Analysis

  • max time kernel
    116s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/08/2024, 17:56 UTC

General

  • Target

    e7e4f9b338f634e9818ab8ccb1a12e30N.dll

  • Size

    120KB

  • MD5

    e7e4f9b338f634e9818ab8ccb1a12e30

  • SHA1

    e6e0402f372aca08e7fa6552c3e4bebad361f161

  • SHA256

    5b2867a6400555f776c50def66004cf71857d35cb3b4d0371f20c2898ba6c68a

  • SHA512

    6c4225af7beca3fccb3ec90a6d179836517c8c438c6bae977fb6069d86892b963247db279ef25d7cd32e9d483c3f8ca76d8a79dfcfbc892df3ba84ad44413635

  • SSDEEP

    3072:pd34at33rkhErWdQXyTyEdQ5RDaO1PHPUzB:Doa17eEi5wlHPO

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 12 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:788
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:796
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    PID:380
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2552
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2616
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:3064
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3492
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7e4f9b338f634e9818ab8ccb1a12e30N.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7e4f9b338f634e9818ab8ccb1a12e30N.dll,#1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3268
        • C:\Users\Admin\AppData\Local\Temp\e57a095.exe
          C:\Users\Admin\AppData\Local\Temp\e57a095.exe
          4⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5092
        • C:\Users\Admin\AppData\Local\Temp\e57a325.exe
          C:\Users\Admin\AppData\Local\Temp\e57a325.exe
          4⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4168
        • C:\Users\Admin\AppData\Local\Temp\e57bbfd.exe
          C:\Users\Admin\AppData\Local\Temp\e57bbfd.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2108
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3680
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3852
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3944
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4008
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1064
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:2340
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    1⤵
    PID:1048
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:628
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    1⤵
    PID:3464
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:4140
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:1860
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:5028

