Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 00:28 UTC

General

  • Target

    3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe

  • Size

    158KB

  • MD5

    3b51fab717e281580abca9c62aaa9685

  • SHA1

    74cd77630ace2fa629405f0665f34f1bb86419c1

  • SHA256

    3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e

  • SHA512

    41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f

  • SSDEEP

    3072:/23lko29IApHuGPdsNjMb5LjZpTSNLjXTp2zEVZNNSdAXb:/do+FuGPds1cLjLSBjDpUEzNNS+L

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 6 IoCs

    sc.exe is the Windows utility used to query and configure services on the system.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        PID:4336
    • C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      2⤵
      • Launches sc.exe
      PID:4056
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        PID:1088
    • C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      2⤵
      • Launches sc.exe
      PID:4436
    • C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
      C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Security Center"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          PID:1576
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        3⤵
        • Launches sc.exe
        PID:2904
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          PID:1704
      • C:\Windows\SysWOW64\sc.exe
        sc config SharedAccess start= DISABLED
        3⤵
        • Launches sc.exe
        PID:3108
      • C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
        C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -…
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          PID:1700
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            PID:3600
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          PID:3276
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          PID:4504
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            PID:4480
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          PID:3296
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\SysWOW64\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Windows\SysWOW64\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          PID:3364
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\g9ngajqf.bat
      2⤵
      PID:456
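The tree above is one repeatable sequence: `net stop` and `sc config … start= DISABLED` against Security Center (wscsvc) and Windows Firewall/ICS (SharedAccess), run again by each dropped copy of rt04lto.exe, then `rundll32 setupapi,InstallHinfSection DefaultInstall 128` pointed at an .inf in the user's Temp directory, which the report tags as adding a Run key. The following is an added detection example, not code from the sandbox report or its tooling, covering both the Signatures and the Processes sections: it replays constructed process-creation records whose command lines and PIDs are copied from the tree, tags each one, and raises an alert only when a single process tree both impairs a security service and installs persistence through an INF. The record field names, the benign control record (pid 7000) and the alert condition are assumptions.

```python
"""Detection logic for the service-disable + INF-persistence chain.

Added example, not part of the sandbox report. The record shape
(pid, ppid, cmdline) is an assumption modelled on process-creation
telemetry such as Sysmon Event ID 1; it is not a real log format.
"""
import re
from collections import defaultdict

# Constructed sample records: command lines and PIDs copied from the report's
# process tree, plus one benign control record (pid 7000) that must not alert.
EVENTS = [
    {"pid": 2368, "ppid": 1000,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"'},
    {"pid": 4660, "ppid": 2368, "cmdline": 'net.exe stop "Security Center"'},
    {"pid": 4336, "ppid": 4660, "cmdline": r'C:\Windows\system32\net1 stop "Security Center"'},
    {"pid": 4056, "ppid": 2368, "cmdline": "sc config wscsvc start= DISABLED"},
    {"pid": 2352, "ppid": 2368, "cmdline": 'net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"'},
    {"pid": 4436, "ppid": 2368, "cmdline": "sc config SharedAccess start= DISABLED"},
    {"pid": 3284, "ppid": 2368, "cmdline": r"C:\Users\Admin\AppData\Local\Temp\rt04lto.exe"},
    {"pid": 956, "ppid": 2368,
     "cmdline": r"Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf"},
    {"pid": 3888, "ppid": 956, "cmdline": r'"C:\Windows\system32\runonce.exe" -r'},
    {"pid": 456, "ppid": 2368, "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\g9ngajqf.bat"},
    {"pid": 7000, "ppid": 1000, "cmdline": "sc config Spooler start= auto"},  # benign control
]

# Services whose disabling is the defence-evasion signal in this tree:
# short name (as used by sc.exe) -> display name (as used by net stop).
SECURITY_SERVICES = {
    "wscsvc": "Security Center",
    "sharedaccess": "Windows Firewall/Internet Connection Sharing (ICS)",
}

SC_DISABLE = re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b", re.I)
NET_STOP = re.compile(r"\bnet(?:1|\.exe)?\s+stop\s+\"?(.+?)\"?\s*$", re.I)
INF_INSTALL = re.compile(
    r"\brundll32(?:\.exe)?\s+setupapi(?:\.dll)?\s*,\s*InstallHinfSection\b.*?(\S+\.inf)\b", re.I)
# Locations an unprivileged user can write to; an .inf installed from here is the worse case.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)


def classify(cmdline):
    """Return (tactic, detail) tags for one command line; empty list if nothing of interest."""
    tags = []
    m = SC_DISABLE.search(cmdline)
    if m and m.group(1).lower() in SECURITY_SERVICES:
        tags.append(("impair_defenses", f"sc disabled {m.group(1)}"))
    m = NET_STOP.search(cmdline)
    if m and m.group(1).strip() in SECURITY_SERVICES.values():
        tags.append(("impair_defenses", f"net stop {m.group(1).strip()!r}"))
    m = INF_INSTALL.search(cmdline)
    if m:
        inf = m.group(1)
        where = "user-writable path" if USER_WRITABLE.search(inf) else "system path"
        tags.append(("persistence", f"InstallHinfSection from {where}: {inf}"))
    return tags


def find_root(by_pid, pid):
    """Follow ppid links to the topmost process present in the record set."""
    seen = set()
    while pid not in seen and by_pid.get(pid, {}).get("ppid") in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def correlate(events):
    """Group tags by root process; alert when one tree both impairs defenses and persists.

    The same technique seen in net.exe and its net1.exe child is merged into one
    entry with both PIDs as evidence, so a chain is counted by technique, not by process.
    """
    by_pid = {e["pid"]: e for e in events}
    per_root = defaultdict(dict)  # root pid -> {"tactic: detail": [pids]}
    for e in events:
        root = find_root(by_pid, e["pid"])
        for tactic, detail in classify(e["cmdline"]):
            per_root[root].setdefault(f"{tactic}: {detail}", []).append(e["pid"])
    alerts = {}
    for root, techniques in per_root.items():
        tactics = {key.split(":", 1)[0] for key in techniques}
        alerts[root] = {
            "techniques": techniques,
            "tactics": sorted(tactics),
            "alert": {"impair_defenses", "persistence"} <= tactics,
        }
    return alerts


if __name__ == "__main__":
    for root, info in correlate(EVENTS).items():
        flag = "ALERT" if info["alert"] else "info"
        print(f"[{flag}] root pid {root}: tactics={info['tactics']}")
        for technique, pids in info["techniques"].items():
            print(f"    {technique}  pids={pids}")
```

Run against the constructed records it reports one alert for root pid 2368 with five distinct techniques; the control record that sets Spooler back to `start= auto` produces nothing. The rule deliberately keys on the two services named in this tree rather than on `sc config` in general, because service reconfiguration by administrators is common and the signal here is the combination with `InstallHinfSection` from a user-writable path inside the same tree.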

Network

  • [US] DNS  w.nucleardiscover.com  (process: rt04lto.exe)
      Remote address: 8.8.8.8:53
      Request:  w.nucleardiscover.com  IN A
      Response: (no answer records)
      Repeated 4 times at this point in the capture; every query is identical and none returned an answer record.
  • [US] DNS  tse1.mm.bing.net
      Remote address: 8.8.8.8:53
      Request:  tse1.mm.bing.net  IN A
      Response: tse1.mm.bing.net  IN CNAME  mm-mm.bing.net.trafficmanager.net
                mm-mm.bing.net.trafficmanager.net  IN CNAME  ax-0001.ax-msedge.net
                ax-0001.ax-msedge.net  IN A  150.171.27.10
                ax-0001.ax-msedge.net  IN A  150.171.28.10
  • [US] GET  https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address: 150.171.27.10:443
      Request:
        GET /th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response:
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 944920
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 8C456DB8E1584D2F99D0AEEAECDDD60C Ref B: LON04EDGE0806 Ref C: 2024-07-12T00:29:02Z
        date: Fri, 12 Jul 2024 00:29:01 GMT
  • [US] GET  https://tse1.mm.bing.net/th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address: 150.171.27.10:443
      Request:
        GET /th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response:
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 495209
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 6DFF58AA67B2468B987988076C6941A0 Ref B: LON04EDGE0806 Ref C: 2024-07-12T00:29:02Z
        date: Fri, 12 Jul 2024 00:29:01 GMT
  • [US] DNS  8.8.8.8.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request:  8.8.8.8.in-addr.arpa  IN PTR
      Response: 8.8.8.8.in-addr.arpa  IN PTR  dns.google
  • [US] DNS  14.160.190.20.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request:  14.160.190.20.in-addr.arpa  IN PTR
      Response: (no answer records)
  • [US] DNS  10.160.77.104.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request:  10.160.77.104.in-addr.arpa  IN PTR
      Response: 10.160.77.104.in-addr.arpa  IN PTR  a104-77-160-10.deploy.static.akamaitechnologies.com
  • [US] DNS  g.bing.com
      Remote address: 8.8.8.8:53
      Request:  g.bing.com  IN A
      Response: g.bing.com  IN CNAME  g-bing-com.dual-a-0034.a-msedge.net
                g-bing-com.dual-a-0034.a-msedge.net  IN CNAME  dual-a-0034.a-msedge.net
                dual-a-0034.a-msedge.net  IN A  13.107.21.237
                dual-a-0034.a-msedge.net  IN A  204.79.197.237
  • [US] GET  https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
      Remote address: 13.107.21.237:443
      Request:
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response:
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=0F99AC62B6C16AF22F5DB8D8B7216BEF; domain=.bing.com; expires=Wed, 06-Aug-2025 00:29:02 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 8840C75406204713865EE28562D19DB6 Ref B: LON04EDGE1121 Ref C: 2024-07-12T00:29:02Z
        date: Fri, 12 Jul 2024 00:29:02 GMT
  • [US] GET  https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
      Remote address: 13.107.21.237:443
      Request:
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=0F99AC62B6C16AF22F5DB8D8B7216BEF
      Response:
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=JvIPpHxe4C_Fd4YnmZP8drv2XzDw_auAN6vSM_JisVg; domain=.bing.com; expires=Wed, 06-Aug-2025 00:29:02 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 1886A3C1704D4D82949F8300CD4EE4DC Ref B: LON04EDGE1121 Ref C: 2024-07-12T00:29:02Z
        date: Fri, 12 Jul 2024 00:29:02 GMT
  • [US] GET  https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
      Remote address: 13.107.21.237:443
      Request:
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=0F99AC62B6C16AF22F5DB8D8B7216BEF; MSPTC=JvIPpHxe4C_Fd4YnmZP8drv2XzDw_auAN6vSM_JisVg
      Response:
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: B3CBB8821AAE4FB1A3A1B88A30CCE07D Ref B: LON04EDGE1121 Ref C: 2024-07-12T00:29:02Z
        date: Fri, 12 Jul 2024 00:29:02 GMT
  • [US] DNS  237.21.107.13.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request:  237.21.107.13.in-addr.arpa  IN PTR
      Response: (no answer records)
  • [US] DNS  w.nucleardiscover.com  (process: rt04lto.exe)
      Remote address: 8.8.8.8:53
      Request:  w.nucleardiscover.com  IN A
      Response: (no answer records)
      Repeated 8 times at this point in the capture; every query is identical and none returned an answer record.
  • [US] DNS  157.123.68.40.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request:  157.123.68.40.in-addr.arpa  IN PTR
      Response: (no answer records)
  • [US] DNS  w.nucleardiscover.com  (process: rt04lto.exe)
      Remote address: 8.8.8.8:53
      Request:  w.nucleardiscover.com  IN A
      Response: (no answer records)
      Repeated 4 times at this point in the capture; none returned an answer record.
  • [US] DNS  171.39.242.20.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request:  171.39.242.20.in-addr.arpa  IN PTR
      Response: (no answer records)
  • [US] DNS  217.135.221.88.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request:  217.135.221.88.in-addr.arpa  IN PTR
      Response: 217.135.221.88.in-addr.arpa  IN PTR  a88-221-135-217.deploy.static.akamaitechnologies.com
  • [US] DNS  w.nucleardiscover.com  (process: rt04lto.exe)
      Remote address: 8.8.8.8:53
      Request:  w.nucleardiscover.com  IN A
      Response: (no answer records)
      Repeated 8 times at this point in the capture; none returned an answer record.
  • [US] DNS  240.221.184.93.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request:  240.221.184.93.in-addr.arpa  IN PTR
      Response: (no answer records)
  • [US] DNS  11.227.111.52.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request:  11.227.111.52.in-addr.arpa  IN PTR
      Response: (no answer records)
  • [US] DNS  104.193.132.51.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request:  104.193.132.51.in-addr.arpa  IN PTR
      Response: (no answer records)
                      • 150.171.27.10:443
                        tse1.mm.bing.net
                        tls, http2
                        1.2kB
                        6.9kB
                        15
                        13
                      • 150.171.27.10:443
                        https://tse1.mm.bing.net/th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                        tls, http2
                        58.4kB
                        1.5MB
                        1089
                        1085

                        HTTP Request

                        GET https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

                        HTTP Request

                        GET https://tse1.mm.bing.net/th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

                        HTTP Response

                        200

                        HTTP Response

                        200
                      • 13.107.21.237:443
                        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
                        tls, http2
                        2.0kB
                        9.3kB
                        21
                        18

                        HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
                        HTTP Response: 204
                        HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
                        HTTP Response: 204
                        HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
                        HTTP Response: 204
                      • 8.8.8.8:53
                        w.nucleardiscover.com
                        dns
                        rt04lto.exe
                        268 B
                        268 B
                        4
                        4

                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com

                      • 8.8.8.8:53
                        tse1.mm.bing.net
                        dns
                        62 B
                        170 B
                        1
                        1

                        DNS Request: tse1.mm.bing.net
                        DNS Response: 150.171.27.10, 150.171.28.10

                      • 8.8.8.8:53
                        8.8.8.8.in-addr.arpa
                        dns
                        66 B
                        90 B
                        1
                        1

                        DNS Request: 8.8.8.8.in-addr.arpa

                      • 8.8.8.8:53
                        14.160.190.20.in-addr.arpa
                        dns
                        72 B
                        158 B
                        1
                        1

                        DNS Request: 14.160.190.20.in-addr.arpa

                      • 8.8.8.8:53
                        10.160.77.104.in-addr.arpa
                        dns
                        72 B
                        137 B
                        1
                        1

                        DNS Request: 10.160.77.104.in-addr.arpa

                      • 8.8.8.8:53
                        g.bing.com
                        dns
                        56 B
                        151 B
                        1
                        1

                        DNS Request: g.bing.com
                        DNS Response: 13.107.21.237, 204.79.197.237

                      • 8.8.8.8:53
                        237.21.107.13.in-addr.arpa
                        dns
                        72 B
                        158 B
                        1
                        1

                        DNS Request: 237.21.107.13.in-addr.arpa

                      • 8.8.8.8:53
                        w.nucleardiscover.com
                        dns
                        rt04lto.exe
                        268 B
                        268 B
                        4
                        4

                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com

                      • 8.8.8.8:53
                        w.nucleardiscover.com
                        dns
                        rt04lto.exe
                        268 B
                        268 B
                        4
                        4

                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com

                      • 8.8.8.8:53
                        157.123.68.40.in-addr.arpa
                        dns
                        72 B
                        146 B
                        1
                        1

                        DNS Request: 157.123.68.40.in-addr.arpa

                      • 8.8.8.8:53
                        w.nucleardiscover.com
                        dns
                        rt04lto.exe
                        268 B
                        268 B
                        4
                        4

                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com

                      • 8.8.8.8:53
                        171.39.242.20.in-addr.arpa
                        dns
                        72 B
                        158 B
                        1
                        1

                        DNS Request: 171.39.242.20.in-addr.arpa

                      • 8.8.8.8:53
                        217.135.221.88.in-addr.arpa
                        dns
                        73 B
                        139 B
                        1
                        1

                        DNS Request: 217.135.221.88.in-addr.arpa

                      • 8.8.8.8:53
                        w.nucleardiscover.com
                        dns
                        rt04lto.exe
                        268 B
                        268 B
                        4
                        4

                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com

                      • 8.8.8.8:53
                        w.nucleardiscover.com
                        dns
                        rt04lto.exe
                        268 B
                        268 B
                        4
                        4

                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com
                        DNS Request: w.nucleardiscover.com

                      • 8.8.8.8:53
                        240.221.184.93.in-addr.arpa
                        dns
                        73 B
                        144 B
                        1
                        1

                        DNS Request: 240.221.184.93.in-addr.arpa

                      • 8.8.8.8:53
                        11.227.111.52.in-addr.arpa
                        dns
                        72 B
                        158 B
                        1
                        1

                        DNS Request: 11.227.111.52.in-addr.arpa

                      • 8.8.8.8:53
                        104.193.132.51.in-addr.arpa
                        dns
                        73 B
                        159 B
                        1
                        1

                        DNS Request: 104.193.132.51.in-addr.arpa

                      MITRE ATT&CK Enterprise v15

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\g9ngajqf.bat
                        Filesize: 218B
                        MD5: bc686b5b5dfc9fe33f1b9298988ffea4
                        SHA1: 0f4aa7406da22b81e1e8c0413ede8f4d6077e063
                        SHA256: 134c6b80d275afa3ab4e52fd85b5cfe4e202fd2b52416c64b6b6a435712d9816
                        SHA512: 6b425aad3c7d98083f2e0d0e817939a8617f2a6c89c50a5de942b22945b88a5e80f5fe43425ff2dbdfb83de83b9eb32714070f6abd9d1cdbd5e10f5e97ba6335

                      • C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
                        Filesize: 413B
                        MD5: ce1f2d7c8e36f3c085a5d281b9ebeb2f
                        SHA1: bbbfae948d625afe50f66f34282bda3974cfdce5
                        SHA256: 312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c
                        SHA512: 89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e

                      • C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
                        Filesize: 158KB
                        MD5: 3b51fab717e281580abca9c62aaa9685
                        SHA1: 74cd77630ace2fa629405f0665f34f1bb86419c1
                        SHA256: 3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
                        SHA512: 41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f

                      • memory/2368-0-0x0000000000400000-0x000000000042A000-memory.dmp
                        Filesize: 168KB

                      • memory/2368-16-0x0000000000400000-0x000000000042A000-memory.dmp
                        Filesize: 168KB

                      • memory/3284-7-0x0000000000400000-0x000000000042A000-memory.dmp
                        Filesize: 168KB

                      • memory/3284-22-0x0000000000400000-0x000000000042A000-memory.dmp
                        Filesize: 168KB

                      • memory/4600-23-0x0000000000400000-0x000000000042A000-memory.dmp
                        Filesize: 168KB

                      • memory/4600-24-0x0000000000400000-0x000000000042A000-memory.dmp
                        Filesize: 168KB
