Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    1744s
  • max time network
    1798s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/07/2024, 09:33 UTC

General

  • Target

    windows.ps1

  • Size

    467B

  • MD5

    63f6c82077c4c39d6d9101409b16a668

  • SHA1

    09d1960993c90f39607f437a2106b65db7aeae29

  • SHA256

    18284686feab2a0753bd0059a64004d8b86bb47048065cba12d323efbb6cc891

  • SHA512

    3bbf47af04fae3e7fd921bf1319e652c879d6132d4ea495cb7d6f47a38b9a4fb09f7be4af14c2d0c7357febd893c16639268dc82ec3b9194d0d4dc54723e1a34

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4884
    • C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe
      "C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe" -a verus -o stratum+tcp://de.vipor.net:5040 -u RHACKERwSVgjTvV4vNiTjmrkLTD7a92ALD.Windows -p x -t 2
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:3940

    Network

    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7b432bc62f6c418487e45ff331f61049&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
      Remote address:
      13.107.21.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7b432bc62f6c418487e45ff331f61049&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=137444ECC9766C050345502FC8966D64; domain=.bing.com; expires=Fri, 15-Aug-2025 16:34:38 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D88FDBB84E184A4FAE500E883A935A8B Ref B: LON04EDGE1115 Ref C: 2024-07-21T16:34:38Z
      date: Sun, 21 Jul 2024 16:34:38 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7b432bc62f6c418487e45ff331f61049&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
      Remote address:
      13.107.21.237:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7b432bc62f6c418487e45ff331f61049&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=137444ECC9766C050345502FC8966D64
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=eXxgYmRnc5jzz5-jZxr6cca5Fc7ebRocqaOhWewdWk8; domain=.bing.com; expires=Fri, 15-Aug-2025 16:34:38 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F819D5F49C144358ADB7B042CEFE732B Ref B: LON04EDGE1115 Ref C: 2024-07-21T16:34:38Z
      date: Sun, 21 Jul 2024 16:34:38 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7b432bc62f6c418487e45ff331f61049&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
      Remote address:
      13.107.21.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7b432bc62f6c418487e45ff331f61049&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=137444ECC9766C050345502FC8966D64; MSPTC=eXxgYmRnc5jzz5-jZxr6cca5Fc7ebRocqaOhWewdWk8
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: DA372826A6164EEDB881288D2EEF66BD Ref B: LON04EDGE1115 Ref C: 2024-07-21T16:34:38Z
      date: Sun, 21 Jul 2024 16:34:38 GMT
    • flag-us
      DNS
      183.142.211.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.142.211.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      20.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      20.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      raw.githubusercontent.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      raw.githubusercontent.com
      IN A
      Response
      raw.githubusercontent.com
      IN A
      185.199.111.133
      raw.githubusercontent.com
      IN A
      185.199.110.133
      raw.githubusercontent.com
      IN A
      185.199.109.133
      raw.githubusercontent.com
      IN A
      185.199.108.133
    • flag-us
      GET
      https://raw.githubusercontent.com/MomboteQ/mining-scripts/main/verus/ccminer-win.zip
      powershell.exe
      Remote address:
      185.199.111.133:443
      Request
      GET /MomboteQ/mining-scripts/main/verus/ccminer-win.zip HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
      Host: raw.githubusercontent.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 1412223
      Cache-Control: max-age=300
      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
      Content-Type: application/zip
      ETag: "19ccc6d11b3c33e877316ccc6d2b2e4b2ed7138fc831e088812c7f6a799d516d"
      Strict-Transport-Security: max-age=31536000
      X-Content-Type-Options: nosniff
      X-Frame-Options: deny
      X-XSS-Protection: 1; mode=block
      X-GitHub-Request-Id: 3DA2:13AA55:15BD17:1C187B:669D103D
      Accept-Ranges: bytes
      Date: Sun, 21 Jul 2024 16:34:39 GMT
      Via: 1.1 varnish
      X-Served-By: cache-lcy-eglc8600071-LCY
      X-Cache: HIT
      X-Cache-Hits: 1
      X-Timer: S1721579679.413721,VS0,VE3
      Vary: Authorization,Accept-Encoding,Origin
      Access-Control-Allow-Origin: *
      Cross-Origin-Resource-Policy: cross-origin
