Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
300s -
max time network
306s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31/10/2024, 01:23 UTC
Behavioral task
behavioral1
Sample
Server.exe
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
Server.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
Server.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral5
Sample
Server.exe
Resource
win11-20241007-en
General
-
Target
Server.exe
-
Size
37KB
-
MD5
2ef7aed002ffeb3bb11459e44c8985b4
-
SHA1
3e4962d44fe8f156883af03bf3deeac2843c73f6
-
SHA256
3f8718b194105edc9f367fa1a4155c48fa20526c08acce53ae8456a42355d45b
-
SHA512
bd100c451a343966dd68550b4aee49271a2452dee399570b7397e7deb17694839bcfe5812d5aa11498337dc1ce4e8fb43d89a95417d424a04f913c30207d45d0
-
SSDEEP
384:tqETgiG1CPZfursvO6yszi7oPJoTnuTarAF+rMRTyN/0L+EcoinblneHQM3epzX0:sE/5Wpszi7o2TuWrM+rMRa8Nux4t
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 1924 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation Server.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19f90553c0dfe2ce6a1dc4098a6125bc.exe Steam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19f90553c0dfe2ce6a1dc4098a6125bc.exe Steam.exe -
Executes dropped EXE 1 IoCs
pid Process 1128 Steam.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19f90553c0dfe2ce6a1dc4098a6125bc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Steam.exe\" .." Steam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\19f90553c0dfe2ce6a1dc4098a6125bc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Steam.exe\" .." Steam.exe -
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf Steam.exe File created D:\autorun.inf Steam.exe File created F:\autorun.inf Steam.exe File opened for modification F:\autorun.inf Steam.exe File created C:\autorun.inf Steam.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Steam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Kills process with taskkill 1 IoCs
pid Process 3504 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe 1128 Steam.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1128 Steam.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1128 Steam.exe Token: SeDebugPrivilege 3504 taskkill.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe Token: 33 1128 Steam.exe Token: SeIncBasePriorityPrivilege 1128 Steam.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2020 wrote to memory of 1128 2020 Server.exe 90 PID 2020 wrote to memory of 1128 2020 Server.exe 90 PID 2020 wrote to memory of 1128 2020 Server.exe 90 PID 1128 wrote to memory of 1924 1128 Steam.exe 94 PID 1128 wrote to memory of 1924 1128 Steam.exe 94 PID 1128 wrote to memory of 1924 1128 Steam.exe 94 PID 1128 wrote to memory of 3504 1128 Steam.exe 96 PID 1128 wrote to memory of 3504 1128 Steam.exe 96 PID 1128 wrote to memory of 3504 1128 Steam.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Roaming\Steam.exe"C:\Users\Admin\AppData\Roaming\Steam.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Steam.exe" "Steam.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1924
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Exsample.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3504
-
-
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c8e23a3ce5bb445cbcf5908f59f7b369&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c8e23a3ce5bb445cbcf5908f59f7b369&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=16893DDFD19C6213072828F6D09A6386; domain=.bing.com; expires=Tue, 25-Nov-2025 01:24:31 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 28284DE862B845F6AF1A55C46D105DE4 Ref B: LON601060108029 Ref C: 2024-10-31T01:24:31Z
date: Thu, 31 Oct 2024 01:24:31 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c8e23a3ce5bb445cbcf5908f59f7b369&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c8e23a3ce5bb445cbcf5908f59f7b369&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=16893DDFD19C6213072828F6D09A6386
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=fBTnXXcvQhNbZCVXi8sJoUp6gvCWbiNqeaHA45_P0z8; domain=.bing.com; expires=Tue, 25-Nov-2025 01:24:31 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 621AEAA7B58B41AA9E29EA9B58FC59D1 Ref B: LON601060108029 Ref C: 2024-10-31T01:24:31Z
date: Thu, 31 Oct 2024 01:24:31 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c8e23a3ce5bb445cbcf5908f59f7b369&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c8e23a3ce5bb445cbcf5908f59f7b369&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=16893DDFD19C6213072828F6D09A6386; MSPTC=fBTnXXcvQhNbZCVXi8sJoUp6gvCWbiNqeaHA45_P0z8
