Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24/01/2025, 07:07 UTC
General
-
Target
JaffaCakes118_1f14c963165d9a014e8403581ad8f503.exe
-
Size
812KB
-
MD5
1f14c963165d9a014e8403581ad8f503
-
SHA1
b86ba60b11919afbe5b7365d37ea6fc899972800
-
SHA256
4fe2982a52d3d315432d45ac13c6e0025c8dd69ea10da7916ab141833c27417b
-
SHA512
0c0bf955e34d7e1e317f7db4f67c38a9067299255b01613adda01a5e90e69b65f9eb61406955da2751f7c24e8312c14cb76fa4a5de93577ed2bb6431f4720530
-
SSDEEP
12288:4YknjLpcBNoLE126lU1tMGjYIFW4+zyZGumGgTtrDJrPsfL4oTO27uqULG1R:4Ykjlcr+8lUCpeZM3BDhPC5u/G
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 2 IoCs
Cycbot is a backdoor and trojan written in C++.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modiloader family
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
ModiLoader Second Stage 11 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 17 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 54 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f14c963165d9a014e8403581ad8f503.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f14c963165d9a014e8403581ad8f503.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f14c963165d9a014e8403581ad8f503.exeJaffaCakes118_1f14c963165d9a014e8403581ad8f503.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\bxpTXK8W.exeC:\Users\Admin\bxpTXK8W.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\jlpoin.exe"C:\Users\Admin\jlpoin.exe"5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del bxpTXK8W.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\akhost.exeC:\Users\Admin\akhost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\akhost.exeakhost.exe5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\bkhost.exeC:\Users\Admin\bkhost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\bkhost.exebkhost.exe5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\ckhost.exeC:\Users\Admin\ckhost.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\ckhost.exeC:\Users\Admin\ckhost.exe startC:\Users\Admin\AppData\Roaming\CB173\733A5.exe%C:\Users\Admin\AppData\Roaming\CB1735⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\ckhost.exeC:\Users\Admin\ckhost.exe startC:\Program Files (x86)\73D18\lvvm.exe%C:\Program Files (x86)\73D185⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\A50C\42BB.tmp"C:\Program Files (x86)\LP\A50C\42BB.tmp"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\dkhost.exeC:\Users\Admin\dkhost.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\ekhost.exeC:\Users\Admin\ekhost.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_1f14c963165d9a014e8403581ad8f503.exe4⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
-
DNScrl.microsoft.comRemote address:8.8.8.8:53Requestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A104.77.160.93a1363.dscg.akamai.netIN A104.77.160.74 -
GEThttp://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlRemote address:104.77.160.93:80RequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1036
Content-Type: application/octet-stream
Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
ETag: 0x8DD1A40E476D877
