Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 15:42

Static task: static1

Behavioral task: behavioral1
Sample: 16908f41dad6c5c7c8112f29c512ce93_JaffaCakes118.html
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 16908f41dad6c5c7c8112f29c512ce93_JaffaCakes118.html
Resource: win10v2004-20240508-en
General

Target: 16908f41dad6c5c7c8112f29c512ce93_JaffaCakes118.html
Size: 124KB
MD5: 16908f41dad6c5c7c8112f29c512ce93
SHA1: 23cac5218fa35f9d5448715493be8dd798251271
SHA256: 6273b3f1fbf34ce1e2c0075ff24dd875258f69c96fe95c0cec3b7e5762fd6865
SHA512: 364b022e8d99b5463fdfd13349287415ca31e4fc0a5b6d3e518dfd9e94eedde8a88d3cd8743bcf67b4d6af6262a414c73f401477dbb7e2eb7c57c28cca0e95ec
SSDEEP: 1536:U8cnGL1csWODWm6MSY0eoUHVZE6Oic1QXUPd:enA1csWKoUH1LXw
Malware Config

Signatures

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid / Process:
  1780 msedge.exe
  1780 msedge.exe
  2096 msedge.exe
  2096 msedge.exe
  4636 msedge.exe
  4636 msedge.exe
  4636 msedge.exe
  4636 msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid / Process:
  2096 msedge.exe
  2096 msedge.exe
  2096 msedge.exe
  2096 msedge.exe
  2096 msedge.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- msedge.exe (PID 2096)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\16908f41dad6c5c7c8112f29c512ce93_JaffaCakes118.html
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - msedge.exe (PID 1140)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa80746f8,0x7fffa8074708,0x7fffa8074718
  - msedge.exe (PID 1708)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,7052680259057015608,155886022547389109,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  - msedge.exe (PID 1780)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,7052680259057015608,155886022547389109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 4068)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,7052680259057015608,155886022547389109,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  - msedge.exe (PID 1972)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7052680259057015608,155886022547389109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  - msedge.exe (PID 4764)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7052680259057015608,155886022547389109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  - msedge.exe (PID 1356)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7052680259057015608,155886022547389109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  - msedge.exe (PID 2680)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7052680259057015608,155886022547389109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
  - msedge.exe (PID 656)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7052680259057015608,155886022547389109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  - msedge.exe (PID 4636)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,7052680259057015608,155886022547389109,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5240 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- CompPkgSrv.exe (PID 2764)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- CompPkgSrv.exe (PID 3656)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network

Remote address: 8.8.8.8:53
Request: zglpw.cc IN A
Response: (no records)

Remote address: 8.8.8.8:53
Request: zglpw.cc IN A

Remote address: 8.8.8.8:53
Request: js.users.51.la IN A
Response:
  js.users.51.la IN CNAME js.users.51.la.w.cdngslb.com
  js.users.51.la.w.cdngslb.com IN A 79.133.176.222
  js.users.51.la.w.cdngslb.com IN A 79.133.176.225
  js.users.51.la.w.cdngslb.com IN A 79.133.176.223
  js.users.51.la.w.cdngslb.com IN A 79.133.176.224
  js.users.51.la.w.cdngslb.com IN A 79.133.176.219
  js.users.51.la.w.cdngslb.com IN A 79.133.176.211
  js.users.51.la.w.cdngslb.com IN A 79.133.176.166
  js.users.51.la.w.cdngslb.com IN A 79.133.176.213

Remote address: 79.133.176.222:80
Request:
GET /19806731.js HTTP/1.1
Host: js.users.51.la
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Response:
HTTP/1.1 200 OK
Content-Type: application/javascript; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Date: Thu, 27 Jun 2024 15:42:34 GMT
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Origin: *
Cache-Control: no-store
Access-Control-Allow-Credentials: true
Via: cache11.l2fr1[474,474,200-0,M], cache23.l2fr1[475,0], ens-cache11.gb6[506,505,200-0,M], ens-cache10.gb6[507,0]
Ali-Swift-Global-Savetime: 1719502954
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Thu, 27 Jun 2024 15:42:34 GMT
X-Swift-CacheTime: 0
Timing-Allow-Origin: *
EagleId: 4f85b09e17195029544011312e

