Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01/10/2022, 23:55 UTC
General
-
Target
7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe
-
Size
320KB
-
MD5
71ee19737698f120d243e30eb5ee65e0
-
SHA1
cc81357948e6513fdb87c3fd174f5dc4d08316be
-
SHA256
7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034
-
SHA512
44b365e026863225d04c9d9764b81683a7f219f1cf689efd11591c725af7e1c8e79b9cd015439493e4d080a4e2d9c9999c829fbbe6209ea11c2533b5a6cd771f
-
SSDEEP
6144:sTw4o1IV3puaibGKFHi0mofhaH05kipz016580bHFMWu86JQPDHDdx/QtqR:SmgvmzFHi0mo5aH0qMzd5807FKPJQPDV
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
-
UAC bypass 3 TTPs 12 IoCs
-
Adds policy Run key to start application 2 TTPs 15 IoCs
-
Disables RegEdit via registry modification 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 63 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
System policy modification 1 TTPs 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe"C:\Users\Admin\AppData\Local\Temp\7954b7f018f5d3ff852e1bd390d41477adacadb4d2d2a13ff45cf3b31ede5034.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\gutbft.exe"C:\Users\Admin\AppData\Local\Temp\gutbft.exe" "-"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\gutbft.exe"C:\Users\Admin\AppData\Local\Temp\gutbft.exe" "-"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
-
Network
-
DNSwww.showmyipaddress.comRemote address:8.8.8.8:53Requestwww.showmyipaddress.comIN AResponsewww.showmyipaddress.comIN A188.114.97.0www.showmyipaddress.comIN A188.114.96.0 -
GEThttp://www.showmyipaddress.com/Remote address:188.114.97.0:80RequestGET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:23:53 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:23:53 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Gvbn%2F86fvQz2DnjxKVO6ULZ3CzH%2Ftr5uWv%2FEdFTo6wIjRdLpMTuwyts2HxNuCcL8fi9sx0kL%2F6dvIcSGnKS3T%2F%2FnUmuVkvAWKlZKGMdQX3NFr5AKo0NIxX93hwxzUwTbXhlQDDIADMxbSA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7539fa880882b8e5-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
DNSwhatismyipaddress.comRemote address:8.8.8.8:53Requestwhatismyipaddress.comIN AResponsewhatismyipaddress.comIN A104.16.154.36whatismyipaddress.comIN A104.16.155.36
-
GEThttp://whatismyipaddress.com/Remote address:104.16.154.36:80RequestGET / HTTP/1.1
Host: whatismyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 403 Forbidden
Date: Sun, 02 Oct 2022 02:23:55 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cf_bm=1TR8P7o684qhpsfk7aFcIClyYsi78grKsrZyFMk3eOE-1664677435-0-AXjK1HpvDVuq0H8cKAsFal/Dyplpa395O4jVh/B3Sib9dSx3FmMPRBpGok4sa7n/kwYvUGYZdpbbtMQKE9lE0NE=; path=/; expires=Sun, 02-Oct-22 02:53:55 GMT; domain=.whatismyipaddress.com; HttpOnly; SameSite=None
Server: cloudflare
CF-RAY: 7539fa93f8f7b987-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
DNSwww.whatismyip.comRemote address:8.8.8.8:53Requestwww.whatismyip.comIN AResponsewww.whatismyip.comIN A172.67.189.152www.whatismyip.comIN A104.21.89.158
-
GEThttp://www.whatismyip.com/Remote address:172.67.189.152:80RequestGET / HTTP/1.1
Host: www.whatismyip.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:23:57 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:23:57 GMT