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 4de75d1f-301e-000e-252a-4c7e5a000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 24 Jan 2025 07:07:51 GMT
Connection: keep-alive
-
DNSwww.microsoft.comRemote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A23.37.198.101
-
GEThttp://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlRemote address:23.37.198.101:80RequestGET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: HqJzZuA065RHozzmOcAUiQ==
Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
ETag: 0x8DD34DBD43549F4
x-ms-request-id: a8cbf9bc-b01e-0010-4cc4-669282000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 24 Jan 2025 07:07:52 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV42c43730.0
ms-cv-esi: CASMicrosoftCV42c43730.0
X-RTag: RT
-
DNScsc3-2004-crl.verisign.comRemote address:8.8.8.8:53Requestcsc3-2004-crl.verisign.comIN AResponse
-
DNSwl-gv7.babos-club.comRemote address:8.8.8.8:53Requestwl-gv7.babos-club.comIN AResponse
-
DNScdn.adventofdeception.comRemote address:8.8.8.8:53Requestcdn.adventofdeception.comIN AResponsecdn.adventofdeception.comIN A199.59.243.228
-
GEThttp://cdn.adventofdeception.com/logo.png?sv=368&tq=gwY92w4AnpPPo7al8BD6U4jLHrnp0MLrpDkgDGkHXqaDR54JbEZcB7C7S6oYJmzNs5CL1avTwxUok5OE1XAKJqb8qjdusXY6PS12mu4j5lGnpkk%2BSgBs1t32XNORkGCbY3GJfrIg7v3pnhDe6KjqNudRggCq6b3WQP7so5mz%2F2vUnZxO07vsZSV1PGBi2%2FBV%2FDfHJ%2FaCKj3Rxz42KbsahEoKqkTfgao%2Bt63CKmt3neWJNYg8CUidtqc46lBLATy7hdNGyVm5cOUjDwwJlLZbEs7nHuRNeTpzlUo5L0Nvzb6GaiRemote address:199.59.243.228:80RequestGET /logo.png?sv=368&tq=gwY92w4AnpPPo7al8BD6U4jLHrnp0MLrpDkgDGkHXqaDR54JbEZcB7C7S6oYJmzNs5CL1avTwxUok5OE1XAKJqb8qjdusXY6PS12mu4j5lGnpkk%2BSgBs1t32XNORkGCbY3GJfrIg7v3pnhDe6KjqNudRggCq6b3WQP7so5mz%2F2vUnZxO07vsZSV1PGBi2%2FBV%2FDfHJ%2FaCKj3Rxz42KbsahEoKqkTfgao%2Bt63CKmt3neWJNYg8CUidtqc46lBLATy7hdNGyVm5cOUjDwwJlLZbEs7nHuRNeTpzlUo5L0Nvzb6Gai HTTP/1.0
Connection: close
Host: cdn.adventofdeception.com
Accept: */*
User-Agent: chrome/9.0
ResponseHTTP/1.1 200 OK
date: Fri, 24 Jan 2025 07:07:53 GMT
content-type: text/html; charset=utf-8
content-length: 1970
x-request-id: 6d67ce78-99c9-4b84-a6ee-70eb033969b7
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ncUS5+aC8tFocKhViuN5+1xivWLEFnK7NGTuR8sjZoHHjM+8hl4HCeeK89y7i4O+dKJZP5nDa/og2h5jbci6Tg==
set-cookie: parking_session=6d67ce78-99c9-4b84-a6ee-70eb033969b7; expires=Fri, 24 Jan 2025 07:22:54 GMT; path=/
connection: close
-
DNSux01hz8y.audioandvideoportal.comRemote address:8.8.8.8:53Requestux01hz8y.audioandvideoportal.comIN AResponse
-
DNSqq1msop-.fastdataupload.comRemote address:8.8.8.8:53Requestqq1msop-.fastdataupload.comIN AResponse
-
DNS8fh.audioandvideoportal.comRemote address:8.8.8.8:53Request8fh.audioandvideoportal.comIN AResponse
-
DNSTRANSERSDATAFORME.COMRemote address:8.8.8.8:53RequestTRANSERSDATAFORME.COMIN AResponse
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.179.228
-
GEThttp://www.google.com/Remote address:142.250.179.228:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 302 Found
Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIb5zLwGIjA7Zdn7sNgCZc7QzbSaMcSooO1hMgmIObVLZnKQO-6TjZEpZrhDS7wV3QmDDqwsu0IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIhvnMvAYQ5YL68QISBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-L333U6tMT6LtPgdGu3N1gA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Fri, 24 Jan 2025 07:08:54 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-XVFeLwSqx9SS24NkSV3YvG58SVJS4kl-SaoP81x8ABIO7iyKQkcw; expires=Wed, 23-Jul-2025 07:08:54 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
GEThttp://www.google.com/Remote address:142.250.179.228:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 302 Found
Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIb5zLwGIjA7Zdn7sNgCZc7QzbSaMcSooO1hMgmIObVLZnKQO-6TjZEpZrhDS7wV3QmDDqwsu0IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgsIh_nMvAYQkJqdOxIEtdewUw
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-AeHVaeWHkCjaJBsrUpU7RQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Fri, 24 Jan 2025 07:08:55 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-X4ENGyV5unjhCPRNPWepfVvP4HBsQV_ICWP3M9fEhonSTvv7N3HQU; expires=Wed, 23-Jul-2025 07:08:55 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIb5zLwGIjA7Zdn7sNgCZc7QzbSaMcSooO1hMgmIObVLZnKQO-6TjZEpZrhDS7wV3QmDDqwsu0IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMRemote address:142.250.179.228:80RequestGET /sorry/index?continue=http://www.google.com/&q=EgS117BTGIb5zLwGIjA7Zdn7sNgCZc7QzbSaMcSooO1hMgmIObVLZnKQO-6TjZEpZrhDS7wV3QmDDqwsu0IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Date: Fri, 24 Jan 2025 07:08:55 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3086
X-XSS-Protection: 0
Connection: close
-
104.77.160.93:80http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlhttp
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlHTTP Response
200 -
23.37.198.101:80http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlhttp
HTTP Request
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlHTTP Response
200 -
199.59.243.228:80http://cdn.adventofdeception.com/logo.png?sv=368&tq=gwY92w4AnpPPo7al8BD6U4jLHrnp0MLrpDkgDGkHXqaDR54JbEZcB7C7S6oYJmzNs5CL1avTwxUok5OE1XAKJqb8qjdusXY6PS12mu4j5lGnpkk%2BSgBs1t32XNORkGCbY3GJfrIg7v3pnhDe6KjqNudRggCq6b3WQP7so5mz%2F2vUnZxO07vsZSV1PGBi2%2FBV%2FDfHJ%2FaCKj3Rxz42KbsahEoKqkTfgao%2Bt63CKmt3neWJNYg8CUidtqc46lBLATy7hdNGyVm5cOUjDwwJlLZbEs7nHuRNeTpzlUo5L0Nvzb6Gaihttp
HTTP Request
GET http://cdn.adventofdeception.com/logo.png?sv=368&tq=gwY92w4AnpPPo7al8BD6U4jLHrnp0MLrpDkgDGkHXqaDR54JbEZcB7C7S6oYJmzNs5CL1avTwxUok5OE1XAKJqb8qjdusXY6PS12mu4j5lGnpkk%2BSgBs1t32XNORkGCbY3GJfrIg7v3pnhDe6KjqNudRggCq6b3WQP7so5mz%2F2vUnZxO07vsZSV1PGBi2%2FBV%2FDfHJ%2FaCKj3Rxz42KbsahEoKqkTfgao%2Bt63CKmt3neWJNYg8CUidtqc46lBLATy7hdNGyVm5cOUjDwwJlLZbEs7nHuRNeTpzlUo5L0Nvzb6GaiHTTP Response
200 -
127.0.0.1:80 -
127.0.0.1:80
-
127.0.0.1:80
-
127.0.0.1:80
-
142.250.179.228:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
302 -
142.250.179.228:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
302 -
142.250.179.228:80http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIb5zLwGIjA7Zdn7sNgCZc7QzbSaMcSooO1hMgmIObVLZnKQO-6TjZEpZrhDS7wV3QmDDqwsu0IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMhttp
HTTP Request
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGIb5zLwGIjA7Zdn7sNgCZc7QzbSaMcSooO1hMgmIObVLZnKQO-6TjZEpZrhDS7wV3QmDDqwsu0IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429 -
66.66.75.236:25700
-
69.221.175.37:25700
-
69.114.217.176:25700
-
76.126.2.121:25700
-
69.123.4.226:25700
-
67.171.42.220:25700
-
99.171.163.31:25700
-
68.63.68.216:25700
-
75.73.231.107:25700
-
98.218.162.32:25700
-
99.41.211.208:25700
-
74.75.238.178:25700
-
97.91.83.163:25700
-
190.44.185.5:25700 -
174.117.116.79:25700 -
98.225.202.169:25700
-
71.87.127.70:25700
-
174.77.43.12:25700
-
107.3.90.209:25700
-
66.91.197.225:25700
-
65.28.241.214:25700
-
72.209.182.181:25700
-
174.70.163.141:25700
-
76.182.161.128:25700
-
65.188.38.219:25700
-
98.28.177.77:25700
-
69.125.39.47:25700
-
68.231.238.37:25700
-
50.128.167.127:25700
-
99.55.93.68:25700
-
68.52.185.121:25700
-
24.214.122.81:25700
-
173.97.208.78:25700
-
71.89.139.9:25700
-
173.30.41.72:25700
-
71.56.23.35:25700
-
70.65.3.159:25700
-
65.191.108.70:25700
-
173.3.96.14:25700
-
50.113.7.12:25700
-
174.59.117.204:25700
-
84.52.210.234:25700 -
89.100.3.5:25700 -
68.13.155.187:25700
-
216.236.162.203:25700
-
137.49.139.58:25700
-
91.207.60.22:25700 -
149.84.202.83:25700
-
74.226.113.29:25700 -
97.88.136.114:25700
-
70.227.160.242:25700
-
66.58.168.110:25700
-
75.66.39.93:25700
-
74.211.45.162:25700
-
96.32.241.143:25700
-
50.44.52.50:25700
-
71.74.1.168:25700
-
74.197.42.12:25700
-
75.139.91.80:25700
-
75.129.148.60:25700
-
76.180.163.80:25700
-
76.185.79.59:25700
-
203.185.21.16:25700 -
50.12.126.225:25700
-
69.125.122.9:25700
-
74.131.129.204:25700
-
98.170.250.83:25700
-
71.84.67.214:25700
-
71.196.217.187:25700
-
92.224.159.152:25700 -
71.87.217.168:25700
-
24.128.182.53:25700
-
98.236.110.41:25700
-
66.31.66.79:25700
-
68.81.104.205:25700
-
70.190.184.149:25700
-
68.226.91.42:25700
-
71.20.151.4:25700
-
173.26.197.202:25700
-
71.226.67.98:25700
-
50.15.1.86:25700
-
69.125.67.98:25700
-
174.109.164.206:25700
-
71.192.60.8:25700
-
69.126.149.232:25700
-
75.253.30.182:25700
-
173.89.4.171:25700
-
72.200.198.211:25700
-
68.107.227.97:25700
-
84.208.48.96:25700
-
68.54.124.227:25700
-
187.24.182.210:25700 -
50.11.8.167:25700
-
108.116.175.63:25700
-
86.52.94.215:25700 -
69.125.22.247:25700
-
173.131.28.149:25700
-
50.83.184.113:25700
-
76.31.149.127:25700
-
67.252.129.106:25700
-
97.84.170.90:25700
-
115.131.193.248:25700 -
24.211.210.177:25700
-
98.209.6.47:25700
-
24.252.75.188:25700
-
184.77.6.153:25700
-
71.239.50.87:25700
-
68.56.223.224:25700
-
24.185.198.1:25700
-
65.60.225.117:25700
-
76.78.160.224:25700
-
96.26.164.218:25700
-
75.213.136.82:25700
-
69.135.174.15:25700
-
173.218.1.131:25700
-
24.52.224.102:25700
-
75.200.17.191:25700
-
76.28.115.38:25700
-
68.4.212.201:25700
-
24.10.116.46:25700
-
67.173.132.139:25700
-
109.53.98.61:25700 -
68.5.45.68:25700
-
174.110.230.51:25700
-
75.82.21.211:25700
-
173.21.131.148:25700
-
99.51.245.71:25700
-
76.20.27.227:25700
-
68.83.235.85:25700
-
74.197.122.126:25700
-
76.236.24.118:25700
-
75.42.73.174:25700
-
72.218.15.248:25700
-
173.213.135.163:25700
-
24.186.90.66:25700
-
107.10.205.144:25700
-
76.22.243.59:25700
-
65.32.210.157:25700
-
178.164.168.226:25700 -
46.175.99.212:25700 -
67.172.34.84:25700
-
70.189.97.4:25700
-
75.109.85.6:25700
-
76.119.177.77:25700
-
67.86.111.50:25700
