Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4ff314143f...ea.exe

windows7-x64

10

4ff314143f...ea.exe

windows10-2004-x64

10

Resubmissions

28/07/2024, 16:33 UTC

240728-t2rheswfqd 10

26/07/2024, 03:12 UTC

240726-dqpaxsshqq 10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/07/2024, 16:33 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe

  • Size

    72KB

  • MD5

    fcb76d19b9003bd5522c6da0703175d5

  • SHA1

    99b5b69c4c3c6946162c1239ddbfa6e366cce3e3

  • SHA256

    4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea

  • SHA512

    dc08946159c732d367fa9a2f603eca3ec994eb37c962141bdf91bdd39f136998d560ba45ed307db4527386f85db4c002682d7b55b7a880d345ef613afd49fdce

  • SSDEEP

    1536:lNeRBl5PT/rx1mzwRMSTdLpJSVJaaw38x6S3hT3GCq2iW7z:lQRrmzwR5J7UthDGCH

Score
10/10
phobosaspackv2defense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (129) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 7 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Local\Temp\DaGvPt.exe
      C:\Users\Admin\AppData\Local\Temp\DaGvPt.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\419456aa.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1044
    • C:\Users\Admin\AppData\Local\Temp\4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe"
      2⤵
        PID:388
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:4136
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:952
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3868
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4316
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:3460
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2444
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:3956
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3620
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4908
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:2948
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:284
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4320

