Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2024, 05:06 UTC

General

  • Target

    f51892f6d4ee376d5b2472d51e5a6729_JaffaCakes118.exe

  • Size

    494KB

  • MD5

    f51892f6d4ee376d5b2472d51e5a6729

  • SHA1

    e68bc433795b01e2844f70dabaf512a519daadcd

  • SHA256

    11742b1b7437e34b15baafe3e44a7cf5a14d9b149ddb87499c42dd9fdbd5661a

  • SHA512

    f878b9f065894e0fe6449c0c1ca7fee4f1aacebc8925067d4af053bd7af0972dbce9a47814d864387fad13d7dad60352596c9975a177a1111aa5e79f6f0ad92f

  • SSDEEP

    12288:mnKfyxV2ImdvPGBFfi8WuJ6+1x0KCYT88VtX0n:WKfwV2HtPgFfN9/pD4

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f51892f6d4ee376d5b2472d51e5a6729_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f51892f6d4ee376d5b2472d51e5a6729_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Local\Temp\n1245\s1245.exe
      "C:\Users\Admin\AppData\Local\Temp\n1245\s1245.exe" ins.exe /e 12488987 /u 52fe2c91-49dc-40b7-b209-1f140a000013 /v "C:\Users\Admin\AppData\Local\Temp\f51892f6d4ee376d5b2472d51e5a6729_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3760
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 4500
      2⤵
      • Program crash
      PID:4024
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1120 -ip 1120
    1⤵
    PID:1732