-
67.49.115.230:25700
-
67.172.11.195:25700
-
89.42.252.125:25700 -
76.117.36.158:25700
-
98.198.30.69:25700
-
84.72.47.32:25700 -
24.3.233.65:25700
-
50.28.176.188:25700
-
71.92.38.231:25700
-
98.154.180.98:25700
-
76.111.247.51:25700
-
76.178.106.182:25700
-
161.253.44.182:25700
-
71.37.165.170:25700
-
69.255.33.164:25700
-
95.76.146.76:25700
-
92.41.103.147:25700
-
76.169.26.140:25700
-
69.115.8.86:25700
-
98.239.98.105:25700
-
74.79.248.157:25700
-
72.211.208.160:25700
-
69.122.208.163:25700
-
75.253.45.73:25700
-
98.229.235.64:25700
-
24.146.171.229:25700
-
68.12.241.58:25700
-
68.105.52.133:25700
-
98.201.161.232:25700
-
173.19.147.112:25700
-
24.242.101.211:25700
-
24.89.26.47:25700
-
71.22.87.118:25700
-
98.160.255.208:25700
-
24.165.109.182:25700
-
71.60.153.61:25700
-
189.158.93.153:25700 -
76.111.7.94:25700
-
71.79.67.85:25700
-
169.231.114.95:25700
-
24.117.119.234:25700
-
71.226.65.34:25700
-
75.223.35.126:25700
-
68.80.188.50:25700
-
184.243.103.207:25700
-
98.232.29.165:25700
-
24.7.10.72:25700
-
89.78.112.128:25700
-
70.178.6.28:25700
-
8.8.8.8:53crl.microsoft.comdns
DNS Request
crl.microsoft.com
DNS Response
104.77.160.93104.77.160.74
-
8.8.8.8:53www.microsoft.comdns
DNS Request
www.microsoft.com
DNS Response
23.37.198.101
-
8.8.8.8:53csc3-2004-crl.verisign.comdns
DNS Request
csc3-2004-crl.verisign.com
-
8.8.8.8:53wl-gv7.babos-club.comdns
DNS Request
wl-gv7.babos-club.com
-
8.8.8.8:53cdn.adventofdeception.comdns
DNS Request
cdn.adventofdeception.com
DNS Response
199.59.243.228
-
8.8.8.8:53ux01hz8y.audioandvideoportal.comdns
DNS Request
ux01hz8y.audioandvideoportal.com
-
8.8.8.8:53qq1msop-.fastdataupload.comdns
DNS Request
qq1msop-.fastdataupload.com
-
8.8.8.8:538fh.audioandvideoportal.comdns
DNS Request
8fh.audioandvideoportal.com
-
8.8.8.8:53TRANSERSDATAFORME.COMdns
DNS Request
TRANSERSDATAFORME.COM
-
8.8.8.8:53www.google.comdns
DNS Request
www.google.com
DNS Response
142.250.179.228
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
600B
MD54af4a1c4f2d4c664d068eecac005a35a
SHA1d113bfefaa6c782c51949625c18dee523558c178
SHA25620524548e756516696a0e1f25157351d06a5c83b725c55554d78cd96b427c11f
SHA51232f9f5f90a389445c135f172f231a714a1195165bb7efac809dafded2fe0594b5af9a5b7ca97e11a2fc5e50f85eed66fabd36e266dd29c871971736d0c3d1982
-
Filesize
996B
MD506e8054e5de3829ac6b5a39da42814c8
SHA1a3d1d45805e7c209942db30caed8754007603024
SHA256b6efd2b776c5346cc5c8f4d275f568e46edfff1b1f78e83243a12260aa9b6fe7
SHA5126b506487dd78eda1806c61672606cd682340f644495aef03bbe6d22f359b622d901760fcb7b1f2fa304c2d7f639161a3b8976848c23d9f712c220389002f3639
-
Filesize
1KB
MD544472b7158fd42fd46d42255c9e1c7c3
SHA15d3cd54257a14d2700014412a7cfda578bb0f5cf
SHA256279b37a7cca8d0eab516969709c5a05f6c1269977e2af0c3136598867f22bd43
SHA512faf0c0808fd253ce0b7c871baaf26a16ba06e4070507484c9fac36817338e3a9ab33089beeb3e5ba92b6a2c278c2a173ead0482a2b6c0cb90d65a4c1d814d71c
-
Filesize
240KB
MD50a67782f34b335fe42be835ad4542124
SHA1c1838a364f27ed7b8a463edefeabf8d762d1f149
SHA2564f1d17a99aaf1719a96778e06edb417de118672ad3b0193a3fd2706a8e6f699c
SHA5124dd56baf20ad532e7c1933d83889c649ffe4069a23dde43486c32105c0df67ebc8f670cb54c13a902105d38f5efea06c3a7f6481aec49c4af1b40bc8cfa7b086
