73e4ce6e3b6c1e9f92ea8bc8f7d65ff4df1e2ba6d78fad549caf4d226b6e26eb | Triage

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 04:40 UTC

Sharing

Report Analysis Logs

General

Target

fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe
Size

291KB
MD5

fe74e997a5467841f5b915450e9d89e4
SHA1

e6b1433edb9906c504f0a1afdf7132a825743b22
SHA256

73e4ce6e3b6c1e9f92ea8bc8f7d65ff4df1e2ba6d78fad549caf4d226b6e26eb
SHA512

c5b372907fe939e6f00c53dee2c0cc5d6c444cc161541c6a10e12e5ee5a9143a9d3fbd3dff648d772f713eea9f38c4370d782ba8f0fa855a3a0eaf9b8a3ea396
SSDEEP

6144:qseuhm7O/klr2tqahdbzI6cxVcw5BbE2CApcv2M1XjWLiiacHpdt:MuhmJao5PCACvrTOi9O

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sysdt.sys	winsmm.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DarkstSer\Parameters\ServiceDll = "C:\\Windows\\system32\\System64.dll"	tempdir.exe

Executes dropped EXE 3 IoCs

pid	Process
3316	winsmm.exe
2996	tempdir.exe
2656	tempdir.exe

Loads dropped DLL 1 IoCs

pid	Process
4848	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System64.dat	tempdir.exe
File created	C:\Windows\SysWOW64\System64.dll	tempdir.exe
File created	C:\Windows\SysWOW64\KMe.bat	tempdir.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2656	tempdir.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3316	4720	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe	86
PID 4720 wrote to memory of 3316	4720	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe	86
PID 4720 wrote to memory of 3316	4720	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe	86
PID 3316 wrote to memory of 2996	3316	winsmm.exe	87
PID 3316 wrote to memory of 2996	3316	winsmm.exe	87
PID 3316 wrote to memory of 2996	3316	winsmm.exe	87
PID 2996 wrote to memory of 2656	2996	tempdir.exe	89
PID 2996 wrote to memory of 2656	2996	tempdir.exe	89
PID 2996 wrote to memory of 2656	2996	tempdir.exe	89
PID 2656 wrote to memory of 3424	2656	tempdir.exe	56
PID 2656 wrote to memory of 3424	2656	tempdir.exe	56
PID 2656 wrote to memory of 3424	2656	tempdir.exe	56
PID 2656 wrote to memory of 1540	2656	tempdir.exe	91
PID 2656 wrote to memory of 1540	2656	tempdir.exe	91
PID 2656 wrote to memory of 1540	2656	tempdir.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winsmm.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winsmm.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\tempdir.exe
      C:\Users\Admin\AppData\Local\Temp\tempdir.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\tempdir.exe
        
        C:\Users\Admin\AppData\Local\Temp\tempdir.exe -Nod32
        5⤵
        Sets DLL path for service in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\KMe.bat
        6⤵
        
        PID:1540

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netservice
1⤵
- Loads dropped DLL
PID:4848

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR
DNS

winsmm.3322.org

netservice

Remote address:

8.8.8.8:53

Request

winsmm.3322.org

IN A

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

Remote address:

23.62.61.194:443

Request

GET /th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 5773
date: Sun, 21 Apr 2024 04:40:56 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1713674456.350ebaf9
GET

https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.194:443

Request

GET /th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1463
date: Sun, 21 Apr 2024 04:40:56 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1713674456.350ebb7b
DNS

194.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.61.62.23.in-addr.arpa

IN PTR

Response

194.61.62.23.in-addr.arpa

IN PTR

a23-62-61-194deploystaticakamaitechnologiescom
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

198.32.209.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.32.209.4.in-addr.arpa

IN PTR

Response
DNS

21.114.53.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.114.53.23.in-addr.arpa

IN PTR

Response

21.114.53.23.in-addr.arpa

IN PTR

a23-53-114-21deploystaticakamaitechnologiescom
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

24.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.139.73.23.in-addr.arpa

IN PTR

Response

24.139.73.23.in-addr.arpa

IN PTR

a23-73-139-24deploystaticakamaitechnologiescom
DNS

154.173.246.72.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.173.246.72.in-addr.arpa

IN PTR

Response

154.173.246.72.in-addr.arpa

IN PTR

a72-246-173-154deploystaticakamaitechnologiescom
DNS

156.33.209.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

156.33.209.4.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

65.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.139.73.23.in-addr.arpa

IN PTR

Response

65.139.73.23.in-addr.arpa

IN PTR

a23-73-139-65deploystaticakamaitechnologiescom
DNS

51.15.97.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

51.15.97.104.in-addr.arpa

IN PTR

Response

51.15.97.104.in-addr.arpa

IN PTR

a104-97-15-51deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D6DE4BC705DD41EBB4EBB56AF1A774F7 Ref B: LON04EDGE1213 Ref C: 2024-04-21T04:42:37Z
date: Sun, 21 Apr 2024 04:42:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A5C2E5ABE22F41AC94A69B17A1B92BA2 Ref B: LON04EDGE1213 Ref C: 2024-04-21T04:42:37Z
date: Sun, 21 Apr 2024 04:42:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E8A2CC16616F4EC7BDB2A3696A228625 Ref B: LON04EDGE1213 Ref C: 2024-04-21T04:42:37Z
date: Sun, 21 Apr 2024 04:42:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A409777E0EB24FFB92DEE12471931B58 Ref B: LON04EDGE1213 Ref C: 2024-04-21T04:42:37Z
date: Sun, 21 Apr 2024 04:42:37 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

winsmm.3322.org

netservice

Remote address:

8.8.8.8:53

Request

winsmm.3322.org

IN A

Response

23.62.61.194:443

www.bing.com

tls, http2

1.3kB
4.8kB
15
12
23.62.61.194:443

https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

2.3kB
13.6kB
27
19

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

HTTP Response

200

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.7kB
8.2kB
19
15
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

76.3kB
2.1MB
1572
1565

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.7kB
8.1kB
18
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.7kB
8.2kB
19
15

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

213 B
157 B
3
1

DNS Request

4.159.190.20.in-addr.arpa

DNS Request

4.159.190.20.in-addr.arpa

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

winsmm.3322.org

dns

netservice

61 B
125 B
1
1

DNS Request

winsmm.3322.org
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

194.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

194.61.62.23.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

198.32.209.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.32.209.4.in-addr.arpa
8.8.8.8:53

21.114.53.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

21.114.53.23.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

24.139.73.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

24.139.73.23.in-addr.arpa
8.8.8.8:53

154.173.246.72.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

154.173.246.72.in-addr.arpa
8.8.8.8:53

156.33.209.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

156.33.209.4.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

119.110.54.20.in-addr.arpa

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

65.139.73.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

65.139.73.23.in-addr.arpa
8.8.8.8:53

51.15.97.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

51.15.97.104.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

43.229.111.52.in-addr.arpa

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
173 B
2
1

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

winsmm.3322.org

dns

netservice

61 B
125 B
1
1

DNS Request

winsmm.3322.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winsmm.exe

Filesize
225KB

MD5
c9685a9486c27d37f64fa2521f276d43

SHA1
3e88a8ada69f5d3b20cec12d731b0b7ecc5c8458

SHA256
90a3b7a01912dfdaadaa3cc786fcc18b3837f7330dbb515c295a467db759fe44

SHA512
58adc5a80abcfbce73d86f0c9da73e4527a83a2854aa337b14d0c29538e14c2fab32883712664323eef175200e696880b170578d02d5fc625bd8cd7993c07b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempdir.exe

Filesize
465KB

MD5
5e4dda7df4df581270f84feb503c1997

SHA1
a625dc8fc1549f6e859bf3d19b2a112728c0b1eb

SHA256
916a97987f7171a554de264a8c1786c92d41246073fa8f1a432882466dc125fe

SHA512
c890e85ae76602ff23c3a078f3c00a331a8ee8a2c70a624731a34eba278e1b427c1e2e909a904fc278ba2040974be27a5faae36fed59c9e92b951f18280b0cbc

Download Submit
C:\Windows\SysWOW64\KMe.bat

Filesize
61B

MD5
8f3848be53fc40fa7cfceea85e573d16

SHA1
f5e07757d091a4549c1b5163d2fa853a0199f55d

SHA256
165f6a63e2302b68389779848da0166e5412c53111722885719f616ef5e18b3b

SHA512
1ea3b4311bda4032fe5b3e4c1353c654a1d49dc0105f9af5cfee8dedf9ef1a3a1c005e71890bdc87e9ffcee31c4f787ba6f0968cdfc60aa0a7febbca93300577

Download Submit
C:\Windows\SysWOW64\System64.dat

Filesize
162B

MD5
c9f55e03623a1ea7f9bcbf13d205e32b

SHA1
4e9d1f218e21035c4d36fe1b1cb9ca1620dfaabb

SHA256
df0e39eedb54ca9eadfd2254e8b263169bc65387be7243a1793afb794c7e0981

SHA512
9f5da8106b9ac6cebad0cb67864052a86c044ba3c631bfa742ca9133c1a2f6f79ac3b286b03865ee32ba1089452c9b7fa3e486d1d4390b3586d0e83a5ecd0424

Download Submit
\??\c:\windows\SysWOW64\system64.dll

Filesize
357KB

MD5
a715478f4401f70db0b423b777e6bb1c

SHA1
6d1ce804cbe10f55147ea5207e9a7a4bf5090c7a

SHA256
af04167568ccd9c6700a5f825de9d1a02144cdef1ee651ab2d78c08dbc40a5bb

SHA512
0030f6ee04c39bed886d576061f7eb0f6ec60f2d7efd3066c48394b9990161e133d3248ec4ddaa5dcfb6c00de309c9d6e13029a4768acd620dba8cab962b4130

Download Submit
memory/2656-20-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2996-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3316-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4720-0-0x0000000001000000-0x0000000001115000-memory.dmp

Filesize
1.1MB

Download
memory/4720-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4720-23-0x0000000001000000-0x0000000001115000-memory.dmp

Filesize
1.1MB

Download
memory/4848-26-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-32-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-27-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-28-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-29-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-30-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-31-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-25-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/4848-33-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-34-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-35-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-36-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-37-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-38-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-39-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download