Location: https://www.whatismyip.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LHs0M3%2BBYYbFVOVL0JCpHbN2uRjGa2de4IA5jNog4Q018Eo6mNsuIO%2B8ep2a%2FM2AxBE5ZietSQJN8CeTJ3T0lE3cyk3KfrOUSo09AetMZbLxHm9%2BRFzqqEwYSLFVA2xEtPF05A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7539fa9feb96b7e2-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://whatismyipaddress.com/Remote address:104.16.154.36:80RequestGET / HTTP/1.1
Host: whatismyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 403 Forbidden
Date: Sun, 02 Oct 2022 02:23:59 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cf_bm=Fj1vi5kBl7Y_DEO6ZoTaNwuM_U5di6RgnggtjRaOsQ8-1664677439-0-AfyW3KSup8yARZZvQB8m32u8w6JpE6CZpHlRt2ydqdk7ytSImZlhLS/retUklMTNs1NG7WXtxFW4v1k92GZ6s4M=; path=/; expires=Sun, 02-Oct-22 02:53:59 GMT; domain=.whatismyipaddress.com; HttpOnly; SameSite=None
Server: cloudflare
CF-RAY: 7539faab8e1ab7be-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
DNSwhatismyip.everdot.orgRemote address:8.8.8.8:53Requestwhatismyip.everdot.orgIN AResponse
-
GEThttp://www.whatismyip.com/Remote address:172.67.189.152:80RequestGET / HTTP/1.1
Host: www.whatismyip.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:24:03 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:24:03 GMT
Location: https://www.whatismyip.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=N3Mgy7oeFDzkZNx7KW1TBXBIqVOCbZ5fIJHQanx6qve68mk4gWftBaIu3by%2FxkSeISYuJPG9v80%2FJXao52YpnoROiyuO3TFvBITUFO3rsTiOlsKOW0O%2FS2tumxpu%2FZLNhXPf5g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7539fac2c887b8dc-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://whatismyipaddress.com/Remote address:104.16.154.36:80RequestGET / HTTP/1.1
Host: whatismyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 403 Forbidden
Date: Sun, 02 Oct 2022 02:24:04 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cf_bm=PT9H5bndVjqOo66F8IDW5K7PoFNaaT8UNbkXFAc1BeQ-1664677444-0-AcDpT94xmHqs1Aj+lAec+b3znuPwaK4V/AUtTnSISx8biIrmEcNqQ07xULgVstyFav5mCICRjMUrhDq5NRpzxWE=; path=/; expires=Sun, 02-Oct-22 02:54:04 GMT; domain=.whatismyipaddress.com; HttpOnly; SameSite=None
Server: cloudflare
CF-RAY: 7539face7dcdb8e8-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://www.showmyipaddress.com/Remote address:188.114.97.0:80RequestGET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:24:06 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:24:06 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TEMtihLS5%2BmfQk1WHm%2F21AT9qcaJXT2lYA6tUGYGsWEpG9h4vJ5%2B0%2BHrFuFhPFpOLWSXH4N%2BrVe1GAlYDpabAu2zbyf3ddr0CLDcJeiWqE8tU24TyNHjT779%2FeiPXYBuiK0sneDXFNTdDw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7539fada282bb734-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
DNSwww.whatismyip.caRemote address:8.8.8.8:53Requestwww.whatismyip.caIN AResponse
-
GEThttp://www.showmyipaddress.com/Remote address:188.114.97.0:80RequestGET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:24:10 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:24:10 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2B9amZVIFZb0BNjVK0hMVmWnmFTXtNMuPWm7i%2FucwabmXYhcO8XGyNXjZAhclLa8AwGAbtxR%2FQTHeuT4uV2IGn4zSnr7FY4PUazir7N4N0iUp7Kmr1wC8OAPgrhE1HgxN5RMr2pOqfXJw8w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7539faf16d6fb76a-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://www.showmyipaddress.com/Remote address:188.114.97.0:80RequestGET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:24:12 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:24:12 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6bEAvdkXbF3C%2F5T%2FP91BZk6C%2B3mA6A3ptAML1gd9S8U1IdD9N1QyFF8SiVLTbhiOSegmnJqlWl0Y1DrV6fs1SdBHwl9Nb6LU8O0Hhvy%2Frw5ZRF26HdnASoYm%2BJymQvEQ%2BC4JlUs2KVfWwA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7539fafd197db70c-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://www.whatismyip.com/Remote address:172.67.189.152:80RequestGET / HTTP/1.1