-
Filesize
53KB
MD563e99b675a1337db6d8430195ea3efd2
SHA11baead2bf8f433dc82f9b2c03fd65ce697a92155
SHA2566616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
SHA512f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f
-
Filesize
2KB
MD5d69531cdfc5c6f9aa693ce4be7630b27
SHA16fc0c7a50a97533422ec640ec5f5345159fa350c
SHA256b636339e056aa181cf8443243f7a004998d9f9429234a1ff522a6fd581194bfd
SHA512776d42928faae086352fdbb98dd5b7652675f3760a832c695d9ce753ff1ec5de72a8f91628e604fa4866c0171727797e1a4b243ce5b04068689cc3f4a5513217
-
Filesize
99KB
MD51e68864c3deefd4a81f2f505740f09fc
SHA18a12dea68e9924e27bed3076674ddd5e9448c443
SHA256a25f10f13be9dc44c25c88c0834ffce455e0e7ad0d7e4a32c825120c3a5dc1bf
SHA51260c98b7a8dfaba961363edbac2d58996b246b5a2e472b064173fa501ab06e3b800449e5020252450e73f13e1a59c704e10d778ee972396a19389217b0f0b4bce
-
Filesize
229KB
MD52c895814249b3630f5ef87aef065a6d2
SHA1785a02f3a3c958fb2f3fa7ce26860b65da34939d
SHA256cc6377f8d451bd5ceb97d95409b74c9589f86edd47fead3db05e3a3dbfc6204a
SHA51214e786deb9917c57dbdb6468a5b6b05ef0aacaa5a9efc962bac691648c1059c99537a85f9bd65013bb2765ebcbd1fa97027c6f2069ae2e1cc901d4247c7f404c
-
Filesize
122KB
MD56adba45c3cd86e3e4179c2489adc3ed0
SHA1c856828981816a028d9948d4e90e83779ba00cc6
SHA256e1432e8564f1a32df65a2cb433d4968e2109fef1508ad150a89e7c31227d3de8
SHA51213404f5c2a311bc87e96d550674c9a7c6fda0f7808db1b901747d4e7a2e4c76bea268e38a17d3206ae419144981a060d29f916f676e586cc4376ad81717de672
-
Filesize
184KB
MD52261c2411c6e581bf496a0be8d46c6d8
SHA179e709807dff36c8d9936db05c0adcce54a1a290
SHA25620e4fb3c4086c725feafdd50d8c8e405b20f6a9b868422455ca0b9cd007eb418
SHA512622f86d976e9c140b29a1b29c21ac26415acab2762bac6d429123cb73af002377a0ecc62afaea0ef06dea689ebb6e70a1c7251186a260eae279cc8587622cefd
-
Filesize
279KB
MD5b4004c548fec0ae0f7264b509b95e4d8
SHA16142664dc2b3ce927fecb96fa18a1dbc5219ae8f
SHA2563f4aae3b2ec5b1d842841e76a963f26b471ed15e9933c40d48469a48ed04ee56
SHA512750223d1cf30812b4c9dba9f21893f2ce34b717c17da2befe47f13e8d623c5098f5133053cb1a909da5e4ebc07b68979e72fa8f36c26c6c191665b213e838d90
-
Filesize
32KB
MD549e105d54bf4201e39ef974f9e5c24dc
SHA170737f6e75e250cfa335f8ef10be4b934f6fa1af
SHA256a7d86eb136f345db624f4ddc577b61a2bb54f24c6b83a1de66dbdc167f3bb119
SHA5127b9c210b69535ffca2280bd54b88bb2644e39fb1db487fbf8d83ea420c6db7d05b2373bef172a07b3090139e29110c593b09151e39ff6358d1fc62c0e91783fe
-
Filesize
184KB
MD5ec214b27b3c44093bb93ab28dd935d89
SHA1f428984371d8f5b9db73bd4e0e8cd2bfdf2c5914
SHA256137eb165e3e4a8f35e774f895c99fcbd4943ce70db3f280288b5658a885891a3
SHA512e2d4800e61d91bba98d90fb60e83e7c437f6ad384b6e89edceadd86fa6f66d5b50e7511ff434bcc741d53c6e04cc78aa1c4011168cf8d470226a407cb0c64b7d
-
Filesize
4KB
MD5758f90d425814ea5a1d2694e44e7e295
SHA164d61731255ef2c3060868f92f6b81b4c9b5fe29
SHA256896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
SHA51211858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
92KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
428KB
-
Filesize
92KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
220KB
-
Filesize
428KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
372KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
88KB