cycbot | 615c81c523e0d149c6028933b738ce73cac4635c89c628abf5bb3dd9ea7b0acd

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2025, 14:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe
Size

160KB
MD5

583263a359b914b176d69a88b3646dbf
SHA1

d89e452870806ce5b381c0383bcc21fdca21f2b3
SHA256

615c81c523e0d149c6028933b738ce73cac4635c89c628abf5bb3dd9ea7b0acd
SHA512

d89e6dad243b0d6be37f98405070ac67283ce517a6f9d9e47697fbbf8a63cd24d38671baa26ce8b9f91419775f1697f64e9648b522da4571f3af3c0720fbc354
SSDEEP

3072:XZos/wh/aG0cV/2EfaSV6UjZkbPhcslzQKzH7lre:ms/wh/ayVBJVGF5QKv

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2988-15-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/1772-16-0x0000000000400000-0x000000000048E000-memory.dmp	family_cycbot
behavioral2/memory/1772-17-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/3716-121-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/1772-122-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot
behavioral2/memory/1772-300-0x0000000000400000-0x0000000000491000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\868DC\\F98B7.exe"	JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1772-3-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2988-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/2988-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1772-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1772-17-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3716-119-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3716-121-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1772-122-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1772-300-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2988	1772	JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe	85
PID 1772 wrote to memory of 2988	1772	JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe	85
PID 1772 wrote to memory of 2988	1772	JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe	85
PID 1772 wrote to memory of 3716	1772	JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe	86
PID 1772 wrote to memory of 3716	1772	JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe	86
PID 1772 wrote to memory of 3716	1772	JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe startC:\Program Files (x86)\LP\B758\83B.exe%C:\Program Files (x86)\LP\B758
  2⤵
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe startC:\Program Files (x86)\DC289\lvvm.exe%C:\Program Files (x86)\DC289
  2⤵
  PID:3716

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

13.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.153.16.2.in-addr.arpa

IN PTR

Response

13.153.16.2.in-addr.arpa

IN PTR

a2-16-153-13deploystaticakamaitechnologiescom
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

istockanalyst.com

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

Remote address:

8.8.8.8:53

Request

istockanalyst.com

IN A

Response

istockanalyst.com

IN A

104.21.96.1

istockanalyst.com

IN A

104.21.112.1

istockanalyst.com

IN A

104.21.48.1

istockanalyst.com

IN A

104.21.16.1

istockanalyst.com

IN A

104.21.80.1

istockanalyst.com

IN A

104.21.64.1

istockanalyst.com

IN A

104.21.32.1
GET

http://istockanalyst.com/png/intel.gif?sv=773&tq=gwY92w4Amr8cy8rnO1YXXQmVjcybSIGameQZUOSfataUU91jKvgiNm%2F1C%2BRw9Nk7SpF7nq7uOw1XSoAcQM9sJpTk0lh0ZA3%2BbaF%2BW2Twp9zuVG0ZIUZ7zgJriZIwNqmpq73sG6DtUb%2BhFd6kZQbY0ULQ0jwsCSbFnTCLh%2Fxs3S84J44DrHrL0MAbRK%2FvfA9Z6rQkPMG25rX7KcX%2FnBxcaQQWiWfDN80vJKI%2B4prTCt1xvTAg1GUTOojHOQ3u0PoN%2F4SjDfGL7gAjhkau8f%2F36dh4%2B%2Fv57AB8C9WZY1BmMNfZHXMx

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

Remote address:

104.21.96.1:80

Request

GET /png/intel.gif?sv=773&tq=gwY92w4Amr8cy8rnO1YXXQmVjcybSIGameQZUOSfataUU91jKvgiNm%2F1C%2BRw9Nk7SpF7nq7uOw1XSoAcQM9sJpTk0lh0ZA3%2BbaF%2BW2Twp9zuVG0ZIUZ7zgJriZIwNqmpq73sG6DtUb%2BhFd6kZQbY0ULQ0jwsCSbFnTCLh%2Fxs3S84J44DrHrL0MAbRK%2FvfA9Z6rQkPMG25rX7KcX%2FnBxcaQQWiWfDN80vJKI%2B4prTCt1xvTAg1GUTOojHOQ3u0PoN%2F4SjDfGL7gAjhkau8f%2F36dh4%2B%2Fv57AB8C9WZY1BmMNfZHXMx HTTP/1.0
Connection: close
Host: istockanalyst.com
Accept: */*
User-Agent: chrome/9.0

Response

HTTP/1.1 301 Moved Permanently

Date: Thu, 30 Jan 2025 15:35:52 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Cache-Control: max-age=3600
Expires: Thu, 30 Jan 2025 16:35:52 GMT
Location: https://istockanalyst.com/png/intel.gif?sv=773&tq=gwY92w4Amr8cy8rnO1YXXQmVjcybSIGameQZUOSfataUU91jKvgiNm%2F1C%2BRw9Nk7SpF7nq7uOw1XSoAcQM9sJpTk0lh0ZA3%2BbaF%2BW2Twp9zuVG0ZIUZ7zgJriZIwNqmpq73sG6DtUb%2BhFd6kZQbY0ULQ0jwsCSbFnTCLh%2Fxs3S84J44DrHrL0MAbRK%2FvfA9Z6rQkPMG25rX7KcX%2FnBxcaQQWiWfDN80vJKI%2B4prTCt1xvTAg1GUTOojHOQ3u0PoN%2F4SjDfGL7gAjhkau8f%2F36dh4%2B%2Fv57AB8C9WZY1BmMNfZHXMx
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BI1MAtwONjrmzIzjnJZvysUwH%2FV2arq9L4B1uAaSE1fvflquLhPzoshTywg8l9WmQosgDtSWlKYsX5cybSkhK0g4pEwHiBElZrXtxP2ikrGq%2B8n9F7YvsFzvSN9eycGcvyrC5g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90a288cb1e32ef25-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=26023&min_rtt=26023&rtt_var=13011&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=453&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

1.96.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.96.21.104.in-addr.arpa

IN PTR

Response
DNS

m0tz8.extremeshools.com

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

Remote address:

8.8.8.8:53

Request

m0tz8.extremeshools.com

IN A

Response
DNS

0hai5yzc.datamediaarchive.com

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

Remote address:

8.8.8.8:53

Request

0hai5yzc.datamediaarchive.com

IN A

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

s95fd.mediastoreplus.com

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

Remote address:

8.8.8.8:53

Request

s95fd.mediastoreplus.com

IN A

Response
DNS

85.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.49.80.91.in-addr.arpa

IN PTR

Response
DNS

www.google.com

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

172.217.16.228
GET

http://www.google.com/

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

Remote address:

172.217.16.228:80

Request

GET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*

Response

HTTP/1.0 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJS57rwGIjAj0Dm7noSFRuOOLXffg61W0bDasZ4fyL0CYrW9FbjEEpMHODYF7uxjC3vGAFwTynkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIlbnuvAYQ75vIigESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-FhHomiu5qQ6hrxQVWnV90g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 30 Jan 2025 15:36:53 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2evyYZnEcbFgpcs3P69wyAn_6eqYAxDiFKMCuzioK7HDu7gNwzGkg; expires=Tue, 29-Jul-2025 15:36:53 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
GET

http://www.google.com/

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

Remote address:

172.217.16.228:80

Request

GET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJW57rwGIjBWvWWT3I3PsxCGYFwwbS5OTh-NARqrlfOZogjMZRY_IfMrbhl72kgsC4LPNG3aJs4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIlbnuvAYQ-t7jgAMSBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-nsUau5KoZo7LTdv3jthBxw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 30 Jan 2025 15:36:53 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVcja2cTuJpppcXP3Z5_g0FCe91k5Hgx-9OPs42G-U85kpJFSeTW_HiM3gA; expires=Tue, 29-Jul-2025 15:36:53 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
DNS

228.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.16.217.172.in-addr.arpa

IN PTR

Response

228.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f41e100net

228.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f4�H
GET

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJW57rwGIjBWvWWT3I3PsxCGYFwwbS5OTh-NARqrlfOZogjMZRY_IfMrbhl72kgsC4LPNG3aJs4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

Remote address:

172.217.16.228:80

Request

GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGJW57rwGIjBWvWWT3I3PsxCGYFwwbS5OTh-NARqrlfOZogjMZRY_IfMrbhl72kgsC4LPNG3aJs4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 429 Too Many Requests

Date: Thu, 30 Jan 2025 15:36:53 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close
DNS

11.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.153.16.2.in-addr.arpa

IN PTR

Response

11.153.16.2.in-addr.arpa

IN PTR

a2-16-153-11deploystaticakamaitechnologiescom
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response

104.21.96.1:80

http://istockanalyst.com/png/intel.gif?sv=773&tq=gwY92w4Amr8cy8rnO1YXXQmVjcybSIGameQZUOSfataUU91jKvgiNm%2F1C%2BRw9Nk7SpF7nq7uOw1XSoAcQM9sJpTk0lh0ZA3%2BbaF%2BW2Twp9zuVG0ZIUZ7zgJriZIwNqmpq73sG6DtUb%2BhFd6kZQbY0ULQ0jwsCSbFnTCLh%2Fxs3S84J44DrHrL0MAbRK%2FvfA9Z6rQkPMG25rX7KcX%2FnBxcaQQWiWfDN80vJKI%2B4prTCt1xvTAg1GUTOojHOQ3u0PoN%2F4SjDfGL7gAjhkau8f%2F36dh4%2B%2Fv57AB8C9WZY1BmMNfZHXMx