      Network

      • flag-us
        DNS
        232.168.11.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        232.168.11.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        ddos.dnsnb8.net
        DaGvPt.exe
        Remote address:
        8.8.8.8:53
        Request
        ddos.dnsnb8.net
        IN A
        Response
      • flag-us
        DNS
        ddos.dnsnb8.net
        DaGvPt.exe
        Remote address:
        8.8.8.8:53
        Request
        ddos.dnsnb8.net
        IN A
        Response
        ddos.dnsnb8.net
        IN A
        44.221.84.105
      • flag-us
        DNS
        ddos.dnsnb8.net
        DaGvPt.exe
        Remote address:
        8.8.8.8:53
        Request
        ddos.dnsnb8.net
        IN A
        Response
      • flag-us
        DNS
        ddos.dnsnb8.net
        DaGvPt.exe
        Remote address:
        8.8.8.8:53
        Request
        ddos.dnsnb8.net
        IN A
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.dual-a-0034.a-msedge.net
        g-bing-com.dual-a-0034.a-msedge.net
        IN CNAME
        dual-a-0034.a-msedge.net
        dual-a-0034.a-msedge.net
        IN A
        204.79.197.237
        dual-a-0034.a-msedge.net
        IN A
        13.107.21.237
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e89ef878a544907beaa0e5cce0f4a77&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e89ef878a544907beaa0e5cce0f4a77&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=243E802B7A4C6AAE2E7994E17BAC6B52; domain=.bing.com; expires=Fri, 22-Aug-2025 16:34:15 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 21B7B20597684D4BB599B980B4C80414 Ref B: LON04EDGE1008 Ref C: 2024-07-28T16:34:14Z
        date: Sun, 28 Jul 2024 16:34:14 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7e89ef878a544907beaa0e5cce0f4a77&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7e89ef878a544907beaa0e5cce0f4a77&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=243E802B7A4C6AAE2E7994E17BAC6B52
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=-JhDOZb8a4ipHichizOFRvZlOuVvyC_XycXdL5QhcoM; domain=.bing.com; expires=Fri, 22-Aug-2025 16:34:15 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: A5B1EAC8887B44B187745CEC8531BAF7 Ref B: LON04EDGE1008 Ref C: 2024-07-28T16:34:15Z
        date: Sun, 28 Jul 2024 16:34:14 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e89ef878a544907beaa0e5cce0f4a77&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e89ef878a544907beaa0e5cce0f4a77&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=243E802B7A4C6AAE2E7994E17BAC6B52; MSPTC=-JhDOZb8a4ipHichizOFRvZlOuVvyC_XycXdL5QhcoM
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 9BF4DAC87A4B44B0BBCA71CA34188894 Ref B: LON04EDGE1008 Ref C: 2024-07-28T16:34:15Z
        date: Sun, 28 Jul 2024 16:34:15 GMT
      • flag-us
        DNS
        140.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        140.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        237.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        237.197.79.204.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        57.169.31.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        57.169.31.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        15.164.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        15.164.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        147.142.123.92.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        147.142.123.92.in-addr.arpa
        IN PTR
        Response
        147.142.123.92.in-addr.arpa
        IN PTR
        a92-123-142-147deploystaticakamaitechnologiescom
      • flag-us
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
        Response
        tse1.mm.bing.net
        IN CNAME
        mm-mm.bing.net.trafficmanager.net
        mm-mm.bing.net.trafficmanager.net
        IN CNAME
        ax-0001.ax-msedge.net
        ax-0001.ax-msedge.net
        IN A
        150.171.27.10
        ax-0001.ax-msedge.net
        IN A
        150.171.28.10
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239339388125_1VMOONLDU1IFR4WEP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        150.171.27.10:443
        Request
        GET /th?id=OADD2.10239339388125_1VMOONLDU1IFR4WEP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 875278
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: F89C23794B0F4959AE49DBA011087DD1 Ref B: LON04EDGE0708 Ref C: 2024-07-28T16:34:56Z
        date: Sun, 28 Jul 2024 16:34:55 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239339388126_1L4W1T5VFYTHU9QO3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        150.171.27.10:443
        Request
        GET /th?id=OADD2.10239339388126_1L4W1T5VFYTHU9QO3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 753155
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 6917D5BB868B4A71A9EBCF25BDB2B98B Ref B: LON04EDGE0708 Ref C: 2024-07-28T16:34:56Z
        date: Sun, 28 Jul 2024 16:34:55 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        150.171.27.10:443
        Request
        GET /th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 581717
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: E5882EABEAD2477DB2067550375C086F Ref B: LON04EDGE0708 Ref C: 2024-07-28T16:34:56Z
        date: Sun, 28 Jul 2024 16:34:55 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        150.171.27.10:443
        Request
        GET /th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 700191
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 57C808386FDD40D59FEF72D2BEAC263E Ref B: LON04EDGE0708 Ref C: 2024-07-28T16:34:56Z
        date: Sun, 28 Jul 2024 16:34:55 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317300938_116Z84FUP3EYXI7L6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        150.171.27.10:443
        Request
        GET /th?id=OADD2.10239317300938_116Z84FUP3EYXI7L6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 669299
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: D52B77A639B547D09F0F08604AE87CD4 Ref B: LON04EDGE0708 Ref C: 2024-07-28T16:34:56Z
        date: Sun, 28 Jul 2024 16:34:55 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239317301371_18ZL52TJ0W1845BME&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        150.171.27.10:443
        Request
        GET /th?id=OADD2.10239317301371_18ZL52TJ0W1845BME&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 831116
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 337C61F7B13D42B18B738B48723FD303 Ref B: LON04EDGE0708 Ref C: 2024-07-28T16:35:01Z
        date: Sun, 28 Jul 2024 16:35:00 GMT
      • flag-us
        DNS
        10.27.171.150.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        10.27.171.150.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        240.221.184.93.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.221.184.93.in-addr.arpa
        IN PTR
        Response
      • 204.79.197.237:443
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e89ef878a544907beaa0e5cce0f4a77&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=
        tls, http2
        2.3kB
         9.3kB
         22
        18

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e89ef878a544907beaa0e5cce0f4a77&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=7e89ef878a544907beaa0e5cce0f4a77&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=7e89ef878a544907beaa0e5cce0f4a77&localId=w:5E455798-4EFE-C2ED-DBE1-D53A409DAB3B&deviceId=6755471838261800&anid=

