
Analysis

  • max time kernel
    140s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/07/2024, 11:31 UTC

General

  • Target

    49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe

  • Size

    733KB

  • MD5

    49977ea91effefa69e91faaf406309c4

  • SHA1

    29fdbe1a0ee9d6c7aa9499f3a70ef9bffcea3dab

  • SHA256

    ca1d43c7df11837f12a37594e204bf75d59c40af5b8d24e6944f24a20a52577e

  • SHA512

    27a4edf9e8b9962e6b50c3ad6d2fb353c09053d17032973c74fe2ffa526d94f1e9090ffc0023e5c7ab2ea5775861188bbc5eaf77ad014852479d41891caa070f

  • SSDEEP

    12288:13Fpj4rBRLukn+zKg2oOR2OQl5xAdmxQDgGeItGBV07XpWZhASRXHYnrmc:1VpUFRUgoOwOY5xAqQlFtWVAqRXHYrmc

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"
      2⤵
        PID:4196
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
        2⤵
          PID:1996
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3204
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"
            3⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:4728
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1760
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE
            3⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:1928

Network

      • flag-us
        DNS
        73.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        73.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        www.directdownloader.com
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        www.directdownloader.com
        IN A
        Response
        www.directdownloader.com
        IN A
        162.255.119.249
      • flag-us
        GET
        http://www.directdownloader.com/stub/stub_ddlr.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        162.255.119.249:80
        Request
        GET /stub/stub_ddlr.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Host: www.directdownloader.com
        Response
        HTTP/1.1 302 Found
        Date: Mon, 15 Jul 2024 11:31:18 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 102
        Connection: keep-alive
        Location: http://www.google.com/enterprise/apps/business/products.html/stub/stub_ddlr.exe
        X-Served-By: Namecheap URL Forward
        Server: namecheap-nginx
      • flag-us
        GET
        http://www.directdownloader.com/stub/OpenCL.dll
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        162.255.119.249:80
        Request
        GET /stub/OpenCL.dll HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Host: www.directdownloader.com
        Response
        HTTP/1.1 302 Found
        Date: Mon, 15 Jul 2024 11:31:19 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 99
        Connection: keep-alive
        Location: http://www.google.com/enterprise/apps/business/products.html/stub/OpenCL.dll
        X-Served-By: Namecheap URL Forward
        Server: namecheap-nginx
      • flag-us
        GET
        http://www.directdownloader.com/toolbars/BitAcceleratorDDLRinstaller.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        162.255.119.249:80
        Request
        GET /toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Host: www.directdownloader.com
        Response
        HTTP/1.1 302 Found
        Date: Mon, 15 Jul 2024 11:31:20 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 124
        Connection: keep-alive
        Location: http://www.google.com/enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
        X-Served-By: Namecheap URL Forward
        Server: namecheap-nginx
      • flag-us
        GET
        http://www.directdownloader.com/toolbars/optimizer.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        162.255.119.249:80
        Request
        GET /toolbars/optimizer.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Host: www.directdownloader.com
        Response
        HTTP/1.1 302 Found
        Date: Mon, 15 Jul 2024 11:31:20 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 106
        Connection: keep-alive
        Location: http://www.google.com/enterprise/apps/business/products.html/toolbars/optimizer.exe
        X-Served-By: Namecheap URL Forward
        Server: namecheap-nginx
      • flag-us
        GET
        http://www.directdownloader.com/DirectDownloaderInstaller.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        162.255.119.249:80
        Request
        GET /DirectDownloaderInstaller.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Host: www.directdownloader.com
        Response
        HTTP/1.1 302 Found
        Date: Mon, 15 Jul 2024 11:31:20 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 113
        Connection: keep-alive
        Location: http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exe
        X-Served-By: Namecheap URL Forward
        Server: namecheap-nginx
      • flag-us
        DNS
        www.google.com
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        www.google.com
        IN A
        Response
        www.google.com
        IN A
        142.250.180.4
      • flag-gb
        GET
        http://www.google.com/enterprise/apps/business/products.html/stub/stub_ddlr.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        142.250.180.4:80
        Request
        GET /enterprise/apps/business/products.html/stub/stub_ddlr.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Host: www.google.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://enterprise.google.com/apps/business/products.html/stub/stub_ddlr.exe
        Cross-Origin-Resource-Policy: cross-origin
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 273
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:05 GMT
        Expires: Mon, 15 Jul 2024 11:47:05 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 853
      • flag-gb
        GET
        http://www.google.com/enterprise/apps/business/products.html/stub/OpenCL.dll
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        142.250.180.4:80
        Request
        GET /enterprise/apps/business/products.html/stub/OpenCL.dll HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Host: www.google.com
        Connection: Keep-Alive
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://enterprise.google.com/apps/business/products.html/stub/OpenCL.dll
        Cross-Origin-Resource-Policy: cross-origin
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 270
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:06 GMT
        Expires: Mon, 15 Jul 2024 11:47:06 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 853
      • flag-gb
        GET
        http://www.google.com/enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        142.250.180.4:80
        Request
        GET /enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Host: www.google.com
        Connection: Keep-Alive
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://enterprise.google.com/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
        Cross-Origin-Resource-Policy: cross-origin
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 295
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:31:18 GMT
        Expires: Mon, 15 Jul 2024 12:01:18 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 2
      • flag-gb
        GET
        http://www.google.com/enterprise/apps/business/products.html/toolbars/optimizer.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        142.250.180.4:80
        Request
        GET /enterprise/apps/business/products.html/toolbars/optimizer.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Host: www.google.com
        Connection: Keep-Alive
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://enterprise.google.com/apps/business/products.html/toolbars/optimizer.exe
        Cross-Origin-Resource-Policy: cross-origin
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 277
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:07 GMT
        Expires: Mon, 15 Jul 2024 11:47:07 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 853
      • flag-gb
        GET
        http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        142.250.180.4:80
        Request
        GET /enterprise/apps/business/products.html/DirectDownloaderInstaller.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Host: www.google.com
        Connection: Keep-Alive
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exe
        Cross-Origin-Resource-Policy: cross-origin
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 284
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:08 GMT
        Expires: Mon, 15 Jul 2024 11:47:08 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 852
      • flag-us
        DNS
        enterprise.google.com
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        enterprise.google.com
        IN A
        Response
        enterprise.google.com
        IN CNAME
        www3.l.google.com
        www3.l.google.com
        IN A
        172.217.169.78
      • flag-gb
        GET
        https://enterprise.google.com/apps/business/products.html/stub/stub_ddlr.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        172.217.169.78:443
        Request
        GET /apps/business/products.html/stub/stub_ddlr.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: enterprise.google.com
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://gsuite.google.com/products.html/stub/stub_ddlr.exe
        Cross-Origin-Resource-Policy: cross-origin
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 255
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:06 GMT
        Expires: Mon, 15 Jul 2024 11:47:06 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 853
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://enterprise.google.com/apps/business/products.html/stub/OpenCL.dll
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        172.217.169.78:443
        Request
        GET /apps/business/products.html/stub/OpenCL.dll HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: enterprise.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://gsuite.google.com/products.html/stub/OpenCL.dll
        Cross-Origin-Resource-Policy: cross-origin
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 252
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:06 GMT
        Expires: Mon, 15 Jul 2024 11:47:06 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 853
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://enterprise.google.com/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        172.217.169.78:443
        Request
        GET /apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: enterprise.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://gsuite.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
        Cross-Origin-Resource-Policy: cross-origin
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 277
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:31:18 GMT
        Expires: Mon, 15 Jul 2024 12:01:18 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 2
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://enterprise.google.com/apps/business/products.html/toolbars/optimizer.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        172.217.169.78:443
        Request
        GET /apps/business/products.html/toolbars/optimizer.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: enterprise.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://gsuite.google.com/products.html/toolbars/optimizer.exe
        Cross-Origin-Resource-Policy: cross-origin
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 259
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:07 GMT
        Expires: Mon, 15 Jul 2024 11:47:07 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 853
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        172.217.169.78:443
        Request
        GET /apps/business/products.html/DirectDownloaderInstaller.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: enterprise.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://gsuite.google.com/products.html/DirectDownloaderInstaller.exe
        Cross-Origin-Resource-Policy: cross-origin
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 266
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:08 GMT
        Expires: Mon, 15 Jul 2024 11:47:08 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 852
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-us
        DNS
        205.47.74.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        205.47.74.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        249.119.255.162.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        249.119.255.162.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        4.180.250.142.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        4.180.250.142.in-addr.arpa
        IN PTR
        Response
        4.180.250.142.in-addr.arpa
        IN PTR
        lhr25s32-in-f4.1e100.net
      • flag-us
        DNS
        c.pki.goog
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        c.pki.goog
        IN A
        Response
        c.pki.goog
        IN CNAME
        pki-goog.l.google.com
        pki-goog.l.google.com
        IN A
        216.58.201.99
      • flag-gb
        GET
        http://c.pki.goog/r/r1.crl
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.201.99:80
        Request
        GET /r/r1.crl HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Microsoft-CryptoAPI/10.0
        Host: c.pki.goog
        Response
        HTTP/1.1 200 OK
        Accept-Ranges: bytes
        Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
        Cross-Origin-Resource-Policy: cross-origin
        Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
        Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
        Content-Length: 854
        X-Content-Type-Options: nosniff
        Server: sffe
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:05:37 GMT
        Expires: Mon, 15 Jul 2024 11:55:37 GMT
        Cache-Control: public, max-age=3000
        Age: 1542
        Last-Modified: Wed, 01 Nov 2023 07:48:00 GMT
        Content-Type: application/pkix-crl
        Vary: Accept-Encoding
      • flag-us
        DNS
        o.pki.goog
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        o.pki.goog
        IN A
        Response
        o.pki.goog
        IN CNAME
        pki-goog.l.google.com
        pki-goog.l.google.com
        IN A
        216.58.201.99
      • flag-gb
        GET
        http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.201.99:80
        Request
        GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94 HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Microsoft-CryptoAPI/10.0
        Host: o.pki.goog
        Response
        HTTP/1.1 200 OK
        Server: ocsp_responder
        Content-Length: 472
        X-XSS-Protection: 0
        X-Frame-Options: SAMEORIGIN
        Date: Mon, 15 Jul 2024 10:46:38 GMT
        Cache-Control: public, max-age=14400
        Content-Type: application/ocsp-response
        Age: 2681
      • flag-us
        DNS
        gsuite.google.com
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        gsuite.google.com
        IN A
        Response
        gsuite.google.com
        IN A
        216.58.204.78
      • flag-gb
        GET
        https://gsuite.google.com/products.html/stub/stub_ddlr.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.204.78:443
        Request
        GET /products.html/stub/stub_ddlr.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: gsuite.google.com
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://workspace.google.com/products.html/stub/stub_ddlr.exe
        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 258
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:06 GMT
        Expires: Mon, 15 Jul 2024 11:47:06 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 853
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://gsuite.google.com/products.html/stub/OpenCL.dll
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.204.78:443
        Request
        GET /products.html/stub/OpenCL.dll HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: gsuite.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://workspace.google.com/products.html/stub/OpenCL.dll
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 255
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:07 GMT
        Expires: Mon, 15 Jul 2024 11:47:07 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 852
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://gsuite.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.204.78:443
        Request
        GET /products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: gsuite.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://workspace.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 280
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:31:18 GMT
        Expires: Mon, 15 Jul 2024 12:01:18 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 2
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://gsuite.google.com/products.html/toolbars/optimizer.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.204.78:443
        Request
        GET /products.html/toolbars/optimizer.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: gsuite.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://workspace.google.com/products.html/toolbars/optimizer.exe
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 262
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:07 GMT
        Expires: Mon, 15 Jul 2024 11:47:07 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 853
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://gsuite.google.com/products.html/DirectDownloaderInstaller.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.204.78:443
        Request
        GET /products.html/DirectDownloaderInstaller.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: gsuite.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 301 Moved Permanently
        Location: https://workspace.google.com/products.html/DirectDownloaderInstaller.exe
        X-Content-Type-Options: nosniff
        Server: sffe
        Content-Length: 269
        X-XSS-Protection: 0
        Date: Mon, 15 Jul 2024 11:17:08 GMT
        Expires: Mon, 15 Jul 2024 11:47:08 GMT
        Cache-Control: public, max-age=1800
        Content-Type: text/html; charset=UTF-8
        Age: 852
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-us
        DNS
        workspace.google.com
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        workspace.google.com
        IN A
        Response
        workspace.google.com
        IN A
        216.58.201.110
      • flag-gb
        GET
        https://workspace.google.com/products.html/stub/stub_ddlr.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.201.110:443
        Request
        GET /products.html/stub/stub_ddlr.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: workspace.google.com
        Response
        HTTP/1.1 404 Not Found
        Cross-Origin-Resource-Policy: cross-origin
        Content-Type: text/html; charset=ISO-8859-1
        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
        X-Content-Type-Options: nosniff
        Date: Mon, 15 Jul 2024 11:31:19 GMT
        Server: sffe
        Content-Length: 159708
        X-XSS-Protection: 0
        Set-Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E; expires=Tue, 14-Jan-2025 11:31:19 GMT; path=/; domain=.google.com; HttpOnly
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://workspace.google.com/products.html/stub/OpenCL.dll
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.201.110:443
        Request
        GET /products.html/stub/OpenCL.dll HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: workspace.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 404 Not Found
        Cross-Origin-Resource-Policy: cross-origin
        Content-Type: text/html; charset=ISO-8859-1
        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
        X-Content-Type-Options: nosniff
        Date: Mon, 15 Jul 2024 11:31:20 GMT
        Server: sffe
        Content-Length: 159708
        X-XSS-Protection: 0
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://workspace.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.201.110:443
        Request
        GET /products.html/toolbars/BitAcceleratorDDLRinstaller.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: workspace.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 404 Not Found
        Cross-Origin-Resource-Policy: cross-origin
        Content-Type: text/html; charset=ISO-8859-1
        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
        X-Content-Type-Options: nosniff
        Date: Mon, 15 Jul 2024 11:31:20 GMT
        Server: sffe
        Content-Length: 159708
        X-XSS-Protection: 0
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://workspace.google.com/products.html/toolbars/optimizer.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.201.110:443
        Request
        GET /products.html/toolbars/optimizer.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: workspace.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 404 Not Found
        Cross-Origin-Resource-Policy: cross-origin
        Content-Type: text/html; charset=ISO-8859-1
        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
        X-Content-Type-Options: nosniff
        Date: Mon, 15 Jul 2024 11:31:20 GMT
        Server: sffe
        Content-Length: 159708
        X-XSS-Protection: 0
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-gb
        GET
        https://workspace.google.com/products.html/DirectDownloaderInstaller.exe
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        Remote address:
        216.58.201.110:443
        Request
        GET /products.html/DirectDownloaderInstaller.exe HTTP/1.1
        Range: bytes=0-
        User-Agent: downloader
        Connection: Keep-Alive
        Host: workspace.google.com
        Cookie: NID=515=K82wZoKV28XBOJrg9iPxFFxaT5Fw4Trcf2FlfvhzlwvuWRWLst_cRD2rJaD1AEn1CIsE2_32MLB0q6DyfzmmNFOOydY3ZeW1wiFXqMPKOhFsAz4KQsKjamDbCQCvcWUbwO5kArpTA45BA-oQzz2qcbBYX2ubyQuj7uqo9HjiV_E
        Response
        HTTP/1.1 404 Not Found
        Cross-Origin-Resource-Policy: cross-origin
        Content-Type: text/html; charset=ISO-8859-1
        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
        X-Content-Type-Options: nosniff
        Date: Mon, 15 Jul 2024 11:31:20 GMT
        Server: sffe
        Content-Length: 159708
        X-XSS-Protection: 0
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-us
        DNS
        78.169.217.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        78.169.217.172.in-addr.arpa
        IN PTR
        Response
        78.169.217.172.in-addr.arpa
        IN PTR
        lhr48s09-in-f14.1e100.net
      • flag-us
        DNS
        78.204.58.216.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        78.204.58.216.in-addr.arpa
        IN PTR
        Response
        78.204.58.216.in-addr.arpa
        IN PTR
        lhr25s13-in-f78.1e100.net
        78.204.58.216.in-addr.arpa
        IN PTR
        lhr25s13-in-f14.1e100.net
        78.204.58.216.in-addr.arpa
        IN PTR
        lhr48s49-in-f14.1e100.net
      • flag-us
        DNS
        110.201.58.216.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        110.201.58.216.in-addr.arpa
        IN PTR
        Response
        110.201.58.216.in-addr.arpa
        IN PTR
        lhr48s48-in-f14.1e100.net
        110.201.58.216.in-addr.arpa
        IN PTR
        prg03s02-in-f110.1e100.net
        110.201.58.216.in-addr.arpa
        IN PTR
        prg03s02-in-f14.1e100.net
      • flag-us
        DNS
        157.123.68.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        157.123.68.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        15.164.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        15.164.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        240.221.184.93.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.221.184.93.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        29.243.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        29.243.111.52.in-addr.arpa
        IN PTR
        Response
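
      Note on the PTR answers above: in the raw log the second and third answers for 78.204.58.216.in-addr.arpa (and for 110.201.58.216.in-addr.arpa) end in a stray byte followed by "H" or "I". That is an RFC 1035 name-compression pointer: the byte 0xC0 plus an offset (0x48 = 72, 0x49 = 73) pointing back at the ".1e100.net" labels of the first answer in the same reply, which the report printed as text instead of following. The example below is added here and is not part of the tria.ge report or of the sample: it constructs a PTR reply with the names from the report, using the same compression, and decodes it. The packet is built for this example, not the one captured in the sandbox; in the constructed reply the shared suffix lands at offset 72, so the rdata bytes of the second answer come out exactly as "lhr25s13-in-f14" followed by 0xC0 0x48, the "lhr25s13-in-f14�H" the log shows.

```python
"""Encode and decode DNS PTR answers with RFC 1035 section 4.1.4 name compression.

Added example; the names come from the sandbox report, the packet is constructed here.
"""
import struct

PTR = 12   # RR type
IN = 1     # RR class

# Constructed sample input: the reverse lookup the report shows for 78.204.58.216.
QNAME = "78.204.58.216.in-addr.arpa"
PTR_NAMES = ["lhr25s13-in-f78.1e100.net",
             "lhr25s13-in-f14.1e100.net",
             "lhr48s49-in-f14.1e100.net"]
SHARED_SUFFIX = "1e100.net"


def encode_labels(name):
    """RFC 1035 label encoding (length byte + label) without the terminating zero."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l)


def encode_name(name):
    return encode_labels(name) + b"\x00"


def read_name(msg, pos):
    """Decode a possibly compressed name at msg[pos]; return (name, position after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                  # 11xxxxxx: 14-bit pointer into the message
            if end is None:
                end = pos + 2                      # the name occupies only the 2-byte pointer here
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            hops += 1
            if hops > 64:                          # malformed packets can loop pointers
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (pos if end is None else end)


def build_ptr_response(qname, ptr_names, shared_suffix, txid=0x1234):
    """Header + one PTR question + one PTR answer per name.  The first answer spells
    its name out; every later answer ends in a pointer to the suffix of the first."""
    msg = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ptr_names), 0, 0)
    msg += encode_name(qname) + struct.pack(">HH", PTR, IN)
    suffix_at = None
    for name in ptr_names:
        if not name.endswith("." + shared_suffix):
            raise ValueError(f"{name} does not end in .{shared_suffix}")
        prefix = name[:-(len(shared_suffix) + 1)]
        if suffix_at is None:
            # 12 = owner-name pointer (2) + type (2) + class (2) + ttl (4) + rdlength (2)
            suffix_at = len(msg) + 12 + len(encode_labels(prefix))
            rdata = encode_name(name)
        else:
            rdata = encode_labels(prefix) + struct.pack(">H", 0xC000 | suffix_at)
        msg += struct.pack(">HHHIH", 0xC000 | 12, PTR, IN, 300, len(rdata)) + rdata
    return msg


def parse_ptr_answers(msg):
    """Return the PTR targets of a response, following pointers wherever they occur."""
    _, _, qd, an, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    pos = 12
    for _ in range(qd):
        _, pos = read_name(msg, pos)
        pos += 4                                   # QTYPE, QCLASS
    targets = []
    for _ in range(an):
        _, pos = read_name(msg, pos)               # owner name (a pointer to the question)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", msg, pos)
        pos += 10
        if rtype == PTR:
            targets.append(read_name(msg, pos)[0])
        pos += rdlen
    return targets


if __name__ == "__main__":
    reply = build_ptr_response(QNAME, PTR_NAMES, SHARED_SUFFIX)
    print(len(reply), "bytes;", reply[44:].hex())
    for target in parse_ptr_answers(reply):
        print(target)
```

      The hop limit in read_name matters when parsing captures by hand: a pointer that points at itself or at another pointer chain is a classic way to hang a naive decoder.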
      • 162.255.119.249:80
        http://www.directdownloader.com/DirectDownloaderInstaller.exe
        http
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        1.5kB
        2.4kB
        20
        8

        HTTP Request

        GET http://www.directdownloader.com/stub/stub_ddlr.exe

        HTTP Response

        302

        HTTP Request

        GET http://www.directdownloader.com/stub/OpenCL.dll

        HTTP Response

        302

        HTTP Request

        GET http://www.directdownloader.com/toolbars/BitAcceleratorDDLRinstaller.exe

        HTTP Response

        302

        HTTP Request

        GET http://www.directdownloader.com/toolbars/optimizer.exe

        HTTP Response

        302

        HTTP Request

        GET http://www.directdownloader.com/DirectDownloaderInstaller.exe

        HTTP Response

        302
      • 142.250.180.4:80
        http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exe
        http
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        2.2kB
        3.9kB
        14
        8

        HTTP Request

        GET http://www.google.com/enterprise/apps/business/products.html/stub/stub_ddlr.exe

        HTTP Response

        301

        HTTP Request

        GET http://www.google.com/enterprise/apps/business/products.html/stub/OpenCL.dll

        HTTP Response

        301

        HTTP Request

        GET http://www.google.com/enterprise/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

        HTTP Response

        301

        HTTP Request

        GET http://www.google.com/enterprise/apps/business/products.html/toolbars/optimizer.exe

        HTTP Response

        301

        HTTP Request

        GET http://www.google.com/enterprise/apps/business/products.html/DirectDownloaderInstaller.exe

        HTTP Response

        301
      • 172.217.169.78:443
        https://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exe
        tls, http
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        3.0kB
        11.1kB
        22
        15

        HTTP Request

        GET https://enterprise.google.com/apps/business/products.html/stub/stub_ddlr.exe

        HTTP Response

        301

        HTTP Request

        GET https://enterprise.google.com/apps/business/products.html/stub/OpenCL.dll

        HTTP Response

        301

        HTTP Request

        GET https://enterprise.google.com/apps/business/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

        HTTP Response

        301

        HTTP Request

        GET https://enterprise.google.com/apps/business/products.html/toolbars/optimizer.exe

        HTTP Response

        301

        HTTP Request

        GET https://enterprise.google.com/apps/business/products.html/DirectDownloaderInstaller.exe

        HTTP Response

        301
      • 216.58.201.99:80
        http://c.pki.goog/r/r1.crl
        http
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        395 B
        1.8kB
        6
        5

        HTTP Request

        GET http://c.pki.goog/r/r1.crl

        HTTP Response

        200
      • 216.58.201.99:80
        http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94
        http
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        509 B
        885 B
        6
        4

        HTTP Request

        GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94

        HTTP Response

        200
      • 216.58.204.78:443
        https://gsuite.google.com/products.html/DirectDownloaderInstaller.exe
        tls, http
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        2.9kB
        11.0kB
        22
        14

        HTTP Request

        GET https://gsuite.google.com/products.html/stub/stub_ddlr.exe

        HTTP Response

        301

        HTTP Request

        GET https://gsuite.google.com/products.html/stub/OpenCL.dll

        HTTP Response

        301

        HTTP Request

        GET https://gsuite.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

        HTTP Response

        301

        HTTP Request

        GET https://gsuite.google.com/products.html/toolbars/optimizer.exe

        HTTP Response

        301

        HTTP Request

        GET https://gsuite.google.com/products.html/DirectDownloaderInstaller.exe

        HTTP Response

        301
      • 216.58.201.110:443
        https://workspace.google.com/products.html/DirectDownloaderInstaller.exe
        tls, http
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        31.0kB
        851.0kB
        633
        630

        HTTP Request

        GET https://workspace.google.com/products.html/stub/stub_ddlr.exe

        HTTP Response

        404

        HTTP Request

        GET https://workspace.google.com/products.html/stub/OpenCL.dll

        HTTP Response

        404

        HTTP Request

        GET https://workspace.google.com/products.html/toolbars/BitAcceleratorDDLRinstaller.exe

        HTTP Response

        404

        HTTP Request

        GET https://workspace.google.com/products.html/toolbars/optimizer.exe

        HTTP Response

        404

        HTTP Request

        GET https://workspace.google.com/products.html/DirectDownloaderInstaller.exe

        HTTP Response

        404
      • 8.8.8.8:53
        73.159.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        73.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        www.directdownloader.com
        dns
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        70 B
        86 B
        1
        1

        DNS Request

        www.directdownloader.com

        DNS Response

        162.255.119.249

      • 8.8.8.8:53
        www.google.com
        dns
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        60 B
        76 B
        1
        1

        DNS Request

        www.google.com

        DNS Response

        142.250.180.4

      • 8.8.8.8:53
        enterprise.google.com
        dns
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        67 B
        104 B
        1
        1

        DNS Request

        enterprise.google.com

        DNS Response

        172.217.169.78

      • 8.8.8.8:53
        205.47.74.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        205.47.74.20.in-addr.arpa

      • 8.8.8.8:53
        249.119.255.162.in-addr.arpa
        dns
        74 B
        154 B
        1
        1

        DNS Request

        249.119.255.162.in-addr.arpa

      • 8.8.8.8:53
        4.180.250.142.in-addr.arpa
        dns
        72 B
        110 B
        1
        1

        DNS Request

        4.180.250.142.in-addr.arpa

      • 8.8.8.8:53
        c.pki.goog
        dns
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        56 B
        107 B
        1
        1

        DNS Request

        c.pki.goog

        DNS Response

        216.58.201.99

      • 8.8.8.8:53
        o.pki.goog
        dns
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        56 B
        107 B
        1
        1

        DNS Request

        o.pki.goog

        DNS Response

        216.58.201.99

      • 8.8.8.8:53
        gsuite.google.com
        dns
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        63 B
        79 B
        1
        1

        DNS Request

        gsuite.google.com

        DNS Response

        216.58.204.78

      • 8.8.8.8:53
        workspace.google.com
        dns
        49977ea91effefa69e91faaf406309c4_JaffaCakes118.exe
        66 B
        82 B
        1
        1

        DNS Request

        workspace.google.com

        DNS Response

        216.58.201.110

      • 8.8.8.8:53
        78.169.217.172.in-addr.arpa
        dns
        73 B
        112 B
        1
        1

        DNS Request

        78.169.217.172.in-addr.arpa

      • 8.8.8.8:53
        78.204.58.216.in-addr.arpa
        dns
        72 B
        171 B
        1
        1

        DNS Request

        78.204.58.216.in-addr.arpa

      • 8.8.8.8:53
        110.201.58.216.in-addr.arpa
        dns
        73 B
        173 B
        1
        1

        DNS Request

        110.201.58.216.in-addr.arpa

      • 8.8.8.8:53
        157.123.68.40.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        157.123.68.40.in-addr.arpa

      • 8.8.8.8:53
        15.164.165.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        15.164.165.52.in-addr.arpa

      • 8.8.8.8:53
        240.221.184.93.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        240.221.184.93.in-addr.arpa

      • 8.8.8.8:53
        29.243.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        29.243.111.52.in-addr.arpa
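
      The two plain-HTTP fetches to c.pki.goog (r1.crl) and o.pki.goog above are revocation checks made by the Windows certificate-chain engine while the sample's TLS connections to the google.com hosts are validated; CRL and OCSP are served over port 80 by design, so these are not the sample's own command-and-control traffic. The last path segment of the o.pki.goog URL is the OCSP request itself: per RFC 6960 Appendix A the DER-encoded OCSPRequest is base64-encoded and URL-encoded onto the responder URL. The example below is added here and is not code from tria.ge or from the sample; its only input is the URL exactly as printed in the report, and the DER walker is deliberately minimal (enough for an unsigned, extension-free request with one CertID). Matching the issuerKeyHash to a particular CA needs the issuer certificate, which the report does not contain, so the example stops at the raw hashes and serial.

```python
"""Decode the OCSP GET request the sample's TLS stack sent to o.pki.goog.

Added example, not part of the sandbox report.  Only the URL is taken from the report.
"""
import base64
from urllib.parse import unquote

# Copied verbatim from the network log above.
OCSP_URL = ("http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8"
            "%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94")
RESPONDER = "http://o.pki.goog/wr2/"

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for every TLV inside a SEQUENCE body."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def decode_oid(raw):
    """Dotted-decimal form of an OBJECT IDENTIFIER value (first byte = 40*a + b, then base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(url, responder=RESPONDER):
    """Return the CertID fields of the first Request carried by an OCSP GET URL."""
    b64 = unquote(url[len(responder):])                 # %2B -> '+', '/' may also appear
    der = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # GET form may omit padding

    _, ocsp_request, _ = read_tlv(der)      # OCSPRequest ::= SEQUENCE { tbsRequest, [0] sig OPTIONAL }
    _, tbs, _ = read_tlv(ocsp_request)      # TBSRequest
    # TBSRequest may open with [0] version and [1] requestorName; requestList is the
    # first universal SEQUENCE (tag 0x30) inside it.
    request_list = next(v for t, v in iter_tlvs(tbs) if t == 0x30)
    _, request, _ = read_tlv(request_list)  # first Request ::= SEQUENCE { reqCert CertID, ... }
    _, cert_id, _ = read_tlv(request)       # CertID
    (_, alg), (_, name_hash), (_, key_hash), (_, serial) = list(iter_tlvs(cert_id))[:4]
    _, oid_raw, _ = read_tlv(alg)           # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    oid = decode_oid(oid_raw)
    return {
        "hash_alg": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        # INTEGER is two's complement; a leading 0x00 keeps a high-bit serial positive
        "serial": format(int.from_bytes(serial, "big", signed=True), "x"),
        "der_len": len(der),
    }


if __name__ == "__main__":
    for key, value in decode_ocsp_get(OCSP_URL).items():
        print(f"{key:17} {value}")
```

      issuerNameHash and issuerKeyHash are SHA-1 digests of the issuer's DER Name and of its subjectPublicKey bit string; with the issuer certificate in hand you recompute both and confirm which CA the query concerns, and the serial tells you which leaf certificate the client was validating.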

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe

        Filesize

        7B

        MD5

        824ab679eea19c5b43b186800c2c625f

        SHA1

        f8b90bc89117ac4f1a272e7acef952a79a64b617

        SHA256

        f6d4a23bd6b412e4d4906cbd1c56dcbcf5ddd96b6a9098ceba96be94e52f7ab3

        SHA512

        e13bb9c005c2acb412916bf0f4a37b39c2800298042d5344b877143d1b767342903c9bb3e8d4eda75f37cc323b5f623d6bf34629d2c999c7df316de4ffd3caf4

      • C:\Users\Admin\AppData\Local\Temp\stub_ddlr.exe

        Filesize

        155KB

        MD5

        e1098470152dc10fb29b3ad7b4e5f5cf

        SHA1

        ae5a796340be8f0912d6c85f81dce21211aaaf15

        SHA256

        3832d19f80a84069c5010266fa3cf11eee5bb1c3d1b2ba278e49519519561b8a

        SHA512

        0ba3a53a3021be99aaf5cf8af54f214feea0f80f112a7ffb209b4c2c0539f8b8b6cd087ba7ed6501c9b79e0a9496494e471ac43f9b7f0aacf58866c01e90e7c6

      • memory/4740-24-0x0000000000400000-0x00000000004C3000-memory.dmp

        Filesize

        780KB