    Network

    • flag-us
      DNS
      64.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      64.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      9.228.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.228.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      82.90.14.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      82.90.14.23.in-addr.arpa
      IN PTR
      Response
      82.90.14.23.in-addr.arpa
      IN PTR
      a23-14-90-82.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      ocsp.thawte.com
      s1245.exe
      Remote address:
      8.8.8.8:53
      Request
      ocsp.thawte.com
      IN A
      Response
      ocsp.thawte.com
      IN CNAME
      mpki-ocsp.digicert.com
      mpki-ocsp.digicert.com
      IN CNAME
      fp3011.wpc.2be4.phicdn.net
      fp3011.wpc.2be4.phicdn.net
      IN CNAME
      fp3011.wpc.phicdn.net
      fp3011.wpc.phicdn.net
      IN A
      152.199.19.74
    • flag-us
      GET
      http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
      s1245.exe
      Remote address:
      152.199.19.74:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: ocsp.thawte.com
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 1598
      Cache-Control: public, max-age=300
      Content-Type: application/ocsp-response
      Date: Wed, 17 Apr 2024 05:06:36 GMT
      Last-Modified: Wed, 17 Apr 2024 04:39:58 GMT
      Server: ECAcc (lhc/789F)
      X-Cache: HIT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Content-Length: 5
    • flag-us
      POST
      http://ocsp.thawte.com/
      s1245.exe
      Remote address:
      152.199.19.74:80
      Request
      POST / HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Content-Type: application/ocsp-request
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Content-Length: 83
      Host: ocsp.thawte.com
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 3909
      Cache-Control: public, max-age=300
      Content-Type: application/ocsp-response
      Date: Wed, 17 Apr 2024 05:06:36 GMT
      Last-Modified: Wed, 17 Apr 2024 04:01:27 GMT
      Server: ECAcc (lhc/78B5)
      X-Cache: HIT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Content-Length: 5
    • flag-us
      GET
      http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEDI%2FRNZq74kPQ8Ms%2FXQ6StA%3D
      s1245.exe
      Remote address:
      152.199.19.74:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEDI%2FRNZq74kPQ8Ms%2FXQ6StA%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: ocsp.thawte.com
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 3243
      Cache-Control: public, max-age=86400
      Content-Type: application/ocsp-response
      Date: Wed, 17 Apr 2024 05:06:36 GMT
      Last-Modified: Wed, 17 Apr 2024 04:12:33 GMT
      Server: ECAcc (lhc/7913)
      X-Cache: HIT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Content-Length: 1441
    • flag-us
      DNS
      crl.thawte.com
      s1245.exe
      Remote address:
      8.8.8.8:53
      Request
      crl.thawte.com
      IN A
      Response
      crl.thawte.com
      IN CNAME
      crl-symcprod.digicert.com
      crl-symcprod.digicert.com
      IN CNAME
      crl.edge.digicert.com
      crl.edge.digicert.com
      IN CNAME
      fp2e7a.wpc.2be4.phicdn.net
      fp2e7a.wpc.2be4.phicdn.net
      IN CNAME
      fp2e7a.wpc.phicdn.net
      fp2e7a.wpc.phicdn.net
      IN A
      192.229.221.95
    • flag-se
      GET
      http://crl.thawte.com/ThawtePCA.crl
      s1245.exe
      Remote address:
      192.229.221.95:80
      Request
      GET /ThawtePCA.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: crl.thawte.com
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 3090
      Cache-Control: public, max-age=3600
      Content-Type: application/pkix-crl
      Date: Wed, 17 Apr 2024 05:06:36 GMT
      Last-Modified: Wed, 17 Apr 2024 04:15:06 GMT
      Server: ECAcc (lhd/35A2)
      X-Cache: HIT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Content-Length: 604
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8123d77bbb22413e8805213842452af6&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8123d77bbb22413e8805213842452af6&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=3FC8DB17CEA4643A154DCF73CF836563; domain=.bing.com; expires=Mon, 12-May-2025 05:06:36 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: A3D97036B49845B39FBA579E9D6A841C Ref B: LON04EDGE0719 Ref C: 2024-04-17T05:06:36Z
      date: Wed, 17 Apr 2024 05:06:36 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8123d77bbb22413e8805213842452af6&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8123d77bbb22413e8805213842452af6&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3FC8DB17CEA4643A154DCF73CF836563
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=bZ50-xJ2MFZTEfj0Hq2GpfFl9AEga0tWrJ_Lz0hmgA0; domain=.bing.com; expires=Mon, 12-May-2025 05:06:37 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 82640C3818B24425841EEDF75ECD3BB5 Ref B: LON04EDGE0719 Ref C: 2024-04-17T05:06:37Z
      date: Wed, 17 Apr 2024 05:06:36 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8123d77bbb22413e8805213842452af6&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8123d77bbb22413e8805213842452af6&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3FC8DB17CEA4643A154DCF73CF836563; MSPTC=bZ50-xJ2MFZTEfj0Hq2GpfFl9AEga0tWrJ_Lz0hmgA0
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4C3FB9F938CC410B9D07D17806140297 Ref B: LON04EDGE0719 Ref C: 2024-04-17T05:06:37Z
      date: Wed, 17 Apr 2024 05:06:36 GMT
    • flag-us
      DNS
      21.114.53.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.114.53.23.in-addr.arpa
      IN PTR
      Response
      21.114.53.23.in-addr.arpa
      IN PTR
      a23-53-114-21.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      74.19.199.152.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      74.19.199.152.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.156.103.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.156.103.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      api.socdn.com
      s1245.exe
      Remote address:
      8.8.8.8:53
      Request
      api.socdn.com
      IN A
      Response
      api.socdn.com
      IN CNAME
      615321.parkingcrew.net
      615321.parkingcrew.net
      IN A
      13.248.148.254
      615321.parkingcrew.net
      IN A
      76.223.26.96
    • flag-us
      GET
      http://api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/12488987/config
      s1245.exe
      Remote address:
      13.248.148.254:80
      Request
      GET /installer/52fe2c91-49dc-40b7-b209-1f140a000013/12488987/config HTTP/1.1
      User-Agent: DownloadMR/3.1.17 (MSIE 9.11;Windows NT 6.3.9600.0;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;m=B660M GAMING X DDR4;northstar)
      Accept-Language: en-US
      Host: api.socdn.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 17 Apr 2024 05:06:42 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Server: nginx
      Vary: Accept-Encoding
      Vary: Accept-Encoding
      X-Redirect: skenzo
      X-Buckets: bucket102
      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_XHILpYpdyBS/6QAx5tpYv/68LWzpbKWTV/3pLP5rjTQdwvlXOOwp4i73fQuMcE3NmMMH4KU9/TqMq5ujtR0aZA==
      X-Template: tpl_CleanPeppermintBlack_twoclick
      X-Language: english
      Accept-CH: viewport-width
      Accept-CH: dpr
      Accept-CH: device-memory
      Accept-CH: rtt
      Accept-CH: downlink
      Accept-CH: ect
      Accept-CH: ua
      Accept-CH: ua-full-version
      Accept-CH: ua-platform
      Accept-CH: ua-platform-version
      Accept-CH: ua-arch
      Accept-CH: ua-model
      Accept-CH: ua-mobile
      Accept-CH-Lifetime: 30
      X-Domain: socdn.com
      X-Subdomain: api
    • flag-us
      POST
      http://api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/12488987/event
      s1245.exe
      Remote address:
      13.248.148.254:80
      Request
      POST /installer/52fe2c91-49dc-40b7-b209-1f140a000013/12488987/event HTTP/1.1
      User-Agent: DownloadMR/3.1.17 (MSIE 9.11;Windows NT 6.3.9600.0;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;m=B660M GAMING X DDR4;northstar)
      Accept-Language: en-US
      Content-Type: application/x-www-form-urlencoded
      Host: api.socdn.com
      Content-Length: 3394
      Expect: 100-continue
      Response
      HTTP/1.1 403 Forbidden
      Server: awselb/2.0
      Date: Wed, 17 Apr 2024 05:06:43 GMT
      Content-Type: text/html; charset=utf-8
      Content-Length: 138
      Connection: keep-alive
    • flag-us
      DNS
      254.148.248.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      254.148.248.13.in-addr.arpa
      IN PTR
      Response
      254.148.248.13.in-addr.arpa
      IN PTR
      aba1c1ff9d2ec5376.awsglobalaccelerator.com
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      24.139.73.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.139.73.23.in-addr.arpa
      IN PTR
      Response
      24.139.73.23.in-addr.arpa
      IN PTR
      a23-73-139-24.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      91.90.14.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      91.90.14.23.in-addr.arpa
      IN PTR
      Response
      91.90.14.23.in-addr.arpa
      IN PTR
      a23-14-90-91.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      31.73.42.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.73.42.20.in-addr.arpa
      IN PTR
      Response
    • 152.199.19.74:80
      http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEDI%2FRNZq74kPQ8Ms%2FXQ6StA%3D
      http
      s1245.exe
      1.2kB
      2.8kB
      9
      7