Remote address: 8.8.8.8:53
Request: ia.51.la IN A
Response:
  ia.51.la IN CNAME ia.51.la.trpcdn.net
  ia.51.la.trpcdn.net IN CNAME zcmcm.v.trpcdn.net
  zcmcm.v.trpcdn.net IN A 104.166.160.226
  zcmcm.v.trpcdn.net IN A 104.166.160.229
  zcmcm.v.trpcdn.net IN A 104.166.160.228

Remote address: 104.166.160.226:80
Request:
GET /go1?id=19806731&rt=1719502954211&rl=1280*720&lang=en-US&ct=unknow&pf=1&ins=1&vd=1&ce=1&cd=24&ds=%25E6%25A3%258B%25E7%2589%258C%25E6%25B8%25B8%25E6%2588%258F%25E6%2588%25BF%25E5%258D%25A1%25E7%2589%2588%25E6%2580%258E%25E4%25B9%2588%25E8%25B5%259A%25E9%2592%25B1%25E7%25BC%25BA%25E4%25B9%258F%25E5%25AD%25A6%25E4%25B9%25A0%25EF%25BC%258C%25E9%2582%25A3%25E4%25BA%259B%25E5%25B9%25B4%25E6%2588%2591%25E4%25BB%25AC%25E8%2583%25BD%25E5%258A%259B%25E6%25B0%25B4%25E5%25B9%25B3%25E6%25A3%258B%25E7%2589%258C%25E6%25B8%25B8%25E6%2588%258F%25E6%2588%25BF&ing=1&ekc=&sid=1719502954211&tt=%25E6%25A3%258B%25E7%2589%258C%25E6%25B8%25B8%25E6%2588%258F%25E6%2588%25BF%25E5%258D%25A1%25E7%2589%2588%25E6%2580%258E%25E4%25B9%2588%25E8%25B5%259A%25E9%2592%25B1_%25E7%25BD%2591%25E7%25BB%259C%25E5%2585%25BC%25E8%2581%258C%25E8%25B5%259A%25E9%2592%25B1&kw=%25E6%25A3%258B%25E7%2589%258C%25E6%25B8%25B8%25E6%2588%258F%25E6%2588%25BF%25E5%258D%25A1%25E7%2589%2588%25E6%2580%258E%25E4%25B9%2588%25E8%25B5%259A%25E9%2592%25B1&cu=file%253A%252F%252F%252FC%253A%252FUsers%252FAdmin%252FAppData%252FLocal%252FTemp%252F16908f41dad6c5c7c8112f29c512ce93_JaffaCakes118.html&pu= HTTP/1.1
Host: ia.51.la
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Response:
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
X-Ser: BC199_lt-obgp-fujian-xiamen-33-cache-1, BC226_GB-london-london-3-cache-2

Remote address: 8.8.8.8:53
Request: 222.176.133.79.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: qm.qq.com IN A
Response:
  qm.qq.com IN CNAME ins-9sprbbri.ias.tencent-cloud.net
  ins-9sprbbri.ias.tencent-cloud.net IN A 43.159.233.101
  ins-9sprbbri.ias.tencent-cloud.net IN A 43.129.2.81

Remote address: 43.159.233.101:80
Request:
GET /cgi-bin/qm/qr?k=hoOfPHEBqZ7MsJTpB4LBudI92s-IX5Jt HTTP/1.1
Host: qm.qq.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Response:
HTTP/1.1 302 Moved Temporarily
Date: Thu, 27 Jun 2024 15:42:36 GMT
Content-Type: text/html
Content-Length: 137
Connection: keep-alive
Location: https://qm.qq.com/cgi-bin/qm/qr?k=hoOfPHEBqZ7MsJTpB4LBudI92s-IX5Jt

