32662428cf34b2d2889536e8795f2248f6ad4a4a7e092d370f2bc19491cfa87f

Analysis

max time kernel
145s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 07:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

836e9b6892a31c06f42e7f49541629bb_JaffaCakes118.html
Size

70KB
MD5

836e9b6892a31c06f42e7f49541629bb
SHA1

6a6127dda1268d5eb18ae33b5d26987f668c6eee
SHA256

32662428cf34b2d2889536e8795f2248f6ad4a4a7e092d370f2bc19491cfa87f
SHA512

139046867689748741a420cb0806c8f8ca6cbb1d1c5ecf918b8ea61cbc60ff91d80c027463c20e1f145fd79e842cdf69a85fff67645ea44283ec998b3787ff03
SSDEEP

768:JiMlUcRlgcMWR3sI2PDDnd0g6/dxiwZOAwkyc8oTye1wCZkoTyMdtbBnfBgN8/lM:JGuRlxTvNen0tbrga90hcJNnspv

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
512	msedge.exe
512	msedge.exe
1600	identity_helper.exe
1600	identity_helper.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 2320	512	msedge.exe	81
PID 512 wrote to memory of 2320	512	msedge.exe	81
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4744	512	msedge.exe	83
PID 512 wrote to memory of 4744	512	msedge.exe	83
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\836e9b6892a31c06f42e7f49541629bb_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd168946f8,0x7ffd16894708,0x7ffd16894718
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5636 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

www.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

img.sedoparking.com

msedge.exe

Remote address:

8.8.8.8:53

Request

img.sedoparking.com

IN A

Response

img.sedoparking.com

IN CNAME

sedo.cachefly.net

sedo.cachefly.net

IN CNAME

vip1.g5.cachefly.net

vip1.g5.cachefly.net

IN A

205.234.175.175
GET

http://www.google.com/adsense/domains/caf.js

msedge.exe

Remote address:

142.250.187.196:80

Request

GET /adsense/domains/caf.js HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/javascript; charset=UTF-8
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/ads-afs-ui
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="ads-afs-ui"
Report-To: {"group":"ads-afs-ui","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-afs-ui"}]}
Date: Thu, 30 May 2024 07:25:00 GMT
Expires: Thu, 30 May 2024 07:25:00 GMT
Cache-Control: private, max-age=3600
ETag: "6831774972803803414"
X-Content-Type-Options: nosniff
Link: <https://www.adsensecustomsearchads.com>; rel="preconnect"
Content-Encoding: gzip
Transfer-Encoding: chunked
Server: sffe
X-XSS-Protection: 0
GET

http://img.sedoparking.com/js/jquery-1.11.3.custom.min.js

msedge.exe

Remote address:

205.234.175.175:80

Request

GET /js/jquery-1.11.3.custom.min.js HTTP/1.1
Host: img.sedoparking.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Thu, 30 May 2024 07:25:00 GMT
Content-Type: application/x-javascript
Content-Length: 25176
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: max-age=86400
Expires: Fri, 31 May 2024 07:25:00 GMT
X-CFHash: "7dd2fc9525d32ef5c44abe9036c98ad1"
X-CFF: B
Last-Modified: Thu, 28 Jun 2018 13:09:28 GMT
Vary: Accept-Encoding
X-CF3: H
CF4Age: 0
x-cf-tsc: 1685886798
CF4ttl: 31536000.000
Content-Encoding: gzip
X-CF2: H
Accept-Ranges: bytes
Server: CFS 0215
X-CF-ReqID: 786c7249a9846c27df49cf456185f120
X-CF1: 11696:fF.lon1:cf:nom:cacheN.lon1-01:M
DNS

www.adsensecustomsearchads.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.adsensecustomsearchads.com

IN A

Response

www.adsensecustomsearchads.com

IN CNAME

www3.l.google.com

www3.l.google.com

IN A

142.250.187.238
GET

https://www.adsensecustomsearchads.com/afs/ads?adsafe=low&adtest=off&channel=exp-0068%2Cexp-0051%2Cauxa-control-1%2C280059&client=dp-sedo80_3ph&r=m&sc_status=0&hl=en&rpbu=http%3A%2F%2Fhuntingandfishingusa.com%2Fcaf%2F%3Fses%3DY3JlPTE1Mzk5NjEwMzQmdGNpZD1odW50aW5nYW5kZmlzaGluZ3VzYS5jb201YmM5ZjBjYTFhZjc4NS4wODExNzM1OSZma2k9MCZ0YXNrPXNlYXJjaCZkb21haW49aHVudGluZ2FuZGZpc2hpbmd1c2EuY29tJmxhbmd1YWdlPWVuJmFfaWQ9MyZzZXNzaW9uPTh3d09FeTVjeHZ1Mkg2WG9xRHc5&type=3&uiopt=false&swp=as-drid-2516920716010336&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436&client_gdprApplies=0&format=r10%7Cs&nocache=7311717053899167&num=0&output=afd_ads&v=3&preload=true&bsl=8&pac=0&u_his=1&u_tz=0&dt=1717053899168&u_w=1280&u_h=720&biw=1280&bih=609&psw=1280&psh=102&frm=0&uio=--&cont=rb-default&drt=0&jsid=caf&jsv=635538657&rurl=file%3A%2F%2F%2FC%3A%2FUsers%2FAdmin%2FAppData%2FLocal%2FTemp%2F836e9b6892a31c06f42e7f49541629bb_JaffaCakes118.html

msedge.exe

Remote address:

142.250.187.238:443

Request

GET /afs/ads?adsafe=low&adtest=off&channel=exp-0068%2Cexp-0051%2Cauxa-control-1%2C280059&client=dp-sedo80_3ph&r=m&sc_status=0&hl=en&rpbu=http%3A%2F%2Fhuntingandfishingusa.com%2Fcaf%2F%3Fses%3DY3JlPTE1Mzk5NjEwMzQmdGNpZD1odW50aW5nYW5kZmlzaGluZ3VzYS5jb201YmM5ZjBjYTFhZjc4NS4wODExNzM1OSZma2k9MCZ0YXNrPXNlYXJjaCZkb21haW49aHVudGluZ2FuZGZpc2hpbmd1c2EuY29tJmxhbmd1YWdlPWVuJmFfaWQ9MyZzZXNzaW9uPTh3d09FeTVjeHZ1Mkg2WG9xRHc5&type=3&uiopt=false&swp=as-drid-2516920716010336&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436&client_gdprApplies=0&format=r10%7Cs&nocache=7311717053899167&num=0&output=afd_ads&v=3&preload=true&bsl=8&pac=0&u_his=1&u_tz=0&dt=1717053899168&u_w=1280&u_h=720&biw=1280&bih=609&psw=1280&psh=102&frm=0&uio=--&cont=rb-default&drt=0&jsid=caf&jsv=635538657&rurl=file%3A%2F%2F%2FC%3A%2FUsers%2FAdmin%2FAppData%2FLocal%2FTemp%2F836e9b6892a31c06f42e7f49541629bb_JaffaCakes118.html HTTP/2.0
host: www.adsensecustomsearchads.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
dnt: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-dest: iframe
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.adsensecustomsearchads.com/afs/ads/i/iframe.html

msedge.exe

Remote address:

142.250.187.238:443

Request

GET /afs/ads/i/iframe.html HTTP/2.0
host: www.adsensecustomsearchads.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
dnt: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-dest: iframe
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.adsensecustomsearchads.com/afs/ads/i/iframe.html

msedge.exe

Remote address:

142.250.187.238:443

Request

GET /afs/ads/i/iframe.html HTTP/2.0
host: www.adsensecustomsearchads.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
dnt: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-dest: iframe
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
if-modified-since: Tue, 12 Mar 2024 06:00:00 GMT
GET

https://www.adsensecustomsearchads.com/adsense/domains/caf.js

msedge.exe

Remote address:

142.250.187.238:443

Request

GET /adsense/domains/caf.js HTTP/2.0
host: www.adsensecustomsearchads.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.adsensecustomsearchads.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

huntingandfishingusa.com

msedge.exe

Remote address:

8.8.8.8:53

Request

huntingandfishingusa.com

IN A

Response

huntingandfishingusa.com

IN A

76.223.67.189

huntingandfishingusa.com

IN A

13.248.213.45
GET

http://huntingandfishingusa.com/search/tsc.php?200=Mjg1NzgxNTAw&21=MTczLjI1NC4yMzMuMTM5&681=MTUzOTk2MTAzNDVkMWZkYjAxYjJhN2VjOTEyMjVkMjFlNGMyMjMzNjQw&crc=44f56dfd11837fba8039ba4f80e2d1ae71b0f515&cv=1

msedge.exe

Remote address:

76.223.67.189:80

Request

GET /search/tsc.php?200=Mjg1NzgxNTAw&21=MTczLjI1NC4yMzMuMTM5&681=MTUzOTk2MTAzNDVkMWZkYjAxYjJhN2VjOTEyMjVkMjFlNGMyMjMzNjQw&crc=44f56dfd11837fba8039ba4f80e2d1ae71b0f515&cv=1 HTTP/1.1
Host: huntingandfishingusa.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Origin: null
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: openresty
Date: Thu, 30 May 2024 07:25:00 GMT
Content-Type: text/html
Content-Length: 266
Connection: keep-alive
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
DNS

