
Analysis

  • max time kernel
    138s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/04/2024, 06:47 UTC

General

  • Target

    feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll

  • Size

    2.2MB

  • MD5

    feb0bf5b0d7f6820c330fa45091cd189

  • SHA1

    a1f50429415bc7cbf1706c22dfdca734173fb9ac

  • SHA256

    474fe0f75ec639814eac17468c8ce29908ed30f3665457d864cffa6540047ea0

  • SHA512

    07f208c66899c0f298037dd8aab4d772e2ef6321a36519112e5d677170a58ee19d69e8a397ae0cb485cc1f2c71d82b55c004d96cf40c459fbda3b405602670f8

  • SSDEEP

    24576:52WdDKT6lr1CDu2ruh59hmxxJNOjOAUBJjlD4qH5vlalua2UotfG6o:53DlBEidgxJN5AejlD4uvlab2UotfG

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
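The two signatures "Runs .reg file with regedit" and "Modifies WinLogon for persistence" come from the same event: the 32-bit Regedit.exe silently importing C:\Windows\SysWOW64\arun.reg. The report does not show the contents of arun.reg, so the following is an added example rather than the sample's file: a small parser for the .reg import format with a check for edits to the Winlogon values that decide what runs at logon. The SAMPLE_REG text is constructed for illustration, and the path it appends to Shell is hypothetical.

```python
r"""Added example, not part of the Triage report or the sample: a parser for Windows
.reg import files that flags edits to Winlogon logon-control values.

The report records Regedit.exe /s "C:\Windows\SysWOW64\arun.reg" and the signature
"Modifies WinLogon for persistence" but does not show arun.reg itself. SAMPLE_REG
below is CONSTRUCTED; the program it appends to Shell is hypothetical.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Values under Winlogon that name code to run at logon (MITRE ATT&CK T1547.004).
WATCHED_VALUES = {"Shell", "Userinit", "Taskman", "AppSetup", "GinaDLL", "VmApplet"}
# Stock Windows 10 contents; anything else in these values deserves a look.
DEFAULTS = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\SysWOW64\\arun.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Example]
"Harmless"=dword:00000001
"Blob"=hex:01,02,\
  03,04
"""

# "name"=data  or  @=data (default value); names may contain \" and \\ escapes
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _decode(data):
    """Decode the right-hand side of a value line."""
    if data == "-":                        # "name"=-  deletes the value
        return None
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if data.lower().startswith("hex"):     # hex:, hex(2):, hex(7): ... -> raw bytes
        body = data.split(":", 1)[1]
        return bytes(int(b, 16) for b in body.split(",") if b.strip())
    return data                            # unknown type: keep the literal text


def parse_reg(text):
    """Return ({key: {value_name: data}}, {deleted keys}) for .reg text.

    Real regedit exports are UTF-16LE with a BOM; open files with encoding="utf-16".
    """
    header = text.lstrip()
    if not (header.startswith("Windows Registry Editor Version 5.00")
            or header.startswith("REGEDIT4")):
        raise ValueError("missing .reg header")
    merged, pending = [], ""
    for raw in text.splitlines():          # hex data continues across lines ending in '\'
        line = raw.strip()
        if line.endswith("\\") and not line.startswith("["):
            pending += line[:-1]
            continue
        merged.append(pending + line)
        pending = ""
    keys, deleted, current = {}, set(), None
    for line in merged:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):       # [-key] deletes the whole key
                deleted.add(name[1:])
                current = None
            else:
                current = name
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            vname = "@" if m.group(2) else _unescape(m.group(1))
            keys[current][vname] = _decode(m.group(3).strip())
    return keys, deleted


def winlogon_findings(keys):
    """List (value, data) pairs that change which code Winlogon runs at logon."""
    out = []
    for key, values in keys.items():
        # also accept the Wow6432Node path, since a 32-bit regedit did the import
        if key.lower().replace("\\wow6432node", "") != WINLOGON_KEY.lower():
            continue
        for name, data in values.items():
            if name in WATCHED_VALUES and str(data).lower() != DEFAULTS.get(name, "").lower():
                out.append((name, data))
    return out


if __name__ == "__main__":
    parsed, _ = parse_reg(SAMPLE_REG)
    for name, data in winlogon_findings(parsed):
        print(f"Winlogon\\{name} -> {data!r}")
```

Shell accepts a comma-separated list, so appending a second program keeps explorer.exe working while also launching the implant at every logon, which is why a value that merely starts with the default is not treated as clean. When verifying on a live host, read both the native Winlogon key and its Wow6432Node counterpart, since the import was done by the SysWOW64 (32-bit) regedit.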

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
        3⤵
          PID:4520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
          3⤵
            PID:3960
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
            3⤵
              PID:3360
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
              3⤵
                PID:3160
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
                3⤵
                  PID:3932
                • C:\Windows\SysWOW64\Regedit.exe
                  Regedit.exe /s "C:\Windows\SysWOW64\arun.reg"
                  3⤵
                  • Modifies WinLogon for persistence
                  • Runs .reg file with regedit
                  PID:3296
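The tree above is the whole story of this sample in four process types: a 64-bit rundll32 re-launching the 32-bit one to call export ordinal #1 of a DLL in the user's Temp folder, that process running a batch file dropped in INetCookies five times over, and finally Regedit.exe /s importing a .reg it wrote into SysWOW64. The following is an added example, not part of the report, of rule logic that flags those command lines individually and then ties them together by parent-child lineage. The EVENTS list is constructed from the tree (the root rundll32's parent is not shown in the report, and the explorer/notepad/shell32 entries are invented benign controls).

```python
"""Added example, not part of the Triage report: a small rule set over
process-creation events shaped like the report's tree (pid, parent pid, image,
command line) that detects the rundll32 -> cmd/.bat -> regedit /s chain as a unit.

EVENTS is CONSTRUCTED from the tree in the report; pids 100-102 are invented benign
controls and the root rundll32's parent is unknown (set to 0).
"""
import re

EVENTS = [
    {"pid": 5000, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1"},
    {"pid": 4792, "ppid": 5000, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1"},
    {"pid": 4520, "ppid": 4792, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat"},
    {"pid": 3296, "ppid": 4792, "image": r"C:\Windows\SysWOW64\Regedit.exe",
     "cmdline": r'Regedit.exe /s "C:\Windows\SysWOW64\arun.reg"'},
    # benign controls: a normal shell session and a legitimate rundll32 call by name
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\system32\notepad.exe", "cmdline": "notepad.exe"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

RULES = {
    # DLL under a user-writable path, export called by ordinal (#N): rare in legitimate use
    "rundll32_ordinal_from_user_dir": re.compile(
        r"rundll32(?:\.exe)?\s+.*\\(?:Users|AppData|Temp)\\.*\.dll\s*,\s*#\d+", re.I),
    # batch file executed out of the INetCookies cache folder
    "cmd_runs_bat_from_inetcookies": re.compile(
        r"cmd(?:\.exe)?\s+/c\s+.*\\INetCookies\\\S*\.bat", re.I),
    # silent (/s) import of a .reg file: no prompt, no UI
    "regedit_silent_import": re.compile(
        r"regedit(?:\.exe)?\s+/s\s+\"?[^\"]*\.reg", re.I),
}


def match_rules(events):
    """Return [(rule_name, pid)] for every event whose command line hits a rule."""
    hits = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits.append((name, ev["pid"]))
    return hits


def lineage(pid, by_pid):
    """Yield the event for pid, then its parent, grandparent, ... (cycle-safe)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def chained_persistence(events):
    """PIDs of regedit imports whose ancestry includes a rundll32 user-dir ordinal load.

    Each rule on its own is noisy (administrators do run regedit /s); the
    combination under one rundll32 lineage is what makes this high confidence.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = match_rules(events)
    loaders = {pid for name, pid in hits if name == "rundll32_ordinal_from_user_dir"}
    flagged = []
    for name, pid in hits:
        if name != "regedit_silent_import":
            continue
        ancestors = (a for a in lineage(pid, by_pid) if a["pid"] != pid)
        if any(a["pid"] in loaders for a in ancestors):
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    for rule, pid in match_rules(EVENTS):
        print(f"{rule:32s} pid={pid}")
    print("chained persistence:", chained_persistence(EVENTS))
```

The same fields are available from Sysmon Event ID 1 (ProcessId, ParentProcessId, CommandLine) or Windows Security event 4688 with command-line auditing enabled, so the rules port directly to a SIEM query; the lineage join is the part most hunt queries leave out.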

            Network

            • flag-us
              DNS
              wallcoo.com
              rundll32.exe
              Remote address:
              8.8.8.8:53
              Request
              wallcoo.com
              IN A
              Response
              wallcoo.com
              IN A
              54.39.24.10
            • flag-us
              DNS
              g.bing.com
              Remote address:
              8.8.8.8:53
              Request
              g.bing.com
              IN A
              Response
              g.bing.com
              IN CNAME
              g-bing-com.dual-a-0034.a-msedge.net
              g-bing-com.dual-a-0034.a-msedge.net
              IN CNAME
              dual-a-0034.a-msedge.net
              dual-a-0034.a-msedge.net
              IN A
              204.79.197.237
              dual-a-0034.a-msedge.net
              IN A
              13.107.21.237
            • flag-us
              GET
              https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=
              Remote address:
              204.79.197.237:443
              Request
              GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid= HTTP/2.0
              host: g.bing.com
              accept-encoding: gzip, deflate
              user-agent: WindowsShellClient/9.0.40929.0 (Windows)
              Response
              HTTP/2.0 204
              cache-control: no-cache, must-revalidate
              pragma: no-cache
              expires: Fri, 01 Jan 1990 00:00:00 GMT
              set-cookie: MUID=0604FC28447661773DCDE84045966055; domain=.bing.com; expires=Fri, 16-May-2025 06:48:02 GMT; path=/; SameSite=None; Secure; Priority=High;
              strict-transport-security: max-age=31536000; includeSubDomains; preload
              access-control-allow-origin: *
              x-cache: CONFIG_NOCACHE
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: 6F471EF7FF5341AF95A929978786C6E2 Ref B: LON04EDGE1206 Ref C: 2024-04-21T06:48:02Z
              date: Sun, 21 Apr 2024 06:48:01 GMT
            • flag-us
              GET
              https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=
              Remote address:
              204.79.197.237:443
              Request
              GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid= HTTP/2.0
              host: g.bing.com
              accept-encoding: gzip, deflate
              user-agent: WindowsShellClient/9.0.40929.0 (Windows)
              cookie: MUID=0604FC28447661773DCDE84045966055
              Response
              HTTP/2.0 204
              cache-control: no-cache, must-revalidate
              pragma: no-cache
              expires: Fri, 01 Jan 1990 00:00:00 GMT
              set-cookie: MSPTC=tttz342nPkQ8mWCtlQSkM6v57Hh8uABqWgeBrLLnsgM; domain=.bing.com; expires=Fri, 16-May-2025 06:48:02 GMT; path=/; Partitioned; secure; SameSite=None
              strict-transport-security: max-age=31536000; includeSubDomains; preload
              access-control-allow-origin: *
              x-cache: CONFIG_NOCACHE
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: E0056D0EB9CA4C3CBF7A0C5D01170411 Ref B: LON04EDGE1206 Ref C: 2024-04-21T06:48:02Z
              date: Sun, 21 Apr 2024 06:48:01 GMT
            • flag-us
              GET
              https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=
              Remote address:
              204.79.197.237:443
              Request
              GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid= HTTP/2.0
              host: g.bing.com
              accept-encoding: gzip, deflate
              user-agent: WindowsShellClient/9.0.40929.0 (Windows)
              cookie: MUID=0604FC28447661773DCDE84045966055; MSPTC=tttz342nPkQ8mWCtlQSkM6v57Hh8uABqWgeBrLLnsgM
              Response
              HTTP/2.0 204
              cache-control: no-cache, must-revalidate
              pragma: no-cache
              expires: Fri, 01 Jan 1990 00:00:00 GMT
              strict-transport-security: max-age=31536000; includeSubDomains; preload
              access-control-allow-origin: *
              x-cache: CONFIG_NOCACHE
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: 37CC5FFC99F64022B00BE2D32D0E0054 Ref B: LON04EDGE1206 Ref C: 2024-04-21T06:48:02Z
              date: Sun, 21 Apr 2024 06:48:02 GMT
            • flag-us
              DNS
              0.159.190.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              0.159.190.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              240.221.184.93.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              240.221.184.93.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              237.197.79.204.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              237.197.79.204.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              149.220.183.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              149.220.183.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              9.228.82.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              9.228.82.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              9.228.82.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              9.228.82.20.in-addr.arpa
              IN PTR
            • flag-nl
              GET
              https://www.bing.com/th?id=OADD2.10239381793954_1BHQ1BWFG78XLZOQQ&pid=21.2&c=16&roil=0.0049&roit=0&roir=0.9951&roib=1&w=24&h=24&dynsize=1&qlt=90
              Remote address:
              23.62.61.145:443
              Request
              GET /th?id=OADD2.10239381793954_1BHQ1BWFG78XLZOQQ&pid=21.2&c=16&roil=0.0049&roit=0&roir=0.9951&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
              host: www.bing.com
              accept: */*
              cookie: MUID=0604FC28447661773DCDE84045966055; MSPTC=tttz342nPkQ8mWCtlQSkM6v57Hh8uABqWgeBrLLnsgM
              accept-encoding: gzip, deflate, br
              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
              Response
              HTTP/2.0 200
              cache-control: public, max-age=2592000
              content-type: image/png
              access-control-allow-origin: *
              access-control-allow-headers: *
              access-control-allow-methods: GET, POST, OPTIONS
              timing-allow-origin: *
              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
              content-length: 1299
              date: Sun, 21 Apr 2024 06:48:05 GMT
              alt-svc: h3=":443"; ma=93600
              x-cdn-traceid: 0.8d3d3e17.1713682085.7328757
            • flag-us
              DNS
              43.58.199.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              43.58.199.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              21.114.53.23.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              21.114.53.23.in-addr.arpa
              IN PTR
              Response
              21.114.53.23.in-addr.arpa
              IN PTR
              a23-53-114-21.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              145.61.62.23.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              145.61.62.23.in-addr.arpa
              IN PTR
              Response
              145.61.62.23.in-addr.arpa
              IN PTR
              a23-62-61-145.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              157.123.68.40.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              157.123.68.40.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              15.164.165.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              15.164.165.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              217.106.137.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              217.106.137.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              154.173.246.72.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              154.173.246.72.in-addr.arpa
              IN PTR
              Response
              154.173.246.72.in-addr.arpa
              IN PTR
              a72-246-173-154.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              154.173.246.72.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              154.173.246.72.in-addr.arpa
              IN PTR
            • flag-us
              DNS
              198.32.209.4.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              198.32.209.4.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              198.32.209.4.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              198.32.209.4.in-addr.arpa
              IN PTR
            • flag-us
              DNS
              119.110.54.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              119.110.54.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              119.110.54.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              119.110.54.20.in-addr.arpa
              IN PTR
            • flag-us
              DNS
              65.139.73.23.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              65.139.73.23.in-addr.arpa
              IN PTR
              Response
              65.139.73.23.in-addr.arpa
              IN PTR
              a23-73-139-65.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              172.210.232.199.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              172.210.232.199.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              49.15.97.104.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              49.15.97.104.in-addr.arpa
              IN PTR
              Response
              49.15.97.104.in-addr.arpa
              IN PTR
              a104-97-15-49.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              43.229.111.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              43.229.111.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              tse1.mm.bing.net
              Remote address:
              8.8.8.8:53
              Request
              tse1.mm.bing.net
              IN A
              Response
              tse1.mm.bing.net
              IN CNAME
              mm-mm.bing.net.trafficmanager.net
              mm-mm.bing.net.trafficmanager.net
              IN CNAME
              dual-a-0001.a-msedge.net
              dual-a-0001.a-msedge.net
              IN A
              204.79.197.200
              dual-a-0001.a-msedge.net
              IN A
              13.107.21.200
            • flag-us
              DNS
              tse1.mm.bing.net
              Remote address:
              8.8.8.8:53
              Request
              tse1.mm.bing.net
              IN A
              Response
              tse1.mm.bing.net
              IN CNAME
              mm-mm.bing.net.trafficmanager.net
              mm-mm.bing.net.trafficmanager.net
              IN CNAME
              dual-a-0001.a-msedge.net
              dual-a-0001.a-msedge.net
              IN A
              204.79.197.200
              dual-a-0001.a-msedge.net
              IN A
              13.107.21.200
            • flag-us
              GET
              https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
              Remote address:
              204.79.197.200:443
              Request
              GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
              host: tse1.mm.bing.net
              accept: */*
              accept-encoding: gzip, deflate, br
              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
              Response
              HTTP/2.0 200
              cache-control: public, max-age=2592000
              content-length: 430689
              content-type: image/jpeg
              x-cache: TCP_HIT
              access-control-allow-origin: *
              access-control-allow-headers: *
              access-control-allow-methods: GET, POST, OPTIONS
              timing-allow-origin: *
              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: B82AF97C265F48EDA0D588C85F3A4B90 Ref B: LON04EDGE0907 Ref C: 2024-04-21T06:49:38Z
              date: Sun, 21 Apr 2024 06:49:37 GMT
            • flag-us
              GET
              https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
              Remote address:
              204.79.197.200:443
              Request
              GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
              host: tse1.mm.bing.net
              accept: */*
              accept-encoding: gzip, deflate, br
              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
              Response
              HTTP/2.0 200
              cache-control: public, max-age=2592000
              content-length: 792794
              content-type: image/jpeg
              x-cache: TCP_HIT
              access-control-allow-origin: *
              access-control-allow-headers: *
              access-control-allow-methods: GET, POST, OPTIONS
              timing-allow-origin: *
              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: 567568328B0145BAAEC0D69D8F7BAFEC Ref B: LON04EDGE0907 Ref C: 2024-04-21T06:49:38Z
              date: Sun, 21 Apr 2024 06:49:37 GMT
            • flag-us
              GET
              https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
              Remote address:
              204.79.197.200:443
              Request
              GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
              host: tse1.mm.bing.net
              accept: */*
              accept-encoding: gzip, deflate, br
              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
              Response
              HTTP/2.0 200
              cache-control: public, max-age=2592000
              content-length: 627437
              content-type: image/jpeg
              x-cache: TCP_HIT
              access-control-allow-origin: *
              access-control-allow-headers: *
              access-control-allow-methods: GET, POST, OPTIONS
              timing-allow-origin: *
              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: C1782DC2BBA940B5BEC0CCA47AB7C257 Ref B: LON04EDGE0907 Ref C: 2024-04-21T06:49:38Z
              date: Sun, 21 Apr 2024 06:49:37 GMT
            • flag-us
              GET
              https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
              Remote address:
              204.79.197.200:443
              Request
              GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
              host: tse1.mm.bing.net
              accept: */*
              accept-encoding: gzip, deflate, br
              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
              Response
              HTTP/2.0 200
              cache-control: public, max-age=2592000
              content-length: 415458
              content-type: image/jpeg
              x-cache: TCP_HIT
              access-control-allow-origin: *
              access-control-allow-headers: *
              access-control-allow-methods: GET, POST, OPTIONS
              timing-allow-origin: *
              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              x-msedge-ref: Ref A: 8C67E0BD642C4F79BC5F749C0CA8E392 Ref B: LON04EDGE0907 Ref C: 2024-04-21T06:49:38Z
              date: Sun, 21 Apr 2024 06:49:37 GMT
            • flag-us
              DNS
              88.156.103.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              88.156.103.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              88.156.103.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              88.156.103.20.in-addr.arpa
              IN PTR
              Response
            • 54.39.24.10:80
              wallcoo.com
              rundll32.exe
              156 B
              3
            • 204.79.197.237:443
              https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=
              tls, http2
              2.1kB
              9.2kB
              23
              19

              HTTP Request

              GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

              HTTP Response

              204

              HTTP Request

              GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

              HTTP Response

              204

              HTTP Request

              GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

              HTTP Response

              204
            • 23.62.61.145:443
              https://www.bing.com/th?id=OADD2.10239381793954_1BHQ1BWFG78XLZOQQ&pid=21.2&c=16&roil=0.0049&roit=0&roir=0.9951&roib=1&w=24&h=24&dynsize=1&qlt=90
              tls, http2
              1.5kB
              6.5kB
              17
              12

              HTTP Request

              GET https://www.bing.com/th?id=OADD2.10239381793954_1BHQ1BWFG78XLZOQQ&pid=21.2&c=16&roil=0.0049&roit=0&roir=0.9951&roib=1&w=24&h=24&dynsize=1&qlt=90

              HTTP Response

              200
            • 52.111.236.23:443
              322 B
              7
            • 204.79.197.200:443
              tse1.mm.bing.net
              tls, http2
              1.2kB
              8.1kB
              16
              14
            • 204.79.197.200:443
              tse1.mm.bing.net
              tls, http2
              1.2kB
              8.1kB
              16
              13
            • 204.79.197.200:443
              https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
              tls, http2
              82.8kB
              2.4MB
              1744
              1740

              HTTP Request

              GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

              HTTP Request

              GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

              HTTP Request

              GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

              HTTP Request

              GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

              HTTP Response

              200

              HTTP Response

              200

              HTTP Response

              200

              HTTP Response

              200
            • 204.79.197.200:443
              tse1.mm.bing.net
              tls, http2
              1.3kB
              8.1kB
              17
              14
            • 8.8.8.8:53
              wallcoo.com
              dns
              rundll32.exe
              57 B
              73 B
              1
              1

              DNS Request

              wallcoo.com

              DNS Response

              54.39.24.10

            • 8.8.8.8:53
              g.bing.com
              dns
              56 B
              151 B
              1
              1

              DNS Request

              g.bing.com

              DNS Response

              204.79.197.237
              13.107.21.237

            • 8.8.8.8:53
              0.159.190.20.in-addr.arpa
              dns
              71 B
              157 B
              1
              1

              DNS Request

              0.159.190.20.in-addr.arpa

            • 8.8.8.8:53
              240.221.184.93.in-addr.arpa
              dns
              73 B
              144 B
              1
              1

              DNS Request

              240.221.184.93.in-addr.arpa

            • 8.8.8.8:53
              237.197.79.204.in-addr.arpa
              dns
              73 B
              143 B
              1
              1

              DNS Request

              237.197.79.204.in-addr.arpa

            • 8.8.8.8:53
              149.220.183.52.in-addr.arpa
              dns
              73 B
              147 B
              1
              1

              DNS Request

              149.220.183.52.in-addr.arpa

            • 8.8.8.8:53
              9.228.82.20.in-addr.arpa
              dns
              140 B
              156 B
              2
              1

              DNS Request

              9.228.82.20.in-addr.arpa

              DNS Request: 9.228.82.20.in-addr.arpa

            • 8.8.8.8:53  43.58.199.20.in-addr.arpa  dns  sent 71 B  received 157 B  requests 1  responses 1
              DNS Request: 43.58.199.20.in-addr.arpa

            • 8.8.8.8:53  21.114.53.23.in-addr.arpa  dns  sent 71 B  received 135 B  requests 1  responses 1
              DNS Request: 21.114.53.23.in-addr.arpa

            • 8.8.8.8:53  145.61.62.23.in-addr.arpa  dns  sent 71 B  received 135 B  requests 1  responses 1
              DNS Request: 145.61.62.23.in-addr.arpa

            • 8.8.8.8:53  157.123.68.40.in-addr.arpa  dns  sent 72 B  received 146 B  requests 1  responses 1
              DNS Request: 157.123.68.40.in-addr.arpa

            • 8.8.8.8:53  15.164.165.52.in-addr.arpa  dns  sent 72 B  received 146 B  requests 1  responses 1
              DNS Request: 15.164.165.52.in-addr.arpa

            • 8.8.8.8:53  217.106.137.52.in-addr.arpa  dns  sent 73 B  received 147 B  requests 1  responses 1
              DNS Request: 217.106.137.52.in-addr.arpa

            • 8.8.8.8:53  154.173.246.72.in-addr.arpa  dns  sent 146 B  received 139 B  requests 2  responses 1
              DNS Request: 154.173.246.72.in-addr.arpa
              DNS Request: 154.173.246.72.in-addr.arpa

            • 8.8.8.8:53  198.32.209.4.in-addr.arpa  dns  sent 142 B  received 157 B  requests 2  responses 1
              DNS Request: 198.32.209.4.in-addr.arpa
              DNS Request: 198.32.209.4.in-addr.arpa

            • 8.8.8.8:53  119.110.54.20.in-addr.arpa  dns  sent 144 B  received 158 B  requests 2  responses 1
              DNS Request: 119.110.54.20.in-addr.arpa
              DNS Request: 119.110.54.20.in-addr.arpa

            • 8.8.8.8:53  65.139.73.23.in-addr.arpa  dns  sent 71 B  received 135 B  requests 1  responses 1
              DNS Request: 65.139.73.23.in-addr.arpa

            • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  sent 74 B  received 128 B  requests 1  responses 1
              DNS Request: 172.210.232.199.in-addr.arpa

            • 8.8.8.8:53  49.15.97.104.in-addr.arpa  dns  sent 71 B  received 135 B  requests 1  responses 1
              DNS Request: 49.15.97.104.in-addr.arpa

            • 8.8.8.8:53  43.229.111.52.in-addr.arpa  dns  sent 72 B  received 158 B  requests 1  responses 1
              DNS Request: 43.229.111.52.in-addr.arpa

            • 8.8.8.8:53  tse1.mm.bing.net  dns  sent 124 B  received 346 B  requests 2  responses 2
              DNS Request: tse1.mm.bing.net
              DNS Request: tse1.mm.bing.net
              DNS Response: 204.79.197.200, 13.107.21.200
              DNS Response: 204.79.197.200, 13.107.21.200

            • 8.8.8.8:53  88.156.103.20.in-addr.arpa  dns  sent 144 B  received 316 B  requests 2  responses 2
              DNS Request: 88.156.103.20.in-addr.arpa
              DNS Request: 88.156.103.20.in-addr.arpa

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
              Filesize: 158B
              MD5: b0a27860ea12fd07015510c5c35c7554
              SHA1: 535e08f7a8759f019fb085554675034faca50bb3
              SHA256: 1c62ea2659178f376ddcc36492ffc6c4a0c08c78436566f20170bbe3b02d9cd9
              SHA512: f4af7e332e6b866501a79cc98a76fa1f1fa3a24d61f27a188b503c64360140dd67e0b9bb60590e8f1b5369413a1cc5d8929ea2f8ff1db843a5d8098aca5c884a

            • C:\Windows\SysWOW64\11D18gXgg.dll
              Filesize: 921B
              MD5: b7d9db6b08668f6225b47354d1625d57
              SHA1: 47068158132fe367904bbffe71d6445ba4a87b8d
              SHA256: db4a5ad033e9052a1a709ec47e9b1bcd7afb9f3c799ef7c9451871593febb0ff
              SHA512: e8bc3753bfb3e82c8e5865be23c8c976d8c7d96db5e5ec5fa80dc1c526f4af5f4e7876a7e1e756db1bff227cbd2d57ac69c7157173c0fe575fb7b345f8d1759e

            • C:\Windows\SysWOW64\11D18gXgg.dll
              Filesize: 1KB
              MD5: 03870ec18f067da58cb6253c2fad3265
              SHA1: fb8e064476fb3af2faf3a977835bb3b284cf4a33
              SHA256: f2c43e0bb1465011d8b66ddb6c9bd206e37c512d9096546d0990952ac5ada770
              SHA512: a3c58f60a0af99d1e5640a663807f5ea0f5a812e15f9ba385a38f93a4267ea6493931aad304645bc158131cfa5fee54052330295d3b2b934f9aa0212b4ca9ef1

            • C:\Windows\SysWOW64\arun.reg
              Filesize: 149B
              MD5: adfc8b71e83fe2857ee9679492f69327
              SHA1: 691d668a9bafd29397d07d40f7a9835c2a69995b
              SHA256: ce08d9de9b28cee3e147505a99335f3b7f5ab1b82dc009032864c0c1b911cd3c
              SHA512: 13f37167233bf6b00c0f23174e336f7abfbcded6e7bf8d6d5d146459a74f03cfe96a6e414d5ebfe55967be4c02a3f4e6f23cc2c5333180338a45ad7507ced822