Remote address: 8.8.8.8:53
Request: 226.160.166.104.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: 226.160.166.104.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request: 104.219.191.52.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: 104.219.191.52.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request: 64.159.190.20.in-addr.arpa IN PTR
Response: (no records)

Remote address: 43.159.233.101:443
Request:
GET /cgi-bin/qm/qr?k=hoOfPHEBqZ7MsJTpB4LBudI92s-IX5Jt HTTP/1.1
Host: qm.qq.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
Server: TAPISIX/2.2.2

Remote address: 8.8.8.8:53
Request: 81.144.22.2.in-addr.arpa IN PTR
Response:
  81.144.22.2.in-addr.arpa IN PTR a2-22-144-81.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: 101.233.159.43.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: p.iqun.qq.com IN A
Response:
  p.iqun.qq.com IN CNAME p.iqun.qq.com.cdn.dnsv1.com.cn
  p.iqun.qq.com.cdn.dnsv1.com.cn IN CNAME 6xgc5hin.sched.sma-dk.tdnsstic1.cn
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 42.177.83.87
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 114.112.216.174
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 42.177.83.115
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 42.177.83.111
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 123.6.25.199
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 14.205.47.136
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 123.6.25.85
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 112.84.131.219
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 42.177.83.82
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 116.153.46.40
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 42.177.83.214
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 60.28.220.246
  6xgc5hin.sched.sma-dk.tdnsstic1.cn IN A 42.177.83.134

Remote address: 8.8.8.8:53
Request: cgi.pub.qq.com IN A
Response:
  cgi.pub.qq.com IN CNAME ins-05tp7vzl.ias.tencent-cloud.net
  ins-05tp7vzl.ias.tencent-cloud.net IN A 43.154.252.110

Remote address: 8.8.8.8:53
Request: isdspeed.qq.com IN A
Response: (no records)

Remote address: 8.8.8.8:53
Request: p.qpic.cn IN A
Response:
  p.qpic.cn IN A 43.154.254.32
  p.qpic.cn IN A 43.129.255.47

Remote address: 43.154.254.32:443
Request:
GET /qqconadmin/0/b095d8d0ad144de3943f5dcba95a9624/0 HTTP/1.1
Host: p.qpic.cn
Connection: keep-alive
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://qm.qq.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Response:
HTTP/1.1 200 OK
Date: Thu, 27 Jun 2024 15:42:42 GMT
Content-Type: image/webp
Content-Length: 7556
Connection: keep-alive
Vary: Accept,Origin
Last-Modified: Fri, 26 May 2023 10:51:55 GMT
Cache-Control: max-age=2592000
X-Delay: 8467 us
X-Info: real data
X-BCheck: 0_1
X-Cpt: filename=0
User-ReturnCode: 0
X-DataSrc: 1
X-ReqGue: 0
Size: 7556
chid: 0
fid: 0
X-NWS-LOG-UUID: 17a35715-7232-40ee-a40a-ea380712fbaf

Remote address: 43.154.252.110:443
Request:
GET /report/bnl?data=0,11780,0,pc HTTP/1.1
Host: cgi.pub.qq.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://qm.qq.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Response:
HTTP/1.1 200 OK
Date: Thu, 27 Jun 2024 15:42:42 GMT
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive

Remote address: 8.8.8.8:53
Request: 32.254.154.43.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: 110.252.154.43.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: 217.106.137.52.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: 217.106.137.52.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request: 86.23.85.13.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: 206.23.85.13.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: 206.23.85.13.in-addr.arpa IN PTR

Remote address: 8.8.8.8:53
Request: 101.58.20.217.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: 30.243.111.52.in-addr.arpa IN PTR
Response: (no records)

Remote address: 8.8.8.8:53
Request: 67.112.168.52.in-addr.arpa IN PTR
Response: (no records)
Downloads