http

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

729 B
1.6kB
6
6

HTTP Request

GET http://istockanalyst.com/png/intel.gif?sv=773&tq=gwY92w4Amr8cy8rnO1YXXQmVjcybSIGameQZUOSfataUU91jKvgiNm%2F1C%2BRw9Nk7SpF7nq7uOw1XSoAcQM9sJpTk0lh0ZA3%2BbaF%2BW2Twp9zuVG0ZIUZ7zgJriZIwNqmpq73sG6DtUb%2BhFd6kZQbY0ULQ0jwsCSbFnTCLh%2Fxs3S84J44DrHrL0MAbRK%2FvfA9Z6rQkPMG25rX7KcX%2FnBxcaQQWiWfDN80vJKI%2B4prTCt1xvTAg1GUTOojHOQ3u0PoN%2F4SjDfGL7gAjhkau8f%2F36dh4%2B%2Fv57AB8C9WZY1BmMNfZHXMx

HTTP Response

301
127.0.0.1:62242
127.0.0.1:62242
127.0.0.1:62242
127.0.0.1:62242
172.217.16.228:80

http://www.google.com/

http

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

302 B
1.5kB
5
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
172.217.16.228:80

http://www.google.com/

http

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

307 B
1.5kB
5
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
172.217.16.228:80

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJW57rwGIjBWvWWT3I3PsxCGYFwwbS5OTh-NARqrlfOZogjMZRY_IfMrbhl72kgsC4LPNG3aJs4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

http

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

526 B
3.7kB
6
7

HTTP Request

GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGJW57rwGIjBWvWWT3I3PsxCGYFwwbS5OTh-NARqrlfOZogjMZRY_IfMrbhl72kgsC4LPNG3aJs4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429
127.0.0.1:62242

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe
127.0.0.1:62242

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe
127.0.0.1:62242

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

13.153.16.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

13.153.16.2.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

istockanalyst.com

dns

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

63 B
175 B
1
1

DNS Request

istockanalyst.com

DNS Response

104.21.96.1

104.21.112.1

104.21.48.1

104.21.16.1

104.21.80.1

104.21.64.1

104.21.32.1
8.8.8.8:53

1.96.21.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

1.96.21.104.in-addr.arpa
224.0.0.251:5353

168 B
3
8.8.8.8:53

m0tz8.extremeshools.com

dns

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

69 B
142 B
1
1

DNS Request

m0tz8.extremeshools.com
8.8.8.8:53

0hai5yzc.datamediaarchive.com

dns

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

75 B
148 B
1
1

DNS Request

0hai5yzc.datamediaarchive.com
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

s95fd.mediastoreplus.com

dns

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

70 B
143 B
1
1

DNS Request

s95fd.mediastoreplus.com
8.8.8.8:53

85.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

85.49.80.91.in-addr.arpa
8.8.8.8:53

www.google.com

dns

JaffaCakes118_583263a359b914b176d69a88b3646dbf.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

172.217.16.228
8.8.8.8:53

228.16.217.172.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

228.16.217.172.in-addr.arpa
8.8.8.8:53

11.153.16.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

11.153.16.2.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\868DC\C289.68D

Filesize
996B

MD5
48e1b2f1bf39bb626a3651b64095f024

SHA1
48dbea60c10c3b17c4daba915cfdf5336abb9466

SHA256
e6736b612b2c69448f1823f98fe601ae2c4be740feb4c15c26de625aa72bc92d

SHA512
70e29b05331df56999491f19f498ae2a6a4d372562e0afa5cc60b507c627db1c94a8d995f619c949c59af8b444ca9e61381c24c988862b2f7aac13584d7d555e

Download Submit
C:\Users\Admin\AppData\Roaming\868DC\C289.68D

Filesize
600B

MD5
dc88d9090d4414233e689e9b1650dac0

SHA1
b61584a493058b7a55e0afed285b0be8a6dc9842

SHA256
b00c0a054a13aff7059a8c6e167335d7f7d8284d41f872eb88b1dbfd7478727a

SHA512
f0fab6289d3104d93e99f53dc3a5e67b990eec8e05446ad3316561ffb829fe2a1f51211f5e66ccfcc5642f0a8ffaa3bb1dba2ce1955f850243deae815d235fb5

Download Submit
C:\Users\Admin\AppData\Roaming\868DC\C289.68D

Filesize
1KB

MD5
aa7acb89b375688e330d8ab52f0e9076

SHA1
26c05967716e3d0f2f4e9334270d68499775321b

SHA256
789c38d0dbcc5d44c185b49280f511106659bae533abade8b32501e1474f1aeb

SHA512
4003a99d90e519bff3119ece1dc1b4e59f5664843a6e08158b9fc8d94a43d6240a9a0bc71dfc24ad3c630006d770ac500b4fc63f61738ed3d20abbed7835578c

Download Submit
memory/1772-122-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1772-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1772-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1772-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1772-300-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1772-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1772-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2988-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2988-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3716-121-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3716-119-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.