      X-Fastly-Request-ID: 907ea015f99ea47de1efee8b4d6ae9107e67eb99
      Expires: Sun, 21 Jul 2024 16:39:39 GMT
      Source-Age: 99
    • flag-us
      DNS
      88.156.103.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.156.103.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      237.21.107.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.21.107.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      133.111.199.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.111.199.185.in-addr.arpa
      IN PTR
      Response
      133.111.199.185.in-addr.arpa
      IN PTR
      cdn-185-199-111-133githubcom
    • flag-us
      DNS
      de.vipor.net
      ccminer.exe
      Remote address:
      8.8.8.8:53
      Request
      de.vipor.net
      IN A
      Response
      de.vipor.net
      IN CNAME
      de.vipordns.net
      de.vipordns.net
      IN A
      51.195.34.205
    • flag-us
      DNS
      205.34.195.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.34.195.51.in-addr.arpa
      IN PTR
      Response
      205.34.195.51.in-addr.arpa
      IN PTR
      ip205 ip-51-195-34eu
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      22.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388130_1LUEK7XGBN2FMZI35&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239339388130_1LUEK7XGBN2FMZI35&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 838075
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6A1CB921DEB74D61A3AF5DAA5DCC459F Ref B: LON04EDGE0809 Ref C: 2024-07-21T16:39:19Z
      date: Sun, 21 Jul 2024 16:39:19 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301205_1OM9XZCKYFXI34HLQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301205_1OM9XZCKYFXI34HLQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 940465
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 03EA86178B504F38B86AD6B168E8CAB5 Ref B: LON04EDGE0809 Ref C: 2024-07-21T16:39:19Z
      date: Sun, 21 Jul 2024 16:39:19 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317300970_1WZNZYNWWAF6IP05J&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317300970_1WZNZYNWWAF6IP05J&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 646893
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 10DEF1F731284E40B83D73DF3F9FB0B1 Ref B: LON04EDGE0809 Ref C: 2024-07-21T16:39:19Z
      date: Sun, 21 Jul 2024 16:39:19 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388129_199HS4001G3EH5S78&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239339388129_199HS4001G3EH5S78&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 569199
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 131A92B973BE439482887CBCEAB031EA Ref B: LON04EDGE0809 Ref C: 2024-07-21T16:39:19Z
      date: Sun, 21 Jul 2024 16:39:19 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301403_18A51FWD0ORQI7TWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301403_18A51FWD0ORQI7TWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 771044
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 5A45366F78A84577AC5FF8FCEA7F53DF Ref B: LON04EDGE0809 Ref C: 2024-07-21T16:39:19Z
      date: Sun, 21 Jul 2024 16:39:19 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301614_1PEIP2AXZTPQ08R0S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301614_1PEIP2AXZTPQ08R0S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 563726
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 9C7D5ADC70924AC9894A8C83993B243B Ref B: LON04EDGE0809 Ref C: 2024-07-21T16:39:49Z
      date: Sun, 21 Jul 2024 16:39:49 GMT
    • flag-us
      DNS
      85.65.42.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      85.65.42.20.in-addr.arpa
      IN PTR
      Response
    • 13.107.21.237:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7b432bc62f6c418487e45ff331f61049&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=
      tls, http2
      2.0kB
      9.3kB
      21
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7b432bc62f6c418487e45ff331f61049&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7b432bc62f6c418487e45ff331f61049&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7b432bc62f6c418487e45ff331f61049&localId=w:7644E81C-AD49-10CC-B943-5E44723BEB42&deviceId=6896204247012457&anid=

      HTTP Response

      204
    • 185.199.111.133:443
      https://raw.githubusercontent.com/MomboteQ/mining-scripts/main/verus/ccminer-win.zip
      tls, http
      powershell.exe
      37.0kB
      1.5MB
      674
      1064

      HTTP Request

      GET https://raw.githubusercontent.com/MomboteQ/mining-scripts/main/verus/ccminer-win.zip