        HTTP Response

        204
      • 150.171.27.10:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
         6.9kB
         15
        13
      • 150.171.27.10:443
        https://tse1.mm.bing.net/th?id=OADD2.10239317301371_18ZL52TJ0W1845BME&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        tls, http2
        156.3kB
         4.6MB
         3316
        3310

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239339388125_1VMOONLDU1IFR4WEP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239339388126_1L4W1T5VFYTHU9QO3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Response

        200

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317300938_116Z84FUP3EYXI7L6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Response

        200

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301371_18ZL52TJ0W1845BME&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Response

        200
      • 150.171.27.10:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
         6.9kB
         15
        13
      • 150.171.27.10:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
         6.9kB
         15
        13
      • 150.171.27.10:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
         6.9kB
         15
        13
      • 8.8.8.8:53
        232.168.11.51.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        232.168.11.51.in-addr.arpa

      • 8.8.8.8:53
        ddos.dnsnb8.net
        dns
        DaGvPt.exe
        244 B
         260 B
         4
        4

        DNS Request

        ddos.dnsnb8.net

        DNS Request

        ddos.dnsnb8.net

        DNS Request

        ddos.dnsnb8.net

        DNS Request

        ddos.dnsnb8.net

        DNS Response

        44.221.84.105

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
         128 B
         1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
         151 B
         1
        1

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.237
        13.107.21.237

      • 8.8.8.8:53
        140.32.126.40.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        140.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        237.197.79.204.in-addr.arpa
        dns
        73 B
         143 B
         1
        1

        DNS Request

        237.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        57.169.31.20.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        57.169.31.20.in-addr.arpa

      • 8.8.8.8:53
        209.205.72.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        209.205.72.20.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
         156 B
         1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        15.164.165.52.in-addr.arpa
        dns
        72 B
         146 B
         1
        1

        DNS Request

        15.164.165.52.in-addr.arpa

      • 8.8.8.8:53
        147.142.123.92.in-addr.arpa
        dns
        73 B
         139 B
         1
        1

        DNS Request

        147.142.123.92.in-addr.arpa

      • 8.8.8.8:53
        tse1.mm.bing.net
        dns
        62 B
         170 B
         1
        1

        DNS Request

        tse1.mm.bing.net

        DNS Response

        150.171.27.10
        150.171.28.10

      • 8.8.8.8:53
        10.27.171.150.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        10.27.171.150.in-addr.arpa

      • 8.8.8.8:53
        240.221.184.93.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        240.221.184.93.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Defense Evasion

      Direct Volume Access

      1
      T1006

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Indicator Removal

      3
      T1070

      File Deletion

      3
      T1070.004

      Modify Registry

      1
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      4
      T1012

      System Information Discovery

      4
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Inhibit System Recovery

      4
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        544KB

        MD5

        26f7a83fcf6b31b786c91895d1bdf46e

        SHA1

        ee774dde283164e3728f154a218de091f87d161f

        SHA256

        3701a7e99b37d6738cf1406569b5b3a7aef28ef55ad7def4191ba57835d502d6

        SHA512

        ffdf7aced2f86ca568eb13c1b44458b5336aefe5c8517c86d3171766f7694f7a6ba112a6ee3511eb50712b9f954d1c3de12e3e68259174efa8ad41f8d55c5991

        Download Submit

      • C:\Program Files\7-Zip\Uninstall.exe
        Filesize

        31KB

        MD5

        50615dd05bb46aafc9490a7c48391314

        SHA1

        d955e44ff63fda3f9b18f19aa72cbba43a5d8e44

        SHA256

        4fa7abf3016b4fce22b2ef413654a5ef60fd6a75cce4b6e7aeedf3cf46dde806

        SHA512

        db29f2204faeac580799cbd65346d83a7c74d5b7239dcd761287324f8aae27cafe7b7b19ab0a2d94580d34a74278faaab141a07e620699be4b96da36c8bd6e11

