Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10is155016.exe
windows7-x64
3is155016.exe
windows10-2004-x64
3setup_akl.exe
windows7-x64
10setup_akl.exe
windows10-2004-x64
10$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3AKV.exe
windows7-x64
3AKV.exe
windows10-2004-x64
3HTV.dll
windows7-x64
3HTV.dll
windows10-2004-x64
3HTV.exe
windows7-x64
6HTV.exe
windows10-2004-x64
6HTV.dll
windows7-x64
3HTV.dll
windows10-2004-x64
3HTV.dll
windows7-x64
3HTV.dll
windows10-2004-x64
3HTV.chm
windows7-x64
1HTV.chm
windows10-2004-x64
1HTV.exe
windows7-x64
6HTV.exe
windows10-2004-x64
6Uninstall.exe
windows7-x64
7Uninstall.exe
windows10-2004-x64
7qs.html
windows7-x64
3qs.html
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
02/02/2025, 12:53 UTC
Behavioral task
behavioral1
Sample
is155016.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
is155016.exe
Resource
win10v2004-20250129-en
Behavioral task
behavioral3
Sample
setup_akl.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
setup_akl.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20250129-en
Behavioral task
behavioral7
Sample
AKV.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
AKV.exe
Resource
win10v2004-20250129-en
Behavioral task
behavioral9
Sample
HTV.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
HTV.dll
Resource
win10v2004-20250129-en
Behavioral task
behavioral11
Sample
HTV.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
HTV.exe
Resource
win10v2004-20250129-en
Behavioral task
behavioral13
Sample
HTV.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
HTV.dll
Resource
win10v2004-20250129-en
Behavioral task
behavioral15
Sample
HTV.dll
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
HTV.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
HTV.chm
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
HTV.chm
Resource
win10v2004-20250129-en
Behavioral task
behavioral19
Sample
HTV.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
HTV.exe
Resource
win10v2004-20250129-en
Behavioral task
behavioral21
Sample
Uninstall.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Uninstall.exe
Resource
win10v2004-20250129-en
Behavioral task
behavioral23
Sample
qs.html
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
qs.html
Resource
win10v2004-20250129-en
General
-
Target
$PLUGINSDIR/InstallOptions.dll
-
Size
14KB
-
MD5
296a5f3179fa8d7a7a855eaf696ede44
-
SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63
-
SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960
-
SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6
-
SSDEEP
192:r6JaVGQ+xI5EeuyvMmGpeWH2J5xprN+AxTyK72dwF7dBdcQOz:r6JaVh4I5rpPbTy+BdhO
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 3496 2044 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2896 wrote to memory of 2044 2896 rundll32.exe 83 PID 2896 wrote to memory of 2044 2896 rundll32.exe 83 PID 2896 wrote to memory of 2044 2896 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#12⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 6363⤵
- Program crash
PID:3496
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2044 -ip 20441⤵PID:3684
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=01A90F81DDBF6ED72BAF1A06DC5F6F1E; domain=.bing.com; expires=Fri, 27-Feb-2026 12:53:58 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 234748B4CD704CEDBDC50A44CA39E20A Ref B: LON04EDGE1013 Ref C: 2025-02-02T12:53:58Z
date: Sun, 02 Feb 2025 12:53:57 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=01A90F81DDBF6ED72BAF1A06DC5F6F1E
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=aJaie_EFcGOAoj36PPli6Aii-62AmFp3rUzuKccXYtk; domain=.bing.com; expires=Fri, 27-Feb-2026 12:53:58 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E37032CF3F034D5E8C7F3454A08EA761 Ref B: LON04EDGE1013 Ref C: 2025-02-02T12:53:58Z
date: Sun, 02 Feb 2025 12:53:57 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=Remote address:150.171.27.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=01A90F81DDBF6ED72BAF1A06DC5F6F1E; MSPTC=aJaie_EFcGOAoj36PPli6Aii-62AmFp3rUzuKccXYtk
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 640B1F9444084FCFA4889A26F8CCDE2C Ref B: LON04EDGE1013 Ref C: 2025-02-02T12:53:58Z
date: Sun, 02 Feb 2025 12:53:57 GMT
-
Remote address:8.8.8.8:53Request131.31.126.40.in-addr.arpaIN PTRResponse
-
GEThttps://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90Remote address:88.221.135.49:443RequestGET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=01A90F81DDBF6ED72BAF1A06DC5F6F1E; MSPTC=aJaie_EFcGOAoj36PPli6Aii-62AmFp3rUzuKccXYtk
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Sun, 02 Feb 2025 12:53:59 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.ad8f655f.1738500839.1f4bbd75
-
Remote address:8.8.8.8:53Request57.169.31.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request49.135.221.88.in-addr.arpaIN PTRResponse49.135.221.88.in-addr.arpaIN PTRa88-221-135-49deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request20.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request85.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request131.72.42.20.in-addr.arpaIN PTRResponse
-
150.171.27.10:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=tls, http22.0kB 9.3kB 21 16
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c11734e11c454e2abfbd29ee1ee8bcee&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=HTTP Response
204 -
88.221.135.49:443https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90tls, http21.5kB 6.4kB 17 13
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90HTTP Response
200
-
56 B 148 B 1 1
DNS Request
g.bing.com
DNS Response
150.171.27.10150.171.28.10
-
72 B 158 B 1 1
DNS Request
131.31.126.40.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
57.169.31.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
49.135.221.88.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
20.49.80.91.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
85.49.80.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
131.72.42.20.in-addr.arpa