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ed415eac34ad4411b17e033ab2ae5c7a&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
    backgroundTaskHost.exe
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ed415eac34ad4411b17e033ab2ae5c7a&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=368F07C322586C4F31DF1319237F6D7D; domain=.bing.com; expires=Sun, 07-Sep-2025 17:56:33 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 527FC0AC67BD406BB8C64431E4E87261 Ref B: LON04EDGE0712 Ref C: 2024-08-13T17:56:33Z
    date: Tue, 13 Aug 2024 17:56:32 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ed415eac34ad4411b17e033ab2ae5c7a&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
    backgroundTaskHost.exe
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ed415eac34ad4411b17e033ab2ae5c7a&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=368F07C322586C4F31DF1319237F6D7D
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=f9AeLTE4UZhiiLpIN4ZY9wV_VTjMx2BNE5q3kEXrWOU; domain=.bing.com; expires=Sun, 07-Sep-2025 17:56:33 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 42D58B1D8F0D46609C6B2A61B73EACC8 Ref B: LON04EDGE0712 Ref C: 2024-08-13T17:56:33Z
    date: Tue, 13 Aug 2024 17:56:32 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ed415eac34ad4411b17e033ab2ae5c7a&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
    backgroundTaskHost.exe
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ed415eac34ad4411b17e033ab2ae5c7a&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=368F07C322586C4F31DF1319237F6D7D; MSPTC=f9AeLTE4UZhiiLpIN4ZY9wV_VTjMx2BNE5q3kEXrWOU
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1E758085424842848726735AD9A08796 Ref B: LON04EDGE0712 Ref C: 2024-08-13T17:56:33Z
    date: Tue, 13 Aug 2024 17:56:32 GMT
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.143.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.143.123.92.in-addr.arpa
    IN PTR
    Response
    240.143.123.92.in-addr.arpa
    IN PTR
    a92-123-143-240deploystaticakamaitechnologiescom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 622808
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 350C96F12B7C40F19F61FC3BBBEC0483 Ref B: LON04EDGE1221 Ref C: 2024-08-13T17:58:23Z
    date: Tue, 13 Aug 2024 17:58:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301078_1O81E4QM35DM2EN4A&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301078_1O81E4QM35DM2EN4A&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 695371
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E39AD8B69E0448C8B0DE07D13B090F92 Ref B: LON04EDGE1221 Ref C: 2024-08-13T17:58:23Z
    date: Tue, 13 Aug 2024 17:58:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 747785
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 317CA7E1622F44868FBEEE98F1FAD0D9 Ref B: LON04EDGE1221 Ref C: 2024-08-13T17:58:23Z
    date: Tue, 13 Aug 2024 17:58:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418535_1J3FI1BHYFKNLDX7C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418535_1J3FI1BHYFKNLDX7C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
                                          HTTP/2.0 200
                                          cache-control: public, max-age=2592000
                                          content-length: 248362
                                          content-type: image/jpeg
                                          x-cache: TCP_HIT
                                          access-control-allow-origin: *
                                          access-control-allow-headers: *
                                          access-control-allow-methods: GET, POST, OPTIONS
                                          timing-allow-origin: *
                                          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                                          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                                          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                          x-msedge-ref: Ref A: D7A5FC09920141B2A54F9FDC9DC6BDAA Ref B: LON04EDGE1221 Ref C: 2024-08-13T17:58:23Z
                                          date: Tue, 13 Aug 2024 17:58:22 GMT
                                        • flag-us
                                          GET
                                          https://tse1.mm.bing.net/th?id=OADD2.10239340418536_1RXQC5FWNJZBHVB3M&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                                          Remote address:
                                          150.171.28.10:443
                                          Request
                                          GET /th?id=OADD2.10239340418536_1RXQC5FWNJZBHVB3M&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
                                          host: tse1.mm.bing.net
                                          accept: */*
                                          accept-encoding: gzip, deflate, br
                                          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                                          Response
                                          HTTP/2.0 200
                                          cache-control: public, max-age=2592000
                                          content-length: 383560
                                          content-type: image/jpeg
                                          x-cache: TCP_HIT
                                          access-control-allow-origin: *
                                          access-control-allow-headers: *
                                          access-control-allow-methods: GET, POST, OPTIONS
                                          timing-allow-origin: *
                                          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                                          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                                          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                          x-msedge-ref: Ref A: 73C8D0B7038D4C3A952DA23B51BDCB23 Ref B: LON04EDGE1221 Ref C: 2024-08-13T17:58:23Z
                                          date: Tue, 13 Aug 2024 17:58:23 GMT
                                        • flag-us
                                          GET
                                          https://tse1.mm.bing.net/th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                                          Remote address:
                                          150.171.28.10:443
                                          Request
                                          GET /th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
                                          host: tse1.mm.bing.net
                                          accept: */*
                                          accept-encoding: gzip, deflate, br
                                          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                                          Response
                                          HTTP/2.0 200
                                          cache-control: public, max-age=2592000
                                          content-length: 625518
                                          content-type: image/jpeg
                                          x-cache: TCP_HIT
                                          access-control-allow-origin: *
                                          access-control-allow-headers: *
                                          access-control-allow-methods: GET, POST, OPTIONS
                                          timing-allow-origin: *
                                          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                                          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                                          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                          x-msedge-ref: Ref A: 662E3460B65B4BF98B4B0892632218CA Ref B: LON04EDGE1221 Ref C: 2024-08-13T17:58:24Z
                                          date: Tue, 13 Aug 2024 17:58:23 GMT
                                        • flag-us
                                          DNS
                                          19.229.111.52.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          19.229.111.52.in-addr.arpa
                                          IN PTR
                                          Response
                                        • 13.107.21.237:443
                                          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ed415eac34ad4411b17e033ab2ae5c7a&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
                                          tls, http2
                                          backgroundTaskHost.exe
                                          2.0kB
                                          9.3kB
                                          22
                                          18