Host: www.whatismyip.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:24:14 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:24:14 GMT
Location: https://www.whatismyip.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xCqg75EZBixd51RZaZRvolPD0ykyEk%2FHRR11Qx8V%2FYHPAhbGuncv%2Fu8RCZkd9pIUuc9DHbhq2gUX7dYb26FuMLErZLWawwJNCXM%2FtwkYvybf%2F2TagBOb4KWEGcOksCWzpmG2eQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7539fb08dbd941da-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://whatismyipaddress.com/Remote address:104.16.154.36:80RequestGET / HTTP/1.1
Host: whatismyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 403 Forbidden
Date: Sun, 02 Oct 2022 02:24:17 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cf_bm=JMyB49PnofOjCMSNu31ALjLRYZl6kf4IuwsD3fssWoM-1664677457-0-Ad9ppJ8x/MndV/kWCfpiSlONCe7X7q1o6qkxaCKMtkh5v82i96cR3bat+bwOUuO39d1wHedSC1qEsKmR5TlRTck=; path=/; expires=Sun, 02-Oct-22 02:54:17 GMT; domain=.whatismyipaddress.com; HttpOnly; SameSite=None
Server: cloudflare
CF-RAY: 7539fb1f9db9b748-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://www.whatismyip.com/Remote address:172.67.189.152:80RequestGET / HTTP/1.1
Host: www.whatismyip.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:24:19 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:24:19 GMT
Location: https://www.whatismyip.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=g1YdboY79xKgbpkZvmcWz8Y8FwYqJ0yq5vMY3FX1sehyLI0Cl1u%2FKS1xyF0glIAA1%2BsfdFoH0lDszHq6ljXORL%2BUdzsl4FH9IsHynh6%2Bh2%2ByxFhVYDxb99e9lKPWb7g77Kbvzg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7539fb2b3ce2b932-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://www.whatismyip.com/Remote address:172.67.189.152:80RequestGET / HTTP/1.1
Host: www.whatismyip.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:24:21 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:24:21 GMT
Location: https://www.whatismyip.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=I5LWvJyd0%2BzZa34LIkCuu750lF%2BvtBVEd0s7UJpBF%2FfMr4h5T%2FjNhr8VoUzTpOo9i65639GQIyxdhu9mQW4SjYQiR%2BXjd6uAQ19PwqXwHIFbMYHdak4RdP7%2BVRxfDNMusWjRFQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7539fb36db28b7f1-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://www.showmyipaddress.com/Remote address:188.114.97.0:80RequestGET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:24:23 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:24:23 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=a7IKAYYm0%2FbKUIcLELjkOcAtCJVqYinp9nq1SwnIf7tilm4juzQAybLTjkoS%2FzVk1TU3GoEYcNvuxbzroPsV10CkseNDMJAX1K9zI7Y0jKT8Ntk1GtUaZVNM%2BKwzlQ649uHTcv0cfeR8Hw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7539fb429c05b969-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://whatismyipaddress.com/Remote address:104.16.154.36:80RequestGET / HTTP/1.1
Host: whatismyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 403 Forbidden