      HTTP Request

      GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

      HTTP Response

      200

      HTTP Request

      POST http://ocsp.thawte.com/

      HTTP Response

      200

      HTTP Request

      GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEDI%2FRNZq74kPQ8Ms%2FXQ6StA%3D

      HTTP Response

      200
    • 192.229.221.95:80
      http://crl.thawte.com/ThawtePCA.crl
      http
      s1245.exe
      358 B
      1.1kB
      5
      3

      HTTP Request

      GET http://crl.thawte.com/ThawtePCA.crl

      HTTP Response

      200
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8123d77bbb22413e8805213842452af6&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=
      tls, http2
      2.0kB
      9.2kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8123d77bbb22413e8805213842452af6&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8123d77bbb22413e8805213842452af6&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8123d77bbb22413e8805213842452af6&localId=w:8278E319-FE4C-D664-BDAB-F28E31699514&deviceId=6896199938771339&anid=

      HTTP Response

      204
    • 13.248.148.254:80
      http://api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/12488987/event
      http
      s1245.exe
      4.7kB
      4.4kB
      13
      13

      HTTP Request

      GET http://api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/12488987/config

      HTTP Response

      200

      HTTP Request

      POST http://api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/12488987/event

      HTTP Response

      403
    • 8.8.8.8:53
      64.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      64.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      9.228.82.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      9.228.82.20.in-addr.arpa

