\U: Babik_04_01_2021_31KB.exe File opened (read-only) \??\B: Babik_04_01_2021_31KB.exe File opened (read-only) \??\N: Babik_04_01_2021_31KB.exe File opened (read-only) \??\K: Babik_04_01_2021_31KB.exe File opened (read-only) \??\X: Babik_04_01_2021_31KB.exe File opened (read-only) \??\V: Babik_04_01_2021_31KB.exe File opened (read-only) \??\E: Babik_04_01_2021_31KB.exe File opened (read-only) \??\I: Babik_04_01_2021_31KB.exe File opened (read-only) \??\O: Babik_04_01_2021_31KB.exe File opened (read-only) \??\A: Babik_04_01_2021_31KB.exe File opened (read-only) \??\G: Babik_04_01_2021_31KB.exe File opened (read-only) \??\Y: Babik_04_01_2021_31KB.exe File opened (read-only) \??\M: Babik_04_01_2021_31KB.exe File opened (read-only) \??\H: Babik_04_01_2021_31KB.exe File opened (read-only) \??\J: Babik_04_01_2021_31KB.exe File opened (read-only) \??\L: Babik_04_01_2021_31KB.exe File opened (read-only) \??\Q: Babik_04_01_2021_31KB.exe File opened (read-only) \??\W: Babik_04_01_2021_31KB.exe File opened (read-only) \??\T: Babik_04_01_2021_31KB.exe File opened (read-only) \??\P: Babik_04_01_2021_31KB.exe File opened (read-only) \??\S: Babik_04_01_2021_31KB.exe File opened (read-only) \??\Z: Babik_04_01_2021_31KB.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3592 vssadmin.exe 3052 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe 5040 Babik_04_01_2021_31KB.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 4340 vssvc.exe Token: SeRestorePrivilege 4340 vssvc.exe Token: SeAuditPrivilege 4340 vssvc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 632 StartMenuExperienceHost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 5040 wrote to memory of 936 5040 Babik_04_01_2021_31KB.exe 84 PID 5040 wrote to memory of 936 5040 Babik_04_01_2021_31KB.exe 84 PID 936 wrote to memory of 3592 936 cmd.exe 86 PID 936 wrote to memory of 3592 936 cmd.exe 86 PID 5040 wrote to memory of 952 5040 Babik_04_01_2021_31KB.exe 96 PID 5040 wrote to memory of 952 5040 Babik_04_01_2021_31KB.exe 96 PID 952 wrote to memory of 3052 952 cmd.exe 98 PID 952 wrote to memory of 3052 952 cmd.exe 98 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3052
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:4884
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:632
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A204.79.197.237dual-a-0034.a-msedge.netIN A13.107.21.237
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a3158a392834c009daeee49a004bbc5&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a3158a392834c009daeee49a004bbc5&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=31B2A7767192604C3FA8B3C3707261CE; domain=.bing.com; expires=Fri, 01-Aug-2025 14:08:37 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9D90BAE93C7C419F8188DA177E920751 Ref B: LON04EDGE1121 Ref C: 2024-07-07T14:08:37Z
date: Sun, 07 Jul 2024 14:08:36 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1a3158a392834c009daeee49a004bbc5&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1a3158a392834c009daeee49a004bbc5&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=31B2A7767192604C3FA8B3C3707261CE
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=QcRvr1A_H5WW5SykdiY3nGRNB5pKmuFELnMnrnFMgIY; domain=.bing.com; expires=Fri, 01-Aug-2025 14:08:37 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5750D1E01BAB4E74AEEDCAB6BF9ACB3B Ref B: LON04EDGE1121 Ref C: 2024-07-07T14:08:37Z
date: Sun, 07 Jul 2024 14:08:37 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a3158a392834c009daeee49a004bbc5&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a3158a392834c009daeee49a004bbc5&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=31B2A7767192604C3FA8B3C3707261CE; MSPTC=QcRvr1A_H5WW5SykdiY3nGRNB5pKmuFELnMnrnFMgIY
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AA15CF1382084CC8AD5243835B36FCD0 Ref B: LON04EDGE1121 Ref C: 2024-07-07T14:08:37Z
date: Sun, 07 Jul 2024 14:08:37 GMT
-
Remote address:8.8.8.8:53Request237.197.79.204.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request20.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request101.58.20.217.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.189.79.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.189.79.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request112.245.100.95.in-addr.arpaIN PTRResponse112.245.100.95.in-addr.arpaIN PTRa95-100-245-112deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request19.211.222.173.in-addr.arpaIN PTRResponse19.211.222.173.in-addr.arpaIN PTRa173-222-211-19deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request205.47.74.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 497379