196.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.187.250.142.in-addr.arpa

IN PTR

Response

196.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f41e100net
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

175.175.234.205.in-addr.arpa

Remote address:

8.8.8.8:53

Request

175.175.234.205.in-addr.arpa

IN PTR

Response

175.175.234.205.in-addr.arpa

IN PTR

vip1 G-anycast1cacheflynet
DNS

238.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.187.250.142.in-addr.arpa

IN PTR

Response

238.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f141e100net
DNS

189.67.223.76.in-addr.arpa

Remote address:

8.8.8.8:53

Request

189.67.223.76.in-addr.arpa

IN PTR

Response

189.67.223.76.in-addr.arpa

IN PTR

a67c48129651a0940awsglobalacceleratorcom
GET

http://huntingandfishingusa.com/search/fb.php?ses=1539961034b3ced08c397b42c9eb489748d14251e2,1539961034a35c9e5f06fc258d37ee93958d3d0586&ec=1

msedge.exe

Remote address:

76.223.67.189:80

Request

GET /search/fb.php?ses=1539961034b3ced08c397b42c9eb489748d14251e2,1539961034a35c9e5f06fc258d37ee93958d3d0586&ec=1 HTTP/1.1
Host: huntingandfishingusa.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Origin: null
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: openresty
Date: Thu, 30 May 2024 07:25:01 GMT
Content-Type: text/html
Content-Length: 209
Connection: keep-alive
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response

142.250.187.196:80

http://www.google.com/adsense/domains/caf.js

http

msedge.exe

1.9kB
77.4kB
35
61

HTTP Request

GET http://www.google.com/adsense/domains/caf.js

HTTP Response

200
205.234.175.175:80

http://img.sedoparking.com/js/jquery-1.11.3.custom.min.js

http

msedge.exe

1.1kB
26.8kB
16
25

HTTP Request

GET http://img.sedoparking.com/js/jquery-1.11.3.custom.min.js

HTTP Response

200
142.250.187.238:443

https://www.adsensecustomsearchads.com/adsense/domains/caf.js

tls, http2

msedge.exe

5.8kB
97.2kB
57
93

HTTP Request

GET https://www.adsensecustomsearchads.com/afs/ads?adsafe=low&adtest=off&channel=exp-0068%2Cexp-0051%2Cauxa-control-1%2C280059&client=dp-sedo80_3ph&r=m&sc_status=0&hl=en&rpbu=http%3A%2F%2Fhuntingandfishingusa.com%2Fcaf%2F%3Fses%3DY3JlPTE1Mzk5NjEwMzQmdGNpZD1odW50aW5nYW5kZmlzaGluZ3VzYS5jb201YmM5ZjBjYTFhZjc4NS4wODExNzM1OSZma2k9MCZ0YXNrPXNlYXJjaCZkb21haW49aHVudGluZ2FuZGZpc2hpbmd1c2EuY29tJmxhbmd1YWdlPWVuJmFfaWQ9MyZzZXNzaW9uPTh3d09FeTVjeHZ1Mkg2WG9xRHc5&type=3&uiopt=false&swp=as-drid-2516920716010336&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436&client_gdprApplies=0&format=r10%7Cs&nocache=7311717053899167&num=0&output=afd_ads&v=3&preload=true&bsl=8&pac=0&u_his=1&u_tz=0&dt=1717053899168&u_w=1280&u_h=720&biw=1280&bih=609&psw=1280&psh=102&frm=0&uio=--&cont=rb-default&drt=0&jsid=caf&jsv=635538657&rurl=file%3A%2F%2F%2FC%3A%2FUsers%2FAdmin%2FAppData%2FLocal%2FTemp%2F836e9b6892a31c06f42e7f49541629bb_JaffaCakes118.html

HTTP Request

GET https://www.adsensecustomsearchads.com/afs/ads/i/iframe.html

HTTP Request

GET https://www.adsensecustomsearchads.com/afs/ads/i/iframe.html

HTTP Request

GET https://www.adsensecustomsearchads.com/adsense/domains/caf.js
76.223.67.189:80

http://huntingandfishingusa.com/search/tsc.php?200=Mjg1NzgxNTAw&21=MTczLjI1NC4yMzMuMTM5&681=MTUzOTk2MTAzNDVkMWZkYjAxYjJhN2VjOTEyMjVkMjFlNGMyMjMzNjQw&crc=44f56dfd11837fba8039ba4f80e2d1ae71b0f515&cv=1

http

msedge.exe

715 B
583 B
5
4

HTTP Request

GET http://huntingandfishingusa.com/search/tsc.php?200=Mjg1NzgxNTAw&21=MTczLjI1NC4yMzMuMTM5&681=MTUzOTk2MTAzNDVkMWZkYjAxYjJhN2VjOTEyMjVkMjFlNGMyMjMzNjQw&crc=44f56dfd11837fba8039ba4f80e2d1ae71b0f515&cv=1

HTTP Response

200
76.223.67.189:80

http://huntingandfishingusa.com/search/fb.php?ses=1539961034b3ced08c397b42c9eb489748d14251e2,1539961034a35c9e5f06fc258d37ee93958d3d0586&ec=1

http

msedge.exe

657 B
526 B
5
4

HTTP Request

GET http://huntingandfishingusa.com/search/fb.php?ses=1539961034b3ced08c397b42c9eb489748d14251e2,1539961034a35c9e5f06fc258d37ee93958d3d0586&ec=1

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

www.google.com

dns

msedge.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.187.196
8.8.8.8:53

img.sedoparking.com

dns

msedge.exe

65 B
134 B
1
1

DNS Request

img.sedoparking.com

DNS Response

205.234.175.175
8.8.8.8:53

www.adsensecustomsearchads.com

dns

msedge.exe

76 B
120 B
1
1

DNS Request

www.adsensecustomsearchads.com

DNS Response

142.250.187.238
8.8.8.8:53

huntingandfishingusa.com

dns

msedge.exe

70 B
102 B
1
1

DNS Request

huntingandfishingusa.com

DNS Response

76.223.67.189

13.248.213.45
142.250.187.238:443

www.adsensecustomsearchads.com

https

msedge.exe

3.1kB
8.4kB
6
9
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
8.8.8.8:53

196.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.187.250.142.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

175.175.234.205.in-addr.arpa

dns

74 B
116 B
1
1

DNS Request

175.175.234.205.in-addr.arpa
8.8.8.8:53

238.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

238.187.250.142.in-addr.arpa
8.8.8.8:53

189.67.223.76.in-addr.arpa

dns

72 B
128 B
1
1

DNS Request

189.67.223.76.in-addr.arpa
224.0.0.251:5353

457 B
7
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
6564522a9e60b268b8f36ae1da476b44

SHA1
4d35209d1425000f63fd0b67d6d464e7d5ee5638

SHA256
e5587793cead93b6b3bb3b5228fd5abce8bb5a6da663675177e4602356bef0cb

SHA512
c1610cfc6f5ed47aaefa5cf57c20476ceaca63f0e149e70417c111d7eea05d4064e58ad2875a59990379d8ca886a47bce2cee6e7d8f599d3c3f1bb9d25b37473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
410B

MD5
a887d3e3e32e7826c6c413b1e79dcc3e

SHA1
85461d77fd4df8a1babef7c2e7a133e1ba14d604

SHA256
19dd7a56d7298279d82a92ebd94ec996897e7a6edf08779dbce22df5f9b68158

SHA512
cf125906f9ed62ef671bf3ca7451bece2de06a32fb671ea64c1a89eb17439524da943e118af8385932fd5e622bc692d25329ddbe5fd9ea5a5deb09797d61e46c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37dd824910365ae0cc7e306330305398

SHA1
f72155f41f5b9c8b161168acb857cab34d4f70ad

SHA256
0457effbac27234ec530ab6827c493c0d28298c43f8f1171185bd7b2213ec10a

SHA512
5a1627a5e489782eb2823819e5cd7b23f4fe719d0c609118085de0b15978005cc493e8e1ffbaf44f00f2657d30da36ba9e6609c9b1b65c74c2f35b39e17f71f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65242b5ba45035bb2aa446b2a77c42cd

SHA1
269b343f60e775638b5c8863f5425d122bbdfd35

SHA256
c2ae1c31feba9a4f1a5283bf31cbeaeeb48416afb577a147a10e2c7da477b857

SHA512
36e400cb130f9f93e7a9d95a35b2ed0c94ae0203811e04d153b98daf875a86a8070e739abc5da1bad819e19c46ac9f349209bd261beef07c01649dac9bfcc1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be58f3846b4119e334a5308af2fe15d0

SHA1
d2fdffbf3f245851258abd6c8c2de4a1f1b90f78

SHA256
4e07d0dc6c09c7c9b07ef51fa3198fed8cc04bce7d58b04ed5a0dcc37ad45bae

SHA512
6933754ce6537f8a2c1c9c67d02845b728221f269f464286c47f187298aa7da57a7fa7fe0620992d2bedde58d4bf8c0d22b5bc2c6c9fa7f70cb63fb915b80490

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.