    • 8.8.8.8:53
      82.90.14.23.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      82.90.14.23.in-addr.arpa

    • 8.8.8.8:53
      ocsp.thawte.com
      dns
      s1245.exe
      61 B
      175 B
      1
      1

      DNS Request

      ocsp.thawte.com

      DNS Response

      152.199.19.74

    • 8.8.8.8:53
      crl.thawte.com
      dns
      s1245.exe
      60 B
      200 B
      1
      1

      DNS Request

      crl.thawte.com

      DNS Response

      192.229.221.95

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      21.114.53.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      21.114.53.23.in-addr.arpa

    • 8.8.8.8:53
      74.19.199.152.in-addr.arpa
      dns
      72 B
      143 B
      1
      1

      DNS Request

      74.19.199.152.in-addr.arpa

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
      143 B
      1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      88.156.103.20.in-addr.arpa

    • 8.8.8.8:53
      api.socdn.com
      dns
      s1245.exe
      59 B
      127 B
      1
      1

      DNS Request

      api.socdn.com

      DNS Response

      13.248.148.254
      76.223.26.96

    • 8.8.8.8:53
      254.148.248.13.in-addr.arpa
      dns
      73 B
      129 B
      1
      1

      DNS Request

      254.148.248.13.in-addr.arpa

    • 8.8.8.8:53
      103.169.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      103.169.127.40.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      24.139.73.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      24.139.73.23.in-addr.arpa

    • 8.8.8.8:53
      91.90.14.23.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      91.90.14.23.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      31.73.42.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      31.73.42.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\n1245\s1245.exe

      Filesize

      286KB

      MD5

      c268c937148a046322219b77c5a031b0

      SHA1

      e83ed15c7ef694a2281955a16ffeec0672c56107

      SHA256

      c913057e15ac6b27b204be58b52132d62901746075faa298bb0d08c84958d51e

      SHA512

      44cc28c7a707a37e49afdd23af42a620a8eb78f7b54913b41d8cd5eadd5ea37a6eb16e83d99dd75bbc736e70970a7c94b33d55950ed3dda45302477ea3868a19

    • memory/3760-11-0x00007FF8B28A0000-0x00007FF8B3241000-memory.dmp

      Filesize

      9.6MB

    • memory/3760-12-0x00007FF8B28A0000-0x00007FF8B3241000-memory.dmp

      Filesize

      9.6MB

    • memory/3760-15-0x0000000000E80000-0x0000000000E90000-memory.dmp

      Filesize

      64KB

    • memory/3760-26-0x000000001BA90000-0x000000001BA9A000-memory.dmp

      Filesize

      40KB

    • memory/3760-29-0x000000001C2E0000-0x000000001C7AE000-memory.dmp

      Filesize

      4.8MB

    • memory/3760-30-0x000000001C850000-0x000000001C8EC000-memory.dmp

      Filesize

      624KB

    • memory/3760-31-0x000000001B750000-0x000000001B758000-memory.dmp

      Filesize

      32KB

    • memory/3760-32-0x0000000000E80000-0x0000000000E90000-memory.dmp

      Filesize

      64KB

    • memory/3760-33-0x0000000000E80000-0x0000000000E90000-memory.dmp

      Filesize

      64KB

    • memory/3760-34-0x0000000000E80000-0x0000000000E90000-memory.dmp

      Filesize

      64KB

    • memory/3760-35-0x000000001F920000-0x000000001F982000-memory.dmp

      Filesize

      392KB

    • memory/3760-36-0x000000001FED0000-0x000000002000C000-memory.dmp

      Filesize

      1.2MB

    • memory/3760-37-0x0000000020520000-0x0000000020A2E000-memory.dmp

      Filesize

      5.1MB

    • memory/3760-38-0x0000000020A30000-0x0000000020B30000-memory.dmp

      Filesize

      1024KB

    • memory/3760-40-0x00007FF8B28A0000-0x00007FF8B3241000-memory.dmp

      Filesize

      9.6MB