Date: Sun, 02 Oct 2022 02:24:27 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cf_bm=.SPLRUJgNYpjQ8_KkL3DUd3trtNtj6nDAA8zhBOkeRQ-1664677467-0-AX9j495aeZ7+VBURidd5fEFyoqwx+hLqRnozll82wHHoAiTZ7aalbtMHv+xgHgXjK6ra8N8KGorspMYxpxnemGE=; path=/; expires=Sun, 02-Oct-22 02:54:27 GMT; domain=.whatismyipaddress.com; HttpOnly; SameSite=None
Server: cloudflare
CF-RAY: 7539fb59680cb921-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttp://www.whatismyip.com/Remote address:172.67.189.152:80RequestGET / HTTP/1.1
Host: www.whatismyip.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Date: Sun, 02 Oct 2022 02:24:28 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Sun, 02 Oct 2022 03:24:28 GMT
Location: https://www.whatismyip.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=I%2FKWiFTDQFt3eEXekhWgpeo0hqcTeQydKZD%2F6StjbtJZzxyTnM0XMBJVmR2TW%2Fwsplw8y0eY1%2FN%2B2nwc1iNlpJtWCFbu1ESkSXaadSHSAeU142xUN9Q53uZoCVIc0%2FJ5Ettz8Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7539fb65287cb90f-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
DNSwww.imdb.comRemote address:8.8.8.8:53Requestwww.imdb.comIN AResponsewww.imdb.comIN CNAMEtp.391b988c0-frontier.imdb.comtp.391b988c0-frontier.imdb.comIN CNAMEd2bytcopxu066p.cloudfront.netd2bytcopxu066p.cloudfront.netIN A65.9.80.206
-
GEThttp://www.imdb.com/Remote address:65.9.80.206:80RequestGET / HTTP/1.1
Host: www.imdb.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Sun, 02 Oct 2022 02:24:32 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Location: https://www.imdb.com/
X-Cache: Redirect from cloudfront
Via: 1.1 2bf8812c27f5e451eba4aef5c1aff6ae.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: AMS1-C1
Alt-Svc: h3=":443"; ma=86400
X-Amz-Cf-Id: WsubBo8il-m-Z9kz8qsGZJ67cDaK88gbPaXXh8RYeGeFDWWWX61aSg==
-
DNSzhniyd.infoRemote address:8.8.8.8:53Requestzhniyd.infoIN AResponsezhniyd.infoIN A167.99.35.88
-
GEThttp://zhniyd.info/Remote address:167.99.35.88:80RequestGET / HTTP/1.1
Host: zhniyd.info
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 204 No Content
Server: nginx
Date: Sun, 02 Oct 2022 02:24:32 GMT
Connection: close
X-Sinkhole: Malware
-
DNSuuslfiqz.infoRemote address:8.8.8.8:53Requestuuslfiqz.infoIN AResponse
-
DNSdwscdkekw.netRemote address:8.8.8.8:53Requestdwscdkekw.netIN AResponsedwscdkekw.netIN A72.251.233.245
-
GEThttp://dwscdkekw.net/Remote address:72.251.233.245:80RequestGET / HTTP/1.1
Host: dwscdkekw.net
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Sun, 02 Oct 2022 02:24:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=140f0fc19014dc27ecee347ae0073864|154.61.71.50|1664677477|1664677477|0|1|0; path=/; domain=.dwscdkekw.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=154.61.71.50; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
DNShsswllivwr.netRemote address:8.8.8.8:53Requesthsswllivwr.netIN AResponse
-
DNScmkeoo.comRemote address:8.8.8.8:53Requestcmkeoo.comIN AResponsecmkeoo.comIN A173.231.189.15
-
GEThttp://cmkeoo.com/Remote address:173.231.189.15:80RequestGET / HTTP/1.1
Host: cmkeoo.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Sun, 02 Oct 2022 02:24:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=061ff6a4e02b11a5c6e616835c8d6674|154.61.71.50|1664677483|1664677483|0|1|0; path=/; domain=.cmkeoo.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=154.61.71.50; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
DNSvppkmfwptq.netRemote address:8.8.8.8:53Requestvppkmfwptq.netIN AResponse
-
DNSfcenhk.infoRemote address:8.8.8.8:53Requestfcenhk.infoIN AResponse
