Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13/10/2024, 17:39 UTC

General

  • Target

    41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe

  • Size

    269KB

  • MD5

    41321fec380fbae3cfe299575f1e706f

  • SHA1

    85ecf06362236aa83de0018a53b5293e4aa24e42

  • SHA256

    0d3c474dfe9e8e5b9a112772ef090a0266ed3fdc93f295bd8edae2134ac0bbfd

  • SHA512

    8e80ae3ae71224d27a6eb1b98fde8957f8e53530099fc276816f6006282b745c7ab5d9da35e611059412df77baa688b6435acf54de889dfc4e06326eb7a0a813

  • SSDEEP

    6144:nsaocyLCLS9J7JzRSfhdaNCkppSgraW88gPBCN3ivSkbk/SHBsnht/NdJqE:ntoboU7JEf+TpNrtmPBCN3Xr1/h

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\41321fec380fbae3cfe299575f1e706f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\installer5.exe
      C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\installer5.exe 4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe /t /dT132042019S /e6464533 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
        "C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe" /t /dT132042019S /e6464533 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3984

Network

  • flag-us
    DNS
    ocsp.thawte.com
    installer5.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.thawte.com
    IN A
    Response
    ocsp.thawte.com
    IN CNAME
    mpki-ocsp.digicert.com
    mpki-ocsp.digicert.com
    IN CNAME
    fp3011.wpc.2be4.phicdn.net
    fp3011.wpc.2be4.phicdn.net
    IN CNAME
    fp3011.wpc.phicdn.net
    fp3011.wpc.phicdn.net
    IN A
    152.199.19.74
  • flag-de
    GET
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
    installer5.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.thawte.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 5116
    Cache-Control: public, max-age=300
    Content-Type: application/ocsp-response
    Date: Sun, 13 Oct 2024 17:39:18 GMT
    Last-Modified: Sun, 13 Oct 2024 16:14:02 GMT
    Server: ECAcc (frc/4C82)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 5
  • flag-de
    GET
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
    installer5.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.thawte.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 5116
    Cache-Control: public, max-age=300
    Content-Type: application/ocsp-response
    Date: Sun, 13 Oct 2024 17:39:18 GMT
    Last-Modified: Sun, 13 Oct 2024 16:14:02 GMT
    Server: ECAcc (frc/4C82)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 5
  • flag-de
    GET
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHONysaXwG4bidEGBzdzAQ0%3D
    installer5.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHONysaXwG4bidEGBzdzAQ0%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.thawte.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 3783
    Cache-Control: public, max-age=300
    Content-Type: application/ocsp-response
    Date: Sun, 13 Oct 2024 17:39:18 GMT
    Last-Modified: Sun, 13 Oct 2024 16:36:15 GMT
    Server: ECAcc (frc/4CFA)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 5
  • flag-de
    GET
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHONysaXwG4bidEGBzdzAQ0%3D
    installer5.exe
    Remote address:
    152.199.19.74:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHONysaXwG4bidEGBzdzAQ0%3D HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.thawte.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 3783
    Cache-Control: public, max-age=300
    Content-Type: application/ocsp-response
    Date: Sun, 13 Oct 2024 17:39:18 GMT
    Last-Modified: Sun, 13 Oct 2024 16:36:15 GMT
    Server: ECAcc (frc/4CFA)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 5
  • flag-us
    DNS
    crl.thawte.com
    installer5.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.thawte.com
    IN A
    Response
    crl.thawte.com
    IN CNAME
    crl-symcprod.digicert.com
    crl-symcprod.digicert.com
    IN CNAME
    crl.edge.digicert.com
    crl.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=05e774bf2db448649ca6b520bd75b845&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=05e774bf2db448649ca6b520bd75b845&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1204A65D1A536C572B24B34A1B916DC5; domain=.bing.com; expires=Fri, 07-Nov-2025 17:39:18 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7AEDFE8D7E014BE6AD79FA90C95B4724 Ref B: LON601060105025 Ref C: 2024-10-13T17:39:18Z
    date: Sun, 13 Oct 2024 17:39:18 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=05e774bf2db448649ca6b520bd75b845&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=05e774bf2db448649ca6b520bd75b845&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1204A65D1A536C572B24B34A1B916DC5
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=L0KTgSG-l7BmDjaSHnfeMBjAZn9iFb1fn09yLVpBXTU; domain=.bing.com; expires=Fri, 07-Nov-2025 17:39:18 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 371413B909D3496BB72D187093C09CC4 Ref B: LON601060105025 Ref C: 2024-10-13T17:39:18Z
    date: Sun, 13 Oct 2024 17:39:18 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=05e774bf2db448649ca6b520bd75b845&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=05e774bf2db448649ca6b520bd75b845&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1204A65D1A536C572B24B34A1B916DC5; MSPTC=L0KTgSG-l7BmDjaSHnfeMBjAZn9iFb1fn09yLVpBXTU
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1674D7F093D94B288BFEB5BB84F55144 Ref B: LON601060105025 Ref C: 2024-10-13T17:39:19Z
    date: Sun, 13 Oct 2024 17:39:18 GMT
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    74.19.199.152.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.19.199.152.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.27.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    cs-g2-crl.thawte.com
    installer5.exe
    Remote address:
    8.8.8.8:53
    Request
    cs-g2-crl.thawte.com
    IN A
    Response
    cs-g2-crl.thawte.com
    IN CNAME
    crl-symcprod.digicert.com
    crl-symcprod.digicert.com
    IN CNAME
    crl.edge.digicert.com
    crl.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • flag-se
    GET
    http://cs-g2-crl.thawte.com/ThawteCSG2.crl
    installer5.exe
    Remote address:
    192.229.221.95:80
    Request
    GET /ThawteCSG2.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: cs-g2-crl.thawte.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 5123
    Cache-Control: public, max-age=3600
    Content-Type: application/pkix-crl
    Date: Sun, 13 Oct 2024 17:39:19 GMT
    Last-Modified: Sun, 13 Oct 2024 16:13:56 GMT
    Server: ECAcc (frc/4CFB)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 76591
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    api.downloadmr.com
    4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
    Remote address:
    8.8.8.8:53
    Request
    api.downloadmr.com
    IN A
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • 152.199.19.74:80
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHONysaXwG4bidEGBzdzAQ0%3D
    http
    installer5.exe
    1.4kB
    1.7kB
    9
    6

