Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/08/2024, 09:39 UTC

General

  • Target

    859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe

  • Size

    109KB

  • MD5

    859c3f171bcb3ed7d10007ec71f98082

  • SHA1

    b02a91d37762e485e02284ad13040522ea41471c

  • SHA256

    295f9b09881e8d978bc84aaebb18daa0a79f047d013921e9119d361fe4b5443d

  • SHