Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-09-2024 15:46

General

  • Target

    fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe

  • Size

    578KB

  • MD5

    fab060854959752071dd189e5e8f02ed

  • SHA1

    08d9ec618c6c9e6d3544c9877edb63575981aba3

  • SHA256

    0609543d20e58f2d96e03d4a87a04dfb37f59b12f47b0f752327c1db06e37b0c

  • SHA512

    edd8f4baccb95e25f771e1e9d077aa1fa1290d4fd467b5e54944c37673f40b05e499253ef1a74d09991fd8678fd9b44143b6bab2e09ade7b29705029d4088c2b

  • SSDEEP

    6144:UKlr3FcfCElJk125U8SpVUagDsvb6mgmw4sFfTysVufBn597NX2I:UqVcfXlJkE5YVUjuOjysgfBnnl2I

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRat Executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
      C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -806691 -dcu -38047d8c737f43bb833845079fbe9836 - -ChromeBundle -sjmhbdczthfccftw
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1e79758,0x7fef1e79768,0x7fef1e79778
          4⤵
            PID:3000
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:2
            4⤵
              PID:3008
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:8
              4⤵
                PID:2248
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:8
                4⤵
                  PID:1648
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2176 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:1
                  4⤵
                    PID:344
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2184 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:1
                    4⤵
                      PID:852
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3208 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:2
                      4⤵
                        PID:1368
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3260 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:1
                        4⤵
                          PID:1644
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1340,i,16886387001044932746,13139264454898083311,131072 /prefetch:8
                          4⤵
                            PID:296
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
      PID:1204

Network

                      • flag-us
                        DNS
                        www.download-sponsor.de
                        chrome.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        www.download-sponsor.de
                        IN A
                        Response
                        www.download-sponsor.de
                        IN A
                        176.9.175.237
                      • flag-de
                        GET
                        http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=806691&pid=dcu&source=ChromeBundle&setupid=38047d8c737f43bb833845079fbe9836&lang=en-US
                        ocs_v6z.exe
                        Remote address:
                        176.9.175.237:80
                        Request
                        GET /initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=806691&pid=dcu&source=ChromeBundle&setupid=38047d8c737f43bb833845079fbe9836&lang=en-US HTTP/1.1
                        Host: www.download-sponsor.de
                        Connection: Keep-Alive
                        Response
                        HTTP/1.1 200 OK
                        Date: Fri, 27 Sep 2024 15:47:02 GMT
                        Server: Apache
                        Vary: Accept-Encoding
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=1500
                        Connection: Keep-Alive
                        Content-Type: text/html
                      • flag-us
                        DNS
                        bin.download-sponsor.de
                        ocs_v6z.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        bin.download-sponsor.de
                        IN A
                        Response
                        bin.download-sponsor.de
                        IN A
                        176.9.175.234
                      • flag-de
                        DNS
                        ocs_v6z.exe
                        Remote address:
                        176.9.175.234:80
                        Response
                        HTTP/1.1 400 Bad Request
                        Server: nginx
                        Date: Fri, 27 Sep 2024 15:47:03 GMT
                        Content-Type: text/html
                        Content-Length: 150
                        Connection: close
                      • flag-de
                        GET
                        http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
                        chrome.exe
                        Remote address:
                        176.9.175.237:80
                        Request
                        GET /exitdownload/thankyou.php?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865 HTTP/1.1
                        Host: www.download-sponsor.de
                        Connection: keep-alive
                        Upgrade-Insecure-Requests: 1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en;q=0.9
                        Response
                        HTTP/1.1 302 Found
                        Date: Fri, 27 Sep 2024 15:47:09 GMT
                        Server: Apache
                        location: http://dcu.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
                        Vary: Accept-Encoding
                        Content-Encoding: gzip
                        Content-Length: 20
                        Keep-Alive: timeout=5, max=1500
                        Connection: Keep-Alive
                        Content-Type: text/html
                      • flag-us
                        DNS
                        dcu.download-sponsor.de
                        chrome.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        dcu.download-sponsor.de
                        IN A
                        Response
                        dcu.download-sponsor.de
                        IN A
                        176.9.175.237
                      • flag-de
                        GET
                        http://dcu.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
                        chrome.exe
                        Remote address:
                        176.9.175.237:80
                        Request
                        GET /feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865 HTTP/1.1
                        Host: dcu.download-sponsor.de
                        Connection: keep-alive
                        Upgrade-Insecure-Requests: 1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en;q=0.9
                        Response
                        HTTP/1.1 302 Found
                        Date: Fri, 27 Sep 2024 15:47:09 GMT
                        Server: Apache
                        location: http://survey.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
                        Vary: Accept-Encoding
                        Content-Encoding: gzip
                        Content-Length: 20
                        Keep-Alive: timeout=5, max=1500
                        Connection: Keep-Alive
                        Content-Type: text/html
                      • flag-us
                        DNS
                        survey.download-sponsor.de
                        chrome.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        survey.download-sponsor.de
                        IN A
                        Response
                        survey.download-sponsor.de
                        IN A
                        176.9.175.237
                      • flag-de
                        GET
                        http://survey.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
                        chrome.exe
                        Remote address:
                        176.9.175.237:80
                        Request
                        GET /feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865 HTTP/1.1
                        Host: survey.download-sponsor.de
                        Connection: keep-alive
                        Upgrade-Insecure-Requests: 1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en;q=0.9
                        Response
                        HTTP/1.1 200 OK
                        Date: Fri, 27 Sep 2024 15:47:09 GMT
                        Server: Apache
                        Vary: Accept-Encoding
                        Content-Encoding: gzip
                        Content-Length: 2136
                        Keep-Alive: timeout=5, max=1500
                        Connection: Keep-Alive
                        Content-Type: text/html
                      • flag-de
                        GET
                        http://survey.download-sponsor.de/feedback/img/metalbg.jpg
                        chrome.exe
                        Remote address:
                        176.9.175.237:80
                        Request
                        GET /feedback/img/metalbg.jpg HTTP/1.1
                        Host: survey.download-sponsor.de
                        Connection: keep-alive
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                        Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                        Referer: http://survey.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en;q=0.9
                        Response
                        HTTP/1.1 200 OK
                        Date: Fri, 27 Sep 2024 15:47:09 GMT
                        Server: Apache
                        Last-Modified: Tue, 12 Jun 2012 18:35:35 GMT
                        ETag: "96640c-3f262-4c24abb71abc0"
                        Accept-Ranges: bytes
                        Content-Length: 258658
                        Keep-Alive: timeout=5, max=1499
                        Connection: Keep-Alive
                        Content-Type: image/jpeg
                      • flag-us
                        DNS
                        d.addelive.com
                        chrome.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        d.addelive.com
                        IN A
                        Response
                        d.addelive.com
                        IN A
                        66.216.109.248
                      • flag-us
                        DNS
                        download-sponsor.de
                        chrome.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        download-sponsor.de
                        IN A
                        Response
                        download-sponsor.de
                        IN A
                        176.9.175.237
                      • flag-us
                        DNS
                        files.download-sponsor.de
                        chrome.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        files.download-sponsor.de
                        IN A
                        Response
                        files.download-sponsor.de
                        IN A
                        176.9.175.237
                      • flag-us
                        DNS
                        content-autofill.googleapis.com
                        chrome.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        content-autofill.googleapis.com
                        IN A
                        Response
                        content-autofill.googleapis.com
                        IN A
                        142.250.187.234
                      • flag-us
                        DNS
                        impressum.thinklabs-ltd.de
                        chrome.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        impressum.thinklabs-ltd.de
                        IN A
                        Response
                        impressum.thinklabs-ltd.de
                        IN A
                        176.9.175.237
                      • flag-us
                        DNS
                        www.download-sponsor.de
                        chrome.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        www.download-sponsor.de
                        IN A
                        Response
                        www.download-sponsor.de
                        IN A
                        176.9.175.237
                      • flag-de
                        GET
                        http://download-sponsor.de//partnerbranding/brandmachine/brandmachine.php?pid=dcu&sl=3
                        chrome.exe
                        Remote address:
                        176.9.175.237:80
                        Request
                        GET //partnerbranding/brandmachine/brandmachine.php?pid=dcu&sl=3 HTTP/1.1
                        Host: download-sponsor.de
                        Connection: keep-alive
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                        Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                        Referer: http://survey.download-sponsor.de/
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en;q=0.9
                        Response
                        HTTP/1.1 302 Found
                        Date: Fri, 27 Sep 2024 15:47:10 GMT
                        Server: Apache
                        location: resources/images/ownupload/dcu-50bfd27d3f84907c3c34892a76ebf9ba.png
                        Vary: Accept-Encoding
                        Content-Encoding: gzip
                        Content-Length: 20
                        Keep-Alive: timeout=5, max=1500
                        Connection: Keep-Alive
                        Content-Type: text/html
                      • flag-de
                        GET
                        http://download-sponsor.de//partnerbranding/brandmachine/resources/images/ownupload/dcu-50bfd27d3f84907c3c34892a76ebf9ba.png
                        chrome.exe
                        Remote address:
                        176.9.175.237:80
                        Request
                        GET //partnerbranding/brandmachine/resources/images/ownupload/dcu-50bfd27d3f84907c3c34892a76ebf9ba.png HTTP/1.1
                        Host: download-sponsor.de
                        Connection: keep-alive
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                        Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                        Referer: http://survey.download-sponsor.de/
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en;q=0.9
                        Response
                        HTTP/1.1 200 OK
                        Date: Fri, 27 Sep 2024 15:47:10 GMT
                        Server: Apache
                        ETag: "9700d3-1eca-4d1fec53006c0"
                        Accept-Ranges: bytes
                        Content-Length: 7882
                        Last-Modified: Sat, 29 Dec 2012 14:41:07 GMT
                        Keep-Alive: timeout=5, max=1499
                        Connection: Keep-Alive
                        Content-Type: image/png
                      • flag-gb
                        GET
                        https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSFwlEXNaJFrQNjBIFDeLcrB8SBQ1Xtmoh?alt=proto
                        chrome.exe
                        Remote address:
                        142.250.187.234:443
                        Request
                        GET /v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSFwlEXNaJFrQNjBIFDeLcrB8SBQ1Xtmoh?alt=proto HTTP/2.0
                        host: content-autofill.googleapis.com
                        x-goog-encode-response-if-executable: base64
                        x-goog-api-key: AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
                        x-client-data: COSIywE=
                        sec-fetch-site: none
                        sec-fetch-mode: no-cors
                        sec-fetch-dest: empty
                        user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                        accept-encoding: gzip, deflate, br
                        accept-language: en-US,en;q=0.9
                      • flag-de
                        GET
                        http://files.download-sponsor.de/guided-download/templates/publisher/icon-delivery.php?pid=dcu&cid=806691
                        chrome.exe
                        Remote address:
                        176.9.175.237:80
                        Request
                        GET /guided-download/templates/publisher/icon-delivery.php?pid=dcu&cid=806691 HTTP/1.1
                        Host: files.download-sponsor.de
                        Connection: keep-alive
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                        Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                        Referer: http://survey.download-sponsor.de/
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en;q=0.9
                        Response
                        HTTP/1.1 200 OK
                        Date: Fri, 27 Sep 2024 15:47:10 GMT
                        Server: Apache
                        Content-Length: 4435
                        Keep-Alive: timeout=5, max=1500
                        Connection: Keep-Alive
                        Content-Type: image/png
                      • flag-us
                        DNS
                        download.chip.eu
                        chrome.exe
                        Remote address:
• 8.8.8.8:53, dns
  DNS Request: download.chip.eu IN A
  DNS Response: (no A record shown)
• 176.9.175.237:80 (www.download-sponsor.de), http, process ocs_v6z.exe
  Sent 503 B in 6 packets, received 368 B in 4 packets
  HTTP Request: GET http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=806691&pid=dcu&source=ChromeBundle&setupid=38047d8c737f43bb833845079fbe9836&lang=en-US
  HTTP Response: 200
• 176.9.175.234:80 (bin.download-sponsor.de), http, process ocs_v6z.exe
  Sent 435 B in 5 packets, received 507 B in 5 packets
  HTTP Response: 400 (no request line listed)
• 176.9.175.237:80 (www.download-sponsor.de), process chrome.exe
  Sent 242 B in 5 packets, received 184 B in 4 packets (no protocol or request listed)
• 176.9.175.237:80 (www.download-sponsor.de), http, process chrome.exe
  Sent 997 B in 6 packets, received 767 B in 5 packets
  HTTP Request: GET http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
  HTTP Response: 302
  (the cdata "ua" field is the hex encoding of "chrome.exe"; the same uid/sid/cdata values are carried through the redirects below)
• 176.9.175.237:80 (dcu.download-sponsor.de), http, process chrome.exe
  Sent 981 B in 6 packets, received 770 B in 5 packets
  HTTP Request: GET http://dcu.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
  HTTP Response: 302
• 176.9.175.237:80 (survey.download-sponsor.de), http, process chrome.exe
  Sent 6.3kB in 107 packets, received 269.2kB in 198 packets
  HTTP Request: GET http://survey.download-sponsor.de/feedback/?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=eb323222-ac73-4f8b-998e-7baa2e1f6fa7&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
  HTTP Response: 200
  HTTP Request: GET http://survey.download-sponsor.de/feedback/img/metalbg.jpg
  HTTP Response: 200
• 66.216.109.248:80 (d.addelive.com), process chrome.exe
  Sent 152 B in 3 packets, no received data listed
• 176.9.175.237:80 (download-sponsor.de), http, process chrome.exe
  Sent 1.4kB in 11 packets, received 9.0kB in 13 packets
  HTTP Request: GET http://download-sponsor.de//partnerbranding/brandmachine/brandmachine.php?pid=dcu&sl=3
  HTTP Response: 302
  HTTP Request: GET http://download-sponsor.de//partnerbranding/brandmachine/resources/images/ownupload/dcu-50bfd27d3f84907c3c34892a76ebf9ba.png
  HTTP Response: 200
• 142.250.187.234:443 (content-autofill.googleapis.com), tls, http2, process chrome.exe
  Sent 1.8kB in 15 packets, received 6.8kB in 17 packets
  HTTP Request: GET https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSFwlEXNaJFrQNjBIFDeLcrB8SBQ1Xtmoh?alt=proto
  HTTP Response: (none listed)
• 176.9.175.237:80 (files.download-sponsor.de), http, process chrome.exe
  Sent 777 B in 7 packets, received 4.9kB in 8 packets
  HTTP Request: GET http://files.download-sponsor.de/guided-download/templates/publisher/icon-delivery.php?pid=dcu&cid=806691
  HTTP Response: 200
• 66.216.109.248:80 (d.addelive.com), process chrome.exe
  Sent 152 B in 3 packets, no received data listed
• 8.8.8.8:53, dns, process chrome.exe
  Sent 69 B in 1 packet, received 85 B in 1 packet
  DNS Request: www.download-sponsor.de
  DNS Response: 176.9.175.237
• 8.8.8.8:53, dns, process ocs_v6z.exe
  Sent 69 B in 1 packet, received 85 B in 1 packet
  DNS Request: bin.download-sponsor.de
  DNS Response: 176.9.175.234
• 8.8.8.8:53, dns, process chrome.exe
  Sent 69 B in 1 packet, received 85 B in 1 packet
  DNS Request: dcu.download-sponsor.de
  DNS Response: 176.9.175.237
• 8.8.8.8:53, dns, process chrome.exe
  Sent 72 B in 1 packet, received 88 B in 1 packet
  DNS Request: survey.download-sponsor.de
  DNS Response: 176.9.175.237
• 8.8.8.8:53, dns, process chrome.exe
  Sent 60 B in 1 packet, received 76 B in 1 packet
  DNS Request: d.addelive.com
  DNS Response: 66.216.109.248
• 8.8.8.8:53, dns, process chrome.exe
  Sent 65 B in 1 packet, received 81 B in 1 packet
  DNS Request: download-sponsor.de
  DNS Response: 176.9.175.237
• 8.8.8.8:53, dns, process chrome.exe
  Sent 71 B in 1 packet, received 87 B in 1 packet
  DNS Request: files.download-sponsor.de
  DNS Response: 176.9.175.237
• 8.8.8.8:53, dns, process chrome.exe
  Sent 77 B in 1 packet, received 301 B in 1 packet
  DNS Request: content-autofill.googleapis.com
  DNS Response: 142.250.187.234, 216.58.204.74, 142.250.200.10, 172.217.169.42, 142.250.200.42, 216.58.213.10, 172.217.169.74, 142.250.179.234, 216.58.212.202, 172.217.16.234, 142.250.180.10, 216.58.201.106, 142.250.187.202, 142.250.178.10
• 8.8.8.8:53, dns, process chrome.exe
  Sent 72 B in 1 packet, received 88 B in 1 packet
  DNS Request: impressum.thinklabs-ltd.de
  DNS Response: 176.9.175.237
• 8.8.8.8:53, dns, process chrome.exe
  Sent 69 B in 1 packet, received 85 B in 1 packet
  DNS Request: www.download-sponsor.de
  DNS Response: 176.9.175.237
• 8.8.8.8:53, dns, process chrome.exe
  Sent 62 B in 1 packet, received 133 B in 1 packet
  DNS Request: download.chip.eu
  DNS Response: (no A record shown)
• 224.0.0.251:5353 (mDNS multicast), process chrome.exe
  Sent 204 B in 3 packets, no received data listed

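The connection list above is rendered one field per line. The parser below is an added example, not part of the sandbox report or its tooling: it reads three of those records (copied into a constructed sample string) into structured connections, collects domains, IPs, URLs and DNS answers as IOCs, and lists the plain-HTTP connections made by the dropped binary ocs_v6z.exe. The assumed record layout (destination, host or URL, protocol, process, bytes sent, bytes received, packets sent, packets received, then request/response pairs) is inferred from how the report is laid out; records that show no protocol column, such as the d.addelive.com connection, are handled as well.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from itertools import takewhile
from urllib.parse import urlsplit

PROTOCOLS = {"http", "dns", "tls", "tls, http2"}
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: three records copied from the report, one field per line
# (destination, host/URL, protocol, process, bytes/packets, request/response).
SAMPLE = """\
• 176.9.175.237:80
http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=806691&pid=dcu&source=ChromeBundle&setupid=38047d8c737f43bb833845079fbe9836&lang=en-US
http
ocs_v6z.exe
503 B
368 B
6
4
HTTP Request
GET http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=806691&pid=dcu&source=ChromeBundle&setupid=38047d8c737f43bb833845079fbe9836&lang=en-US
HTTP Response
200
• 8.8.8.8:53
bin.download-sponsor.de
dns
ocs_v6z.exe
69 B
85 B
1
1
DNS Request
bin.download-sponsor.de
DNS Response
176.9.175.234
• 66.216.109.248:80
d.addelive.com
chrome.exe
152 B
3
"""

@dataclass
class Conn:
    dest: str                 # remote "ip:port"
    host: str                 # domain or URL on the record's second line
    protocol: str = None      # None when the report shows no protocol column
    process: str = None
    requests: list = field(default_factory=list)   # "GET http://..." lines
    responses: list = field(default_factory=list)  # HTTP status codes
    dns_query: str = None
    dns_answers: list = field(default_factory=list)

def parse_records(text):
    """Split the flattened text at each bullet and parse every record."""
    records, block = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("•") and block:
            records.append(_parse_block(block))
            block = []
        block.append(line.lstrip("• "))
    if block:
        records.append(_parse_block(block))
    return records

def _parse_block(lines):
    conn = Conn(lines[0], lines[1] if len(lines) > 1 else "")
    if len(lines) > 2 and lines[2] in PROTOCOLS:
        conn.protocol = lines[2]
        conn.process = lines[3] if len(lines) > 3 else None
    elif len(lines) > 2:
        conn.process = lines[2]   # record with no protocol column
    for i, tag in enumerate(lines[:-1]):
        nxt = lines[i + 1]
        if tag == "HTTP Request":
            conn.requests.append(nxt)
        elif tag == "HTTP Response" and nxt.isdigit():
            conn.responses.append(nxt)
        elif tag == "DNS Request":
            conn.dns_query = nxt
        elif tag == "DNS Response":   # one IP per line until a non-IP line
            conn.dns_answers.extend(takewhile(IP_RE.match, lines[i + 1:]))
    return conn

def extract_iocs(records):
    """Domains, IPs, URLs and DNS answers; the resolver and multicast peers are skipped."""
    domains, ips, urls, resolved = set(), set(), set(), {}
    for c in records:
        ip = c.dest.rsplit(":", 1)[0]
        if c.protocol != "dns" and not ipaddress.ip_address(ip).is_multicast:
            ips.add(ip)
        for cand in [c.host] + [r.split(" ", 1)[-1] for r in c.requests]:
            if cand.startswith(("http://", "https://")):
                urls.add(cand)
                domains.add(urlsplit(cand).hostname)
            elif "." in cand and not IP_RE.match(cand):
                domains.add(cand)
        if c.dns_query:
            domains.add(c.dns_query)
            ips.update(c.dns_answers)
            resolved[c.dns_query] = list(c.dns_answers)
    return {"domains": sorted(domains), "ips": sorted(ips),
            "urls": sorted(urls), "resolved": resolved}

def cleartext_by_process(records, processes):
    """Plain-HTTP connections made by the named processes (e.g. the dropped EXE)."""
    return [(c.process, c.dest, c.host) for c in records
            if c.protocol == "http" and c.process in processes]
```

Feeding the whole network section through `parse_records` gives the full IOC set for blocklisting; `cleartext_by_process(recs, {"ocs_v6z.exe"})` isolates the traffic that the dropped executable itself generated, which is the part worth a network detection, as opposed to the browser traffic that followed.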
                      MITRE ATT&CK Enterprise v15


                      Downloads

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
  Filesize: 16B
  MD5:    aefd77f47fb84fae5ea194496b44c67a
  SHA1:   dcfbb6a5b8d05662c4858664f81693bb7f803b82
  SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
  SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
  Filesize: 264KB
  MD5:    f50f89a0a91564d0b8a211f8921aa7de
  SHA1:   112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 5KB
  MD5:    c1702ff6433f55ba9d6ac8e5d8cb8c69
  SHA1:   2a5bc67d785c989ba1683f0b7867e8848508b39b
  SHA256: dc22b82bb1af7d90e29ab413f52c7f00f23b6d4150bb98648fbe2a042e4b987b
  SHA512: 167c9274b096d92245ca97c6e2d1e7badccd25861ba535ab547df9d2b791e14cf5f5d89266b066e8d80219c1e1aae536acc0648ebf5030d91d7cc335cca00699

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences (second version written during the run)
  Filesize: 5KB
  MD5:    e327bebb291e1b40529fc4d60dec38b2
  SHA1:   4d78e6a27bc76a3b1e2a980f88032f3753594930
  SHA256: 9323a38bb9e130e26c267b696bf688d42dd3eca2f9d504fa61d37fe99af667a9
  SHA512: 17a8713413628c12c88d8069796ab4b5effea08585e2bfed9ff7c4fa0a2c4cac16bfd73ed9e6035e41347b07757688de987a5ce45fbb7fd1da76e18bdc6d2c06

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT
  Filesize: 16B
  MD5:    18e723571b00fb1694a3bad6c78e4054
  SHA1:   afcc0ef32d46fe59e0483f9a3c891d3034d12f32
  SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
  SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

• C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe (the dropped executable; its network activity is listed above)
  Filesize: 312KB
  MD5:    09f02c017e40a998537f26d0caee8d22
  SHA1:   7676d2f17068a9050bbbbe10908e75bc5d59b631
  SHA256: fae6c9cfda16a9f4587b0041156a7284bf7cb1fc48e1e34f33b50ebc2d00e2d7
  SHA512: 0c7d4fad92bb7478e277f6c56e0e0dbd665171a7bea06a6668d9d0120c5f171cbcec37c60b6354a286192f2f0bbf104ccc5550159e863ee03cc2e23243eb93c7

• C:\Users\Admin\AppData\Local\Temp\OCS\sjmhbdczthfccftw.dat
  Filesize: 89B
  MD5:    9ede8209fd0d5d08a54b06331d0dd050
  SHA1:   0467285ff5da75f5004b696945a9b3aff23dc20c
  SHA256: 83a9bb057e5fac5a27dfe83aaff2698141ec49717ad093d07af5c4e080a26aa7
  SHA512: 3491f3680e70637ee6f7991a526552b065b66043881178bcda32a17929aa2e35352f44ac930b678de14aa2964ce0ff5b75767d13c5038aa7d3c61c3d35758c13

Memory dumps (process 2124; the 0x000007FEF5630000-0x000007FEF5FCD000 region is 9.6MB and was dumped repeatedly):

• memory/2124-22-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-27-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-20-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-21-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-23-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-24-0x000007FEF58EE000-0x000007FEF58EF000-memory.dmp, Filesize 4KB
• memory/2124-25-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-19-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-18-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-17-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-16-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-15-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-14-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp, Filesize 9.6MB
• memory/2124-12-0x000007FEF58EE000-0x000007FEF58EF000-memory.dmp, Filesize 4KB