    HTTP Request

    GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

    HTTP Response

    200

    HTTP Request

    GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

    HTTP Response

    200

    HTTP Request

    GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHONysaXwG4bidEGBzdzAQ0%3D

    HTTP Response

    200

    HTTP Request

    GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEHONysaXwG4bidEGBzdzAQ0%3D

    HTTP Response

    200
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=05e774bf2db448649ca6b520bd75b845&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    tls, http2
    2.0kB
    9.4kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=05e774bf2db448649ca6b520bd75b845&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=05e774bf2db448649ca6b520bd75b845&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=05e774bf2db448649ca6b520bd75b845&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

    HTTP Response

    204
  • 192.229.221.95:80
    http://cs-g2-crl.thawte.com/ThawteCSG2.crl
    http
    installer5.exe
    1.7kB
    79.4kB
    33
    60

    HTTP Request

    GET http://cs-g2-crl.thawte.com/ThawteCSG2.crl

    HTTP Response

    200
  • 8.8.8.8:53
    ocsp.thawte.com
    dns
    installer5.exe
    61 B
    175 B
    1
    1

    DNS Request

    ocsp.thawte.com

    DNS Response

    152.199.19.74

  • 8.8.8.8:53
    crl.thawte.com
    dns
    installer5.exe
    60 B
    200 B
    1
    1

    DNS Request

    crl.thawte.com

    DNS Response

    192.229.221.95

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    74.19.199.152.in-addr.arpa
    dns
    72 B
    143 B
    1
    1

    DNS Request

    74.19.199.152.in-addr.arpa

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    10.27.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.27.171.150.in-addr.arpa

  • 8.8.8.8:53
    cs-g2-crl.thawte.com
    dns
    installer5.exe
    66 B
    206 B
    1
    1

    DNS Request

    cs-g2-crl.thawte.com

    DNS Response

    192.229.221.95

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    api.downloadmr.com
    dns
    4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
    64 B
    120 B
    1
    1

    DNS Request

    api.downloadmr.com

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

    Filesize

    248KB

    MD5

    22371a8f60488d167c752cf965f25237

    SHA1

    2119a78137f0188003fc312a02b12d2b842a2ef5

    SHA256

    e522bbb4e53e1fe3d4d4e3a8dc925d96afe02b1e50b604ef8e2a6abf194120ac

    SHA512

    3dcda9a228eea334726f3b621cbda96440f4434bb0e7fe36bd40a082aa6ab2d284fb8c61e7e10770aeb4c4968ac3711cb257d2b559643ed883886b64f49946d8

  • C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\installer5.exe

    Filesize

    215KB

    MD5

    029162f299af12e48fc5ffde104766e2

    SHA1

    467b9336af5aec76cbb548ece146cd2d7b4e1264

    SHA256

    28e778a7e5f91d27cf37e7ed8624adb8e9f33d7d12d64ed6420b5345052591b0

    SHA512

    fa522ef2364e5a31c119993d8057a3337bffdb7ce259b810efeb59e105885c8ca75086e1d568121600a919ad160e3be2667486ab56de7e7393df8d895293863c

  • C:\Users\Admin\AppData\Local\Temp\nst8FFD.tmp\nsExec.dll

    Filesize

    8KB

    MD5

    249ae678f0dac4c625c6de6aca53823a

    SHA1

    6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

    SHA256

    7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

    SHA512

    66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

  • memory/400-47-0x0000000073FC2000-0x0000000073FC3000-memory.dmp

    Filesize

    4KB

  • memory/400-9-0x0000000073FC2000-0x0000000073FC3000-memory.dmp

    Filesize

    4KB

  • memory/400-10-0x0000000073FC0000-0x0000000074571000-memory.dmp

    Filesize

    5.7MB

  • memory/400-11-0x0000000073FC0000-0x0000000074571000-memory.dmp

    Filesize

    5.7MB

  • memory/400-52-0x0000000073FC0000-0x0000000074571000-memory.dmp

    Filesize

    5.7MB

  • memory/400-48-0x0000000073FC0000-0x0000000074571000-memory.dmp

    Filesize

    5.7MB

  • memory/3984-43-0x0000000073FC0000-0x0000000074571000-memory.dmp

    Filesize

    5.7MB

  • memory/3984-46-0x0000000073FC0000-0x0000000074571000-memory.dmp

    Filesize

    5.7MB

  • memory/3984-45-0x0000000073FC0000-0x0000000074571000-memory.dmp

    Filesize

    5.7MB

  • memory/3984-50-0x0000000073FC0000-0x0000000074571000-memory.dmp

    Filesize

    5.7MB

  • memory/3984-44-0x0000000073FC0000-0x0000000074571000-memory.dmp

    Filesize

    5.7MB

  • memory/4928-56-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB