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 69F5D6E8D25344EA8E5AF702218C0768 Ref B: LON04EDGE1115 Ref C: 2024-07-07T14:32:16Z
date: Sun, 07 Jul 2024 14:32:15 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301659_1X4L46L6ILPPQI95F&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301659_1X4L46L6ILPPQI95F&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 727780
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4E2F68CA93F744DBABB9B1539AABADFE Ref B: LON04EDGE1115 Ref C: 2024-07-07T14:32:16Z
date: Sun, 07 Jul 2024 14:32:15 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 543646
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 266113C6D1984269B8F69E0840B56610 Ref B: LON04EDGE1115 Ref C: 2024-07-07T14:32:16Z
date: Sun, 07 Jul 2024 14:32:15 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301250_1MLG2SHGO160JKUMX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301250_1MLG2SHGO160JKUMX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 553950
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B7FBE4642BE54692BE40EF315853C837 Ref B: LON04EDGE1115 Ref C: 2024-07-07T14:32:16Z
date: Sun, 07 Jul 2024 14:32:15 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 468734
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 107B140174FC43C88501767FDAA642FC Ref B: LON04EDGE1115 Ref C: 2024-07-07T14:32:16Z
date: Sun, 07 Jul 2024 14:32:15 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418576_1P0LP58U9FRUO4PCP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418576_1P0LP58U9FRUO4PCP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 468841
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F2B0A638DEA146188BDFFD13C24498FA Ref B: LON04EDGE1115 Ref C: 2024-07-07T14:32:17Z
date: Sun, 07 Jul 2024 14:32:16 GMT
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
204.79.197.237:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a3158a392834c009daeee49a004bbc5&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=tls, http22.0kB 9.4kB 22 20
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a3158a392834c009daeee49a004bbc5&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1a3158a392834c009daeee49a004bbc5&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1a3158a392834c009daeee49a004bbc5&localId=w:7B26F71D-A84A-530F-BE9F-92738B34A66D&deviceId=6966568097783141&anid=HTTP Response
204 -
1.2kB 6.9kB 15 13
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239340418576_1P0LP58U9FRUO4PCP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2119.9kB 3.4MB 2471 2463
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301659_1X4L46L6ILPPQI95F&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301250_1MLG2SHGO160JKUMX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418576_1P0LP58U9FRUO4PCP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.23713.107.21.237
-
73 B 143 B 1 1
DNS Request
237.197.79.204.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
20.160.190.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
101.58.20.217.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.236.111.52.in-addr.arpa
-
142 B 145 B 2 1
DNS Request
58.189.79.40.in-addr.arpa
DNS Request
58.189.79.40.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
112.245.100.95.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
19.211.222.173.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
205.47.74.20.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize13KB
MD57c39bb1f4920be2be02ae6ad4fefd614
SHA13fe56e7fcbde259aba45ad36c95265bb0d3746ab
SHA256b5a0040ff5d4baccac5aff5b5fe8526f5846bf393ba6bc9c393f15a8a04a75ae
SHA5121af7546ca3565087412d9640a81a20e51e0cc01c9399a0f602f72593e950715ac46a32de0b9e234e352debfb967a2c00bba8b711ae8dc7cfc3935d6e78107568
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize13KB
MD5931cfaf9eaab8a1c9aaeeb81c308b20b
SHA161f5233b87497ca7db82b65cc8b7859543bf401a
SHA2568860ba65755bc59c3068fd49262d3e95050741284a1969dd9b3aa45adf152b1b
SHA512885d124cce3056bc2d4aa2669219d4b40249bb5eaec2630974763881ff3633d455582cc5a66697f96fdad2424ed7b20595c1793cd46c6b8acd5721fe3c1f53fd
-
Filesize
1KB
MD5b6e97028103bc6b18214f4b2bd0e0d23
SHA14c202c77782d55af635c28fa71b2ba58b294415e
SHA256db1c8cafdedfc4be8dd6b81aa086b998ae49ad929b8a260d4030c7b5ca373a45
SHA512214f7e9354a76f031bc3d28c6c20b3d5fafed32e5cb2d7414b7c2d185637d2f47e3538b62c722ba8b018cb3e6e3d9ff11bd6437d3f2af8eca9cd8504eb8c0f7d