                                          HTTP Request

                                          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ed415eac34ad4411b17e033ab2ae5c7a&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

                                          HTTP Response

                                          204

                                          HTTP Request

                                          GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ed415eac34ad4411b17e033ab2ae5c7a&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

                                          HTTP Response

                                          204

                                          HTTP Request

                                          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ed415eac34ad4411b17e033ab2ae5c7a&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

                                          HTTP Response

                                          204
                                        • 52.111.243.31:443
                                          322 B
                                          7
                                        • 150.171.28.10:443
                                          tse1.mm.bing.net
                                          tls, http2
                                          1.2kB
                                          6.9kB
                                          16
                                          13
                                        • 150.171.28.10:443
                                          tse1.mm.bing.net
                                          tls, http2
                                          1.2kB
                                          6.9kB
                                          16
                                          14
                                        • 150.171.28.10:443
                                          tse1.mm.bing.net
                                          tls, http2
                                          1.2kB
                                          7.7kB
                                          16
                                          12
                                        • 150.171.28.10:443
                                          https://tse1.mm.bing.net/th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                                          tls, http2
                                          119.8kB
                                          3.4MB
                                          2511
                                          2502

                                          HTTP Request

                                          GET https://tse1.mm.bing.net/th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

                                          HTTP Request

                                          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301078_1O81E4QM35DM2EN4A&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

                                          HTTP Request

                                          GET https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

                                          HTTP Request

                                          GET https://tse1.mm.bing.net/th?id=OADD2.10239340418535_1J3FI1BHYFKNLDX7C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

                                          HTTP Response

                                          200

                                          HTTP Response

                                          200

                                          HTTP Response

                                          200

                                          HTTP Request

                                          GET https://tse1.mm.bing.net/th?id=OADD2.10239340418536_1RXQC5FWNJZBHVB3M&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

                                          HTTP Response

                                          200

                                          HTTP Request

                                          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

                                          HTTP Response

                                          200

                                          HTTP Response

                                          200
                                        • 150.171.28.10:443
                                          tse1.mm.bing.net
                                          tls, http2
                                          1.6kB
                                          7.3kB
                                          18
                                          13
                                        • 8.8.8.8:53
                                          g.bing.com
                                          dns
                                          56 B
                                          151 B
                                          1
                                          1

                                          DNS Request

                                          g.bing.com

                                          DNS Response

                                          13.107.21.237
                                          204.79.197.237

                                        • 8.8.8.8:53
                                          75.159.190.20.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          75.159.190.20.in-addr.arpa

                                        • 8.8.8.8:53
                                          237.21.107.13.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          237.21.107.13.in-addr.arpa

                                        • 8.8.8.8:53
                                          240.143.123.92.in-addr.arpa
                                          dns
                                          73 B
                                          139 B
                                          1
                                          1

                                          DNS Request

                                          240.143.123.92.in-addr.arpa

                                        • 8.8.8.8:53
                                          95.221.229.192.in-addr.arpa
                                          dns
                                          73 B
                                          144 B
                                          1
                                          1

                                          DNS Request

                                          95.221.229.192.in-addr.arpa

                                        • 8.8.8.8:53
                                          154.239.44.20.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          154.239.44.20.in-addr.arpa

                                        • 8.8.8.8:53
                                          55.36.223.20.in-addr.arpa
                                          dns
                                          71 B
                                          157 B
                                          1
                                          1

                                          DNS Request

                                          55.36.223.20.in-addr.arpa

                                        • 8.8.8.8:53
                                          28.118.140.52.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          28.118.140.52.in-addr.arpa

                                        • 8.8.8.8:53
                                          26.165.165.52.in-addr.arpa
                                          dns
                                          360 B
                                          5