-
DNSaoyeuikawoyi.orgRemote address:8.8.8.8:53Requestaoyeuikawoyi.orgIN AResponse
-
DNSlphmgnvimw.infoRemote address:8.8.8.8:53Requestlphmgnvimw.infoIN AResponse
-
DNStuhkdrkz.netRemote address:8.8.8.8:53Requesttuhkdrkz.netIN AResponse
-
DNSbyrggkjz.netRemote address:8.8.8.8:53Requestbyrggkjz.netIN AResponse
-
DNSyqyukcee.comRemote address:8.8.8.8:53Requestyqyukcee.comIN AResponse
-
DNSmczqvohyt.netRemote address:8.8.8.8:53Requestmczqvohyt.netIN AResponse
-
DNSlbhffn.netRemote address:8.8.8.8:53Requestlbhffn.netIN AResponse
-
DNSoakmkicm.orgRemote address:8.8.8.8:53Requestoakmkicm.orgIN AResponse
-
DNSesswqagcmm.orgRemote address:8.8.8.8:53Requestesswqagcmm.orgIN AResponse
-
DNSbxuwamhalpb.netRemote address:8.8.8.8:53Requestbxuwamhalpb.netIN AResponse
-
DNSkxftipttnmrz.infoRemote address:8.8.8.8:53Requestkxftipttnmrz.infoIN AResponse
-
DNSqdhpvcjurie.netRemote address:8.8.8.8:53Requestqdhpvcjurie.netIN AResponse
-
188.114.97.0:80http://www.showmyipaddress.com/http
HTTP Request
GET http://www.showmyipaddress.com/HTTP Response
301 -
104.16.154.36:80http://whatismyipaddress.com/http
HTTP Request
GET http://whatismyipaddress.com/HTTP Response
403 -
172.67.189.152:80http://www.whatismyip.com/http
HTTP Request
GET http://www.whatismyip.com/HTTP Response
301 -
104.16.154.36:80http://whatismyipaddress.com/http
HTTP Request
GET http://whatismyipaddress.com/HTTP Response
403 -
172.67.189.152:80http://www.whatismyip.com/http
HTTP Request
GET http://www.whatismyip.com/HTTP Response
301 -
104.16.154.36:80http://whatismyipaddress.com/http
HTTP Request
GET http://whatismyipaddress.com/HTTP Response
403 -
188.114.97.0:80http://www.showmyipaddress.com/http
HTTP Request
GET http://www.showmyipaddress.com/HTTP Response
301 -
188.114.97.0:80http://www.showmyipaddress.com/http
HTTP Request
GET http://www.showmyipaddress.com/HTTP Response
301 -
188.114.97.0:80http://www.showmyipaddress.com/http
HTTP Request
GET http://www.showmyipaddress.com/HTTP Response
301 -
172.67.189.152:80http://www.whatismyip.com/http
HTTP Request
GET http://www.whatismyip.com/HTTP Response
301 -
104.16.154.36:80http://whatismyipaddress.com/http
HTTP Request
GET http://whatismyipaddress.com/HTTP Response
403 -
172.67.189.152:80http://www.whatismyip.com/http
HTTP Request
GET http://www.whatismyip.com/HTTP Response
301 -
172.67.189.152:80http://www.whatismyip.com/http
HTTP Request
GET http://www.whatismyip.com/HTTP Response
301 -
188.114.97.0:80http://www.showmyipaddress.com/http
HTTP Request
GET http://www.showmyipaddress.com/HTTP Response
301 -
104.16.154.36:80http://whatismyipaddress.com/http
HTTP Request
GET http://whatismyipaddress.com/HTTP Response
403 -
172.67.189.152:80http://www.whatismyip.com/http
HTTP Request
GET http://www.whatismyip.com/HTTP Response
301 -
65.9.80.206:80http://www.imdb.com/http
HTTP Request
GET http://www.imdb.com/HTTP Response
301 -
167.99.35.88:80http://zhniyd.info/http
HTTP Request
GET http://zhniyd.info/HTTP Response
204 -
72.251.233.245:80http://dwscdkekw.net/http
HTTP Request
GET http://dwscdkekw.net/HTTP Response
200 -
173.231.189.15:80http://cmkeoo.com/http
HTTP Request
GET http://cmkeoo.com/HTTP Response
200
-
8.8.8.8:53www.showmyipaddress.comdns
DNS Request
www.showmyipaddress.com
DNS Response
188.114.97.0188.114.96.0
-
8.8.8.8:53whatismyipaddress.comdns
DNS Request
whatismyipaddress.com
DNS Response