        Download Submit

      • C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md
        Filesize

        2KB

        MD5

        ddc4cb14453391bcb5f4d645b2916a6c

        SHA1

        c4738d174c90c285e17bf51a9218256f45f96ea7

        SHA256

        0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb

        SHA512

        34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f

        Download Submit

      • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
        Filesize

        190B

        MD5

        c5b7a97bda04c48435a145f2d1f9bb42

        SHA1

        bd94219a79987af3e4d4ce45b07edc2230aaf655

        SHA256

        07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0

        SHA512

        7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80

        Download Submit

      • C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif
        Filesize

        153B

        MD5

        d13b5ffdeb538f15ee1d30f2788601d5

        SHA1

        8dc4da8e4efca07472b08b618bc059dcbfd03efa

        SHA256

        f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876

        SHA512

        58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

        Download Submit

      • C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml
        Filesize

        744B

        MD5

        809457c05fe696f5d34ac5ac8768cdd4

        SHA1

        a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9

        SHA256

        1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be

        SHA512

        cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44

        Download Submit

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea.exe
        Filesize

        72KB

        MD5

        fcb76d19b9003bd5522c6da0703175d5

        SHA1

        99b5b69c4c3c6946162c1239ddbfa6e366cce3e3

        SHA256

        4ff314143f6fea359946a81034ec04a4f515998fc23c6937bc5d032b02f01bea

        SHA512

        dc08946159c732d367fa9a2f603eca3ec994eb37c962141bdf91bdd39f136998d560ba45ed307db4527386f85db4c002682d7b55b7a880d345ef613afd49fdce

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
        Filesize

        24B

        MD5

        1681ffc6e046c7af98c9e6c232a3fe0a

        SHA1

        d3399b7262fb56cb9ed053d68db9291c410839c4

        SHA256

        9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

        SHA512

        11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\419456aa.bat
        Filesize

        187B

        MD5

        5c0e77edb62ad93a40853e81a166a9a0

        SHA1

        4b24dd74d7e7d287c0fe8f0ad2551593a1984505

        SHA256

        400ab5aee17ce6aaf6c028fac83007795bf843464eae21b969a816a73cb2a345

        SHA512

        85736e5a5b032da1e85dfef623be6b25dd0e4a93d6e13effbc2fcf6fa05c866c746c40cdcc1b68c7fb163b6bf65bbe89c2225688862b0a58d1d3ef1c7e4bb696

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DaGvPt.exe
        Filesize

        15KB

        MD5

        f7d21de5c4e81341eccd280c11ddcc9a

        SHA1

        d4e9ef10d7685d491583c6fa93ae5d9105d815bd

        SHA256

        4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

        SHA512

        e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

        Download Submit

      • memory/388-7-0x0000000000E90000-0x0000000000EA8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1828-1617-0x0000000000E90000-0x0000000000EA8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1828-0-0x0000000000E90000-0x0000000000EA8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4236-160-0x0000000000D40000-0x0000000000D49000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4236-5-0x0000000000D40000-0x0000000000D49000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4320-6666-0x00000243D3920000-0x00000243D3921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4320-6706-0x00000243D3920000-0x00000243D3921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4320-6705-0x00000243D3920000-0x00000243D3921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4320-6704-0x00000243D3920000-0x00000243D3921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4320-6703-0x00000243D3920000-0x00000243D3921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4320-6702-0x00000243D3920000-0x00000243D3921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4320-6707-0x00000243D3920000-0x00000243D3921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4320-6708-0x00000243D3920000-0x00000243D3921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4320-6665-0x00000243D3920000-0x00000243D3921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4320-6664-0x00000243D3920000-0x00000243D3921000-memory.dmp

        Filesize

        4KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.