      HTTP Response

      200
    • 51.195.34.205:5040
      de.vipor.net
      ccminer.exe
      365.1kB
      63.3kB
      556
      330
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.28.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301614_1PEIP2AXZTPQ08R0S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      169.6kB
      4.5MB
      3262
      3254

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388130_1LUEK7XGBN2FMZI35&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301205_1OM9XZCKYFXI34HLQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317300970_1WZNZYNWWAF6IP05J&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388129_199HS4001G3EH5S78&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301403_18A51FWD0ORQI7TWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301614_1PEIP2AXZTPQ08R0S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.3kB
      16
      14
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      6.9kB
      16
      13
    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      13.107.21.237
      204.79.197.237

    • 8.8.8.8:53
      183.142.211.20.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      183.142.211.20.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      20.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      20.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      raw.githubusercontent.com
      dns
      powershell.exe
      71 B
      135 B
      1
      1

      DNS Request

      raw.githubusercontent.com

      DNS Response

      185.199.111.133
      185.199.110.133
      185.199.109.133
      185.199.108.133

    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      88.156.103.20.in-addr.arpa

    • 8.8.8.8:53
      237.21.107.13.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      237.21.107.13.in-addr.arpa

    • 8.8.8.8:53
      133.111.199.185.in-addr.arpa
      dns
      74 B
      118 B
      1
      1

      DNS Request

      133.111.199.185.in-addr.arpa

    • 8.8.8.8:53
      de.vipor.net
      dns
      ccminer.exe
      58 B
      100 B
      1
      1

      DNS Request

      de.vipor.net

      DNS Response

      51.195.34.205

    • 8.8.8.8:53
      205.34.195.51.in-addr.arpa
      dns
      72 B
      107 B
      1
      1

      DNS Request

      205.34.195.51.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      22.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      22.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      43.58.199.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      43.58.199.20.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      170 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.28.10
      150.171.27.10

    • 8.8.8.8:53
      85.65.42.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      85.65.42.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0u5t2vn.32s.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe

      Filesize

      652KB

      MD5

      153e4364a395b282b983dfc2c5884105

      SHA1

      9147a6afa63bd7d7e451c693e362730c692781e1

      SHA256

      6a1077166de9d1cc6fceaf6da6f8c5e1c8d9d5f99f3ab845b9790fc6d395d896

      SHA512

      378fe8b9ae243d5844243999a909ab45216920d63149b39be521e5212533f0dc30e8620c6285738e1100618f44d1576b3ccd9aa27b0e65b29a3ca1937047173d

    • memory/4884-14-0x0000028EB4A20000-0x0000028EB4A44000-memory.dmp

      Filesize

      144KB

    • memory/4884-11-0x00007FF8EFC10000-0x00007FF8F06D1000-memory.dmp

      Filesize

      10.8MB

    • memory/4884-12-0x00007FF8EFC10000-0x00007FF8F06D1000-memory.dmp

      Filesize

      10.8MB

    • memory/4884-13-0x0000028EB4A20000-0x0000028EB4A4A000-memory.dmp

      Filesize

      168KB

    • memory/4884-0-0x00007FF8EFC13000-0x00007FF8EFC15000-memory.dmp

      Filesize

      8KB

    • memory/4884-15-0x00007FF8EFC10000-0x00007FF8F06D1000-memory.dmp

      Filesize

      10.8MB

    • memory/4884-17-0x0000028EB4A60000-0x0000028EB4A72000-memory.dmp

      Filesize

      72KB

    • memory/4884-18-0x0000028EB4A50000-0x0000028EB4A5A000-memory.dmp

      Filesize

      40KB

    • memory/4884-1-0x0000028EB46B0000-0x0000028EB46D2000-memory.dmp

      Filesize

      136KB

    • memory/4884-33-0x00007FF8EFC13000-0x00007FF8EFC15000-memory.dmp

      Filesize

      8KB

    • memory/4884-34-0x00007FF8EFC10000-0x00007FF8F06D1000-memory.dmp

      Filesize

      10.8MB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.