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 460CC01725B54255AB402BC09565BDFA Ref B: LON601060108029 Ref C: 2024-10-31T01:24:32Z
date: Thu, 31 Oct 2024 01:24:31 GMT
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request210.108.222.173.in-addr.arpaIN PTRResponse210.108.222.173.in-addr.arpaIN PTRa173-222-108-210deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request210.108.222.173.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request101.11.19.2.in-addr.arpaIN PTRResponse101.11.19.2.in-addr.arpaIN PTRa2-19-11-101deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request101.11.19.2.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418600_11EQ8QDR6IPB0F4AN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418600_11EQ8QDR6IPB0F4AN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 633835
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 35A22D0796814AAB8776D2D6A6559752 Ref B: LON601060102060 Ref C: 2024-10-31T01:26:09Z
date: Thu, 31 Oct 2024 01:26:08 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388232_1HX9ZS0B9YGLAEN2M&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239339388232_1HX9ZS0B9YGLAEN2M&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 1065063
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FA76F26A85D9423B9530248A4990FA00 Ref B: LON601060102060 Ref C: 2024-10-31T01:26:09Z
date: Thu, 31 Oct 2024 01:26:08 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418599_1G42Z13GRT0FB3ANC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418599_1G42Z13GRT0FB3ANC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 632525
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 98556253AAEE43E095ABC86F8C42DF92 Ref B: LON601060102060 Ref C: 2024-10-31T01:26:09Z
date: Thu, 31 Oct 2024 01:26:08 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388233_1ZV389LGZ415PJ5PE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239339388233_1ZV389LGZ415PJ5PE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 1343140
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F6B9F5EB3A5A43C187B8D3BD8CDAE877 Ref B: LON601060102060 Ref C: 2024-10-31T01:26:09Z
date: Thu, 31 Oct 2024 01:26:08 GMT
-
Remote address:8.8.8.8:53Request10.27.171.150.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request85.65.42.20.in-addr.arpaIN PTRResponse
-
150.171.28.10:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c8e23a3ce5bb445cbcf5908f59f7b369&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=tls, http22.7kB 11.7kB 27 22
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c8e23a3ce5bb445cbcf5908f59f7b369&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c8e23a3ce5bb445cbcf5908f59f7b369&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c8e23a3ce5bb445cbcf5908f59f7b369&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=HTTP Response
204 -
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
1.2kB 6.9kB 15 13
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239339388233_1ZV389LGZ415PJ5PE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2130.4kB 3.8MB 2765 2760
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418600_11EQ8QDR6IPB0F4AN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388232_1HX9ZS0B9YGLAEN2M&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418599_1G42Z13GRT0FB3ANC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388233_1ZV389LGZ415PJ5PE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200 -
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
208 B 4
-
112 B 148 B 2 1
DNS Request
g.bing.com
DNS Request
g.bing.com
DNS Response
150.171.28.10150.171.27.10
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
148 B 141 B 2 1
DNS Request
210.108.222.173.in-addr.arpa
DNS Request
210.108.222.173.in-addr.arpa
-
219 B 147 B 3 1
DNS Request
104.219.191.52.in-addr.arpa
DNS Request
104.219.191.52.in-addr.arpa
DNS Request
104.219.191.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
140 B 133 B 2 1
DNS Request
101.11.19.2.in-addr.arpa
DNS Request
101.11.19.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
72 B 158 B 1 1
DNS Request
10.27.171.150.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
85.65.42.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD52ef7aed002ffeb3bb11459e44c8985b4
SHA13e4962d44fe8f156883af03bf3deeac2843c73f6
SHA2563f8718b194105edc9f367fa1a4155c48fa20526c08acce53ae8456a42355d45b
SHA512bd100c451a343966dd68550b4aee49271a2452dee399570b7397e7deb17694839bcfe5812d5aa11498337dc1ce4e8fb43d89a95417d424a04f913c30207d45d0