                                          DNS Request

                                          26.165.165.52.in-addr.arpa

                                          DNS Request

                                          26.165.165.52.in-addr.arpa

                                          DNS Request

                                          26.165.165.52.in-addr.arpa

                                          DNS Request

                                          26.165.165.52.in-addr.arpa

                                          DNS Request

                                          26.165.165.52.in-addr.arpa

                                        • 8.8.8.8:53
                                          28.118.140.52.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          28.118.140.52.in-addr.arpa

                                        • 8.8.8.8:53
                                          240.221.184.93.in-addr.arpa
                                          dns
                                          219 B
                                          144 B
                                          3
                                          1

                                          DNS Request

                                          240.221.184.93.in-addr.arpa

                                          DNS Request

                                          240.221.184.93.in-addr.arpa

                                          DNS Request

                                          240.221.184.93.in-addr.arpa

                                        • 8.8.8.8:53
                                          tse1.mm.bing.net
                                          dns
                                          62 B
                                          170 B
                                          1
                                          1

                                          DNS Request

                                          tse1.mm.bing.net

                                          DNS Response

                                          150.171.28.10
                                          150.171.27.10

                                        • 8.8.8.8:53
                                          19.229.111.52.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          19.229.111.52.in-addr.arpa

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Temp\e57a095.exe

                                          Filesize

                                          97KB

                                          MD5

                                          28a1c2fd7cf3b73f89d6a33e08bcbc41

                                          SHA1

                                          f00d3e202579d968db87b8c754fac64d669942db

                                          SHA256

                                          fe0ce40c103e736bdeb2557789fa61d86c25030155908b5cc4c62a78294d19d1

                                          SHA512

                                          7cd559a2afe4b611f7a424438f4137aa99a065c21c71dd2d74da700c8c6fe5c628dc9edee408dbfa1e0e3faf5a2435ec643f441598faa65b1b51deb3eb5af0bb

                                        • C:\Windows\SYSTEM.INI

                                          Filesize

                                          257B

                                          MD5

                                          1f93292d851b0bc5c96db58a6ef3dd6e

                                          SHA1

                                          b00109579150a3f60a51b238dd26715fee250ec3

                                          SHA256

                                          fc3e015072b428018c59aa397f751b7d82a6e203d214679b55f6b4b8009a9910

                                          SHA512

                                          570faea476dba7297598ddfe1d51473898580955c0444a577592a9f760281a5ce695eb929ce447860bff82c38055466af5def4252179217ca7963c1d41636a40

                                        • memory/2108-101-0x0000000000400000-0x0000000000412000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2108-52-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/2108-50-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/2108-49-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2108-44-0x0000000000400000-0x0000000000412000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/3268-23-0x0000000002DC0000-0x0000000002DC2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3268-1-0x0000000010000000-0x0000000010020000-memory.dmp

                                          Filesize

                                          128KB

                                        • memory/3268-31-0x0000000002DC0000-0x0000000002DC2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3268-33-0x0000000002DC0000-0x0000000002DC2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3268-28-0x00000000030C0000-0x00000000030C1000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/4168-75-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-76-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-97-0x0000000000400000-0x0000000000412000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/4168-74-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-73-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-68-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-70-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-71-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-72-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-78-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-47-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/4168-46-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/4168-84-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-36-0x0000000000400000-0x0000000000412000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/4168-51-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/4168-85-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/4168-94-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/4168-77-0x0000000000BA0000-0x0000000001C5A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-29-0x00000000019F0000-0x00000000019F2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/5092-67-0x0000000000400000-0x0000000000412000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/5092-54-0x00000000019F0000-0x00000000019F2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/5092-10-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-53-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-26-0x0000000004370000-0x0000000004371000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/5092-32-0x00000000019F0000-0x00000000019F2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/5092-22-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-8-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-11-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-16-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-12-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-13-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-15-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-9-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-14-0x00000000007A0000-0x000000000185A000-memory.dmp

                                          Filesize

                                          16.7MB

                                        • memory/5092-5-0x0000000000400000-0x0000000000412000-memory.dmp

                                          Filesize

                                          72KB