104.16.154.36104.16.155.36
-
8.8.8.8:53www.whatismyip.comdns
DNS Request
www.whatismyip.com
DNS Response
172.67.189.152104.21.89.158
-
8.8.8.8:53whatismyip.everdot.orgdns
DNS Request
whatismyip.everdot.org
-
8.8.8.8:53www.whatismyip.cadns
DNS Request
www.whatismyip.ca
-
8.8.8.8:53www.imdb.comdns
DNS Request
www.imdb.com
DNS Response
65.9.80.206
-
8.8.8.8:53zhniyd.infodns
DNS Request
zhniyd.info
DNS Response
167.99.35.88
-
8.8.8.8:53uuslfiqz.infodns
DNS Request
uuslfiqz.info
-
8.8.8.8:53dwscdkekw.netdns
DNS Request
dwscdkekw.net
DNS Response
72.251.233.245
-
8.8.8.8:53hsswllivwr.netdns
DNS Request
hsswllivwr.net
-
8.8.8.8:53cmkeoo.comdns
DNS Request
cmkeoo.com
DNS Response
173.231.189.15
-
8.8.8.8:53vppkmfwptq.netdns
DNS Request
vppkmfwptq.net
-
8.8.8.8:53fcenhk.infodns
DNS Request
fcenhk.info
-
8.8.8.8:53aoyeuikawoyi.orgdns
DNS Request
aoyeuikawoyi.org
-
8.8.8.8:53lphmgnvimw.infodns
DNS Request
lphmgnvimw.info
-
8.8.8.8:53tuhkdrkz.netdns
DNS Request
tuhkdrkz.net
-
8.8.8.8:53byrggkjz.netdns
DNS Request
byrggkjz.net
-
8.8.8.8:53yqyukcee.comdns
DNS Request
yqyukcee.com
-
8.8.8.8:53mczqvohyt.netdns
DNS Request
mczqvohyt.net
-
8.8.8.8:53lbhffn.netdns
DNS Request
lbhffn.net
-
8.8.8.8:53oakmkicm.orgdns
DNS Request
oakmkicm.org
-
8.8.8.8:53esswqagcmm.orgdns
DNS Request
esswqagcmm.org
-
8.8.8.8:53bxuwamhalpb.netdns
DNS Request
bxuwamhalpb.net
-
8.8.8.8:53kxftipttnmrz.infodns
DNS Request
kxftipttnmrz.info
-
8.8.8.8:53qdhpvcjurie.netdns
DNS Request
qdhpvcjurie.net
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
712KB
MD574ce3d4986eed31d94c20921a443bd11
SHA18eb03c80afb582d97283194e3a5b34d61f393de0
SHA256207662d4bbdc9ef1e12372284be43fe4b37697fd210a6831174010a869c185d5
SHA512fd6d32763b93f1e7893ccdf68d19193041c914dfc53305ea54e63817d3d419dcff81a61f5eeb7eee5a09e7aa4c86f6b35f6a3465f2a4c6a8fe7ecd118253ebe8
-
Filesize
712KB
MD574ce3d4986eed31d94c20921a443bd11
SHA18eb03c80afb582d97283194e3a5b34d61f393de0
SHA256207662d4bbdc9ef1e12372284be43fe4b37697fd210a6831174010a869c185d5
SHA512fd6d32763b93f1e7893ccdf68d19193041c914dfc53305ea54e63817d3d419dcff81a61f5eeb7eee5a09e7aa4c86f6b35f6a3465f2a4c6a8fe7ecd118253ebe8
-
Filesize
712KB
MD574ce3d4986eed31d94c20921a443bd11
SHA18eb03c80afb582d97283194e3a5b34d61f393de0
SHA256207662d4bbdc9ef1e12372284be43fe4b37697fd210a6831174010a869c185d5
SHA512fd6d32763b93f1e7893ccdf68d19193041c914dfc53305ea54e63817d3d419dcff81a61f5eeb7eee5a09e7aa4c86f6b35f6a3465f2a4c6a8fe7ecd118253ebe8
-
Filesize
712KB
MD574ce3d4986eed31d94c20921a443bd11
SHA18eb03c80afb582d97283194e3a5b34d61f393de0
SHA256207662d4bbdc9ef1e12372284be43fe4b37697fd210a6831174010a869c185d5
SHA512fd6d32763b93f1e7893ccdf68d19193041c914dfc53305ea54e63817d3d419dcff81a61f5eeb7eee5a09e7aa4c86f6b35f6a3465f2a4c6a8fe7ecd118253ebe8
-
Filesize
712KB
MD574ce3d4986eed31d94c20921a443bd11
SHA18eb03c80afb582d97283194e3a5b34d61f393de0
SHA256207662d4bbdc9ef1e12372284be43fe4b37697fd210a6831174010a869c185d5
SHA512fd6d32763b93f1e7893ccdf68d19193041c914dfc53305ea54e63817d3d419dcff81a61f5eeb7eee5a09e7aa4c86f6b35f6a3465f2a4c6a8fe7ecd118253ebe8
-
Filesize
712KB
MD574ce3d4986eed31d94c20921a443bd11
SHA18eb03c80afb582d97283194e3a5b34d61f393de0
SHA256207662d4bbdc9ef1e12372284be43fe4b37697fd210a6831174010a869c185d5
SHA512fd6d32763b93f1e7893ccdf68d19193041c914dfc53305ea54e63817d3d419dcff81a61f5eeb7eee5a09e7aa4c86f6b35f6a3465f2a4c6a8fe7ecd118253ebe8
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB