fce1651db192b64396df3d24b717bb657570653314f1de50c5c7c0257dee3932

Analysis

max time kernel
140s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 15:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30a069402942344e05088e9fbcb70937_JaffaCakes118.html
Size

139KB
MD5

30a069402942344e05088e9fbcb70937
SHA1

e5b632795b51dbc0c765f51a26526b81b4af8311
SHA256

fce1651db192b64396df3d24b717bb657570653314f1de50c5c7c0257dee3932
SHA512

91f0ad7e1712f63637266452cb3690c0e97f01a3bf14ddd91097eff8f5bd02de4d2102ad4b0e2e20f3ebc63cee82d8e28c4adb9ffc390123743f8a00e06691b1
SSDEEP

1536:S0cvonIQv2NzP5CqlZNyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXu:S0c/NyfkMY+BES09JXAnyrZalI+YQ

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0051eb22a1bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000ad707ca53de640284d82bc2f697fbffd28d69fbdf807e72256812df898fd48d0000000000e8000000002000020000000cb8450601d97b421190f4cc634db9aaae73ae716de9c654eeeae63a934677fc6200000000b05c0588a3967911a394c84ab424944cd51ba9a0bf22491fb793f718c46d65540000000c6f92a5135799c93a69074888129e6e9fa5646478f09c000cfa5031011f57c0af9efd57046890a7b04ed5e1848c700ecb398d717d83007dda5962768726f44c3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434736541"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b960000000002000000000010660000000100002000000088d3e6eccebce9817f7d11d0ca72a81358db70e849a87d3e8c2caae25845354c000000000e8000000002000020000000a909dc6ea0eb33279b12c4336b04be47baee990322400bde92470419c8e86eb1900000000010b10fda868673b76d54b8dbf4c0e405f1696ad5f18be6daba840f3fa6336f02788024e3309970c40762b522f487c67e4391d7cfaaa893b1f7a6c9bb13362f3a24b6116069c9b1168d9872ddfa172f19eeb7828f5cc2dd076ba3efb336aef2d8175e884728dd95f73ac9b64568f03fe2cbba12c73e9902417dcfc5a6887c832fab697303ae2d09af8998da85fd622540000000cc02d16d078190eeef7235850f090e1ee53cf75680a15af472894f812f0f7d7fc74149fa69040745df28fb1fd5ea184e871130f3bb3fb1ea90745f7e3a64d63c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9D3EE1C1-871D-11EF-8D2A-5E7C7FDA70D7} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2464	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2464	iexplore.exe
2464	iexplore.exe
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2888	2464	iexplore.exe	31
PID 2464 wrote to memory of 2888	2464	iexplore.exe	31
PID 2464 wrote to memory of 2888	2464	iexplore.exe	31
PID 2464 wrote to memory of 2888	2464	iexplore.exe	31

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\30a069402942344e05088e9fbcb70937_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2888

Network

DNS

ohab3.ain9.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

ohab3.ain9.com

IN A

Response

ohab3.ain9.com

IN CNAME

traff-3.hugedomains.com

traff-3.hugedomains.com

IN CNAME

hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com

hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com

IN A

3.18.7.81

hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com

IN A

3.19.116.195
GET

http://ohab3.ain9.com/ads.js

IEXPLORE.EXE

Remote address:

3.18.7.81:80

Request

GET /ads.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ohab3.ain9.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

content-length: 0
date: Thu, 10 Oct 2024 15:37:55 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=ain9.com
GET

http://ohab3.ain9.com/css/nr.css

IEXPLORE.EXE

Remote address:

3.18.7.81:80

Request

GET /css/nr.css HTTP/1.1
Accept: text/css, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ohab3.ain9.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

content-length: 0
date: Thu, 10 Oct 2024 15:37:54 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=ain9.com
GET

http://ohab3.ain9.com/js/jquery.min.js

IEXPLORE.EXE

Remote address:

3.18.7.81:80

Request

GET /js/jquery.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ohab3.ain9.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

content-length: 0
date: Thu, 10 Oct 2024 15:37:55 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=ain9.com
DNS

www.hugedomains.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

www.hugedomains.com

IN A

Response

www.hugedomains.com

IN A

104.26.7.37

www.hugedomains.com

IN A

104.26.6.37

www.hugedomains.com

IN A

172.67.70.191
GET

https://www.hugedomains.com/domain_profile.cfm?d=ain9.com

IEXPLORE.EXE

Remote address:

104.26.7.37:443

Request

GET /domain_profile.cfm?d=ain9.com HTTP/1.1
Accept: text/css, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.hugedomains.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 10 Oct 2024 15:37:56 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: site_version_phase=108; expires=Sun, 05-Oct-2025 15:37:56 GMT; path=/
set-cookie: site_version=HDv3; expires=Sun, 05-Oct-2025 15:37:56 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S4LyyTDMvmw0omYwnhAD3TL4Gqn4MJNM6I8pd5j0Fg8et8d%2BgTEDXsb8OafXvhejlsy4OcjiyjTn5C%2FfNavUMEl8Z2HG3Ei%2FMHh%2FNUgt%2BRSLQjUVG8up9p%2FxDMNRTN0nmUQztdg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d07b1cdfa3f9406-LHR
Content-Encoding: gzip
GET

https://www.hugedomains.com/domain_profile.cfm?d=ain9.com

IEXPLORE.EXE

Remote address:

104.26.7.37:443

Request

GET /domain_profile.cfm?d=ain9.com HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.hugedomains.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 10 Oct 2024 15:37:56 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: site_version_phase=108; expires=Sun, 05-Oct-2025 15:37:56 GMT; path=/
set-cookie: site_version=HDv3; expires=Sun, 05-Oct-2025 15:37:56 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5hwNgJLEnVZD1ApOkYRs8ZxKfYCxL3TzJnpAvNt%2FzhQ8o4S7SxCFi8EEzK9ji4niOvgeyjr39MrCBf7ChMPKSyRkYVPpHbnxtJ%2FDYm1xMbvFFi3n7M%2BLzLOkQQGIzBqyQ8pzppo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d07b1cf2c029406-LHR
Content-Encoding: gzip
GET

https://www.hugedomains.com/domain_profile.cfm?d=ain9.com

IEXPLORE.EXE

Remote address:

104.26.7.37:443

Request

GET /domain_profile.cfm?d=ain9.com HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.hugedomains.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 10 Oct 2024 15:37:56 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: private
vary: Accept-Encoding
set-cookie: site_version_phase=108; expires=Sun, 05-Oct-2025 15:37:56 GMT; path=/
set-cookie: site_version=HDv3; expires=Sun, 05-Oct-2025 15:37:56 GMT; path=/
x-powered-by: ASP.NET
lb: TclPrdLbHd3
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CkchjcOe839%2Fk6fmax4PKjnDQgVV6lSddiEmCRi%2BNN5tlX%2BB%2FyF195fzOe%2Bf8h6muil%2FXkJ6JAMOSnlL8KxukdKGEQG%2B24ov16X%2BkTTYqYnq4ywriBSYsl4vXG3MLxavtp%2BzjRE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d07b1ce2d7894de-LHR
Content-Encoding: gzip
DNS

c.pki.goog

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.195
DNS

c.pki.goog

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.195
DNS

c.pki.goog

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.195
GET

http://c.pki.goog/r/gsr1.crl

IEXPLORE.EXE

Remote address:

142.250.187.195:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 10 Oct 2024 15:32:43 GMT
Expires: Thu, 10 Oct 2024 16:22:43 GMT
Cache-Control: public, max-age=3000
Age: 316
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/gsr1.crl

IEXPLORE.EXE

Remote address:

142.250.187.195:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 10 Oct 2024 15:32:43 GMT
Expires: Thu, 10 Oct 2024 16:22:43 GMT
Cache-Control: public, max-age=3000
Age: 313
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

IEXPLORE.EXE

Remote address:

142.250.187.195:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 10 Oct 2024 15:06:21 GMT
Expires: Thu, 10 Oct 2024 15:56:21 GMT
Cache-Control: public, max-age=3000
Age: 1895
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/gsr1.crl

IEXPLORE.EXE

Remote address:

142.250.187.195:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 10 Oct 2024 15:32:43 GMT
Expires: Thu, 10 Oct 2024 16:22:43 GMT
Cache-Control: public, max-age=3000
Age: 313
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

IEXPLORE.EXE

Remote address:

142.250.187.195:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 10 Oct 2024 15:06:21 GMT
Expires: Thu, 10 Oct 2024 15:56:21 GMT
Cache-Control: public, max-age=3000
Age: 1895
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

bdimg.share.baidu.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

bdimg.share.baidu.com

IN A

Response

bdimg.share.baidu.com

IN CNAME

share.jomodns.com

share.jomodns.com

IN CNAME

share.n.shifen.com

share.n.shifen.com

IN A

182.61.244.229

share.n.shifen.com

IN A

14.215.182.161

share.n.shifen.com

IN A

182.61.201.94

share.n.shifen.com

IN A

163.177.17.97

share.n.shifen.com

IN A

182.61.201.93

share.n.shifen.com

IN A

39.156.68.163

share.n.shifen.com

IN A

112.34.113.148

share.n.shifen.com

IN A

180.101.212.103
DNS

bdimg.share.baidu.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

bdimg.share.baidu.com

IN A

Response

bdimg.share.baidu.com

IN CNAME

share.jomodns.com

share.jomodns.com

IN CNAME

share.n.shifen.com

share.n.shifen.com

IN A

163.177.17.97

share.n.shifen.com

IN A

39.156.68.163

share.n.shifen.com

IN A

182.61.244.229

share.n.shifen.com

IN A

182.61.201.93

share.n.shifen.com

IN A

180.101.212.103

share.n.shifen.com

IN A

14.215.182.161

share.n.shifen.com

IN A

182.61.201.94

share.n.shifen.com

IN A

112.34.113.148

3.18.7.81:80

http://ohab3.ain9.com/ads.js

http

IEXPLORE.EXE

803 B
279 B
12
3

HTTP Request

GET http://ohab3.ain9.com/ads.js

HTTP Response

302
3.18.7.81:80

http://ohab3.ain9.com/css/nr.css

http

IEXPLORE.EXE

787 B
279 B
12
3

HTTP Request

GET http://ohab3.ain9.com/css/nr.css

HTTP Response

302
3.18.7.81:80

http://ohab3.ain9.com/js/jquery.min.js

http

IEXPLORE.EXE

813 B
279 B
12
3

HTTP Request

GET http://ohab3.ain9.com/js/jquery.min.js

HTTP Response

302
104.26.7.37:443

www.hugedomains.com

tls

IEXPLORE.EXE

756 B
3.6kB
10
9
104.26.7.37:443

https://www.hugedomains.com/domain_profile.cfm?d=ain9.com

tls, http

IEXPLORE.EXE

1.9kB
25.0kB
23
32

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=ain9.com

HTTP Response

200

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=ain9.com

HTTP Response

200
104.26.7.37:443

https://www.hugedomains.com/domain_profile.cfm?d=ain9.com

tls, http

IEXPLORE.EXE

1.3kB
14.2kB
15
20

HTTP Request

GET https://www.hugedomains.com/domain_profile.cfm?d=ain9.com

HTTP Response

200
142.250.187.195:80

http://c.pki.goog/r/gsr1.crl

http

IEXPLORE.EXE

402 B
2.6kB
6
4

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200
142.250.187.195:80

http://c.pki.goog/r/r4.crl

http

IEXPLORE.EXE

606 B
5.0kB
8
6

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
142.250.187.195:80

http://c.pki.goog/r/r4.crl

http

IEXPLORE.EXE

606 B
5.0kB
8
6

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
182.61.244.229:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
182.61.244.229:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
14.215.182.161:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
14.215.182.161:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
182.61.201.94:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
182.61.201.94:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

747 B
7.8kB
9
12
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

747 B
7.8kB
9
12
163.177.17.97:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
163.177.17.97:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

831 B
7.9kB
10
13
182.61.201.93:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
182.61.201.93:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3

8.8.8.8:53

ohab3.ain9.com

dns

IEXPLORE.EXE

60 B
190 B
1
1

DNS Request

ohab3.ain9.com

DNS Response

3.18.7.81

3.19.116.195
8.8.8.8:53

www.hugedomains.com

dns

IEXPLORE.EXE

65 B
113 B
1
1

DNS Request

www.hugedomains.com

DNS Response

104.26.7.37

104.26.6.37

172.67.70.191
8.8.8.8:53

c.pki.goog

dns

IEXPLORE.EXE

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.195
8.8.8.8:53

c.pki.goog

dns

IEXPLORE.EXE

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.195
8.8.8.8:53

c.pki.goog

dns

IEXPLORE.EXE

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.195
8.8.8.8:53

bdimg.share.baidu.com

dns

IEXPLORE.EXE

134 B
504 B
2
2

DNS Request

bdimg.share.baidu.com

DNS Request

bdimg.share.baidu.com

DNS Response

182.61.244.229

14.215.182.161

182.61.201.94

163.177.17.97

182.61.201.93

39.156.68.163

112.34.113.148

180.101.212.103

DNS Response

163.177.17.97

39.156.68.163

182.61.244.229

182.61.201.93

180.101.212.103

14.215.182.161

182.61.201.94

112.34.113.148

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba900417125506cc40dda950165d4a03

SHA1
7df5b5ccde8e2971b1a248da325d5dbcc8e7675a

SHA256
5624176a1ca4acd4957196774f1d6f7950b34e585c10ed76387383245eea2b86

SHA512
64d199e163ad6813e7e7466cfd494365dc6058c0b0064d22075a22be341550bcd7717bbf93f9881ae08165cff0f5c99c92f2c1a9f3bb85c7fa8682497a27ef3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
485946ae2951b34dbb1c1ece720952af

SHA1
f89b48ece88155bdb3855b87a86afd8a95daf440

SHA256
87dd178de1a812dd5c94ec735842aa0921e821e80d78223a51b8131fcd5c2ed8

SHA512
1c647bb5dd8aa1b08345eaa7ba8f7f870087cd0963cc058f7e3a7127f90488d1af01165285404644e53875439c33386dcce1794b2341adc3822a07ac4c94abf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c4cc501de1d950bd9e5ece79456a70b

SHA1
716bbcfaa0fc6b714247dafb212dd3bfafbe9dcd

SHA256
6bd9ac47fcff106ad1518553e2e4f81bea8eb832363620de565cf5522da21aa9

SHA512
f2cf025d7da1e86a6a8625c29080a52cf34f920a20f4886ecbfaaa170cd77b3a759b62d233050adc9f1006ca409efc5c0059228dadf8a9400424778444a09c39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca9560a79cf75a15ff1e6358928622b2

SHA1
38a1ccc7d568a5019193ca28423e182ebc16f379

SHA256
942db8c85546f2daaf951bb660e45bfedef4ffa8d874addd6c64677169f3a523

SHA512
9b75d3df67a706aebedcfa4e901f019f921ad56244fb079172e36bbfb1d1f89430da1cac0a2b0a8ccddc01cad78224594de07af3cc24f4fe08bd17247b370723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
304007a7160ebdddbec587eb2807b6e9

SHA1
068591d686c82fadcc2cd88ceaa6fd81b39a0035

SHA256
32a2e9eb114b90358acfb341e52ade919ba116b53f8656eaa03a9aa2006838ca

SHA512
a4c16152ec8b370e9166f1341168f584999d35170c6ca0a3c6ad0eb19878a49153dbda53d187e9cca291ddd62d691e4ea399ed979e43a09460e95df9e8346784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60d135e2444130050ef81640f7f29b46

SHA1
e88ce98700d33b80a3a71973d2f5ddf5e46df1b0

SHA256
b8d4a85f47cfd5fef876896915f6fda438509af86ec3b5de9ebed9b9997211f9

SHA512
c9fda98dab505eab99ab06385875e2ad16d39ada4b7b5f0af8ab244e4c00fe55778f0ecfdc32ada03b9364148028474f73b9feb59189d9f521c4998e6eddc63f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
738ca38b60b1d6740f21c62e81b36d6d

SHA1
10f4bb794f395f0aba99594a8b01e08bebea49dd

SHA256
b6e97050853126e666a4fefeb354d14f5165574aedc0e16753ea73bc9b573b44

SHA512
ae21bacc059851a5125db8457ea5bda68fb6f7d845d3a6e6f190122385677083f7cbb88663839472881f4b98c76e548c07e67b197f9bca4c453e9c15d5525f07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36725aac39f964335c20cd09031e20a2

SHA1
1f162ff3a97d48cda177eab8cbb8c17b40ebae33

SHA256
c1b3f8241cb349a81431a9886c141a827195a9da84fe9a3f300f927a22ae372b

SHA512
289e4542744fc3f2a7e8d73c427574bf308722f8c9a43677a4bcf6b837ee4851b53a9aae9c50c52453bc679aaaade8e83145d6e6e44a43364d463ce15ceeeb8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f1ce24ca7dfa58b540e3a93e08a9590

SHA1
2a75b34dedce3fe4bb46f9f1b87e11824790f9ab

SHA256
eaaa6a6caf128e15891a39910f9e4ed8843519e0a46f56639af0c9b95fd2bef9

SHA512
e70ad6e0b2f3ba1990264ee6841c04f72d892250613f1181669d68a4bde9a18bcb4200c75beddeeb72903c6271fab7cb645c177839a8f4c2916f2eb232e17c08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
943c330788f570b3b8e1397d286c1959

SHA1
c21f877b044840794d4770717b4b4aca13ed04b5

SHA256
932ccbc3da22d16d0afe4784d749907934733bf57b033c781a80f87f8310c0a8

SHA512
e51cd6fa877c84c79daa20e0f334e0be50315c55a2dfc7dcb70451c71dd8579bd3ce1d6be29ec33493b83b9c0d3f15141ed0b1b45943a7e4241a502bfdc5d03f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f24b74f612238d1c6f30b07d6d736aa0

SHA1
00f855c300cf919691a0ce940a28914e65f42235

SHA256
fedf1cbbd0cf607aac8f2aeae581a7a816d7d156dc4cacc2ac6307618f362d7e

SHA512
8982b04a396ca2c6d325c0a7970d0fbdeacdc52c439e7d96b24d73d99bd52df671936bf0025e9535d2f3bde4958395c774309a1b990e5668c2ae330a60fd8644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64a22a693b8f5b701a687d57dc81819f

SHA1
f61a1923b876c748c3d845ef9dd0b4bfe91c3cfe

SHA256
f9967efed8ea79ca15bbf566e56b558056ffa5fb717752d37261055b516b9f3e

SHA512
461d02a91a48f589a397652950dd3918596ed57fa5f60b9f4421ad69f254c6ab8bb69a0c4de5a160e6247d9e576c0c0c55a79d62ca94d3afe0f4fe932a09f1d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c205046ba7dd10d5495429ab29b67be

SHA1
2da0d9b59a2013fd97db90690c003d3184eea9b2

SHA256
05248465ed5838bbfb33cc78e85916068e9a6e430211de530ab0f01b6509055f

SHA512
a5577d515da095474afdeafaae3a829f7cdfa623970de5b1161a1a98ef3aba39ef047cdab14caddcbab69b0f592debaf1bb8e7d8fa665ffea9d2552614afc604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d25bf7219a86f773a0703fbfd06149f

SHA1
66c1724dd2f31ef35709f37690f22fe381a8b3bd

SHA256
f88e7348d6a6439e3a14f726163376c0da01e90e0d8d9bb27177477a44c774be

SHA512
90bce9cc645d7c8d5646c8ee91b5369614c028f9971190f102ec0aaabe4d562962e6c68d41498078433ea87f2c5de19930b5c4dad9edc4c56e001b7a46afc473

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89c809b8791d9b4bb62b47064e10adf4

SHA1
cc6936e69a2842d779bf190cd2b4b6025cf209a6

SHA256
c371cfb8dd8550c99628bf5baa25c33cda21fa93e55bb922970d22318fabbf86

SHA512
d0e60cd8040b50a389402e8820bab978d7f2dc02d9a6707e69883e920f54aabd4ebda14537c80f76573c5d374981be9015741232a04d710f3779d9bf7f9b2c50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47c7d566e8342a7de7e39026064e7bc5

SHA1
177b0670f2f25f1f2007cfcffc10579be1ee7aec

SHA256
934aac9eb1ae126dc7d0f61be1f4c1375663307fd6e022cbb8ca47b736c23e88

SHA512
0f1cb5b811886dfede4e6f1a7cb47e94ac28612bce7a0b68fe376eec567c7972059a75ea069e75c9502e3b052214ece755ae0a2a26271767302a04f616dd19a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a257eb2e024b7bcc48454398fb38b01

SHA1
1e2c238cc26fa9c3e86ebd3af2bc92e54f694731

SHA256
aab6af679dcb465b05ed1675df0b90a0e7005dfd638a0ba2bb47e48b04cbf0da

SHA512
84336050d6d8e03b51a28c9896456674df8fb31a4c185d1d26bf61e2667ae5c3801bb734c2cb6f1e3efb0160f3d24d2f547e55a441c44897ea8dd2a298ac87df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\domain_profile[1].htm

Filesize
40KB

MD5
8c46530cce719fc3f6bef1bd7a9b1ea9

SHA1
b328149f66dcdb6f553aa271232f82a02151af27

SHA256
395909af4e1f4330aa1088d1a8b100fa6b496ba142ddbc0106dc1ea30523b488

SHA512
57d7a8b526e05d11c4b3a095bae7fcc9f38aaa642932634cb9cef1e1a3934b9a96ae67e4533389a1c7ca7485a897e493ac5466f598a9551b77bee8f3d2db99e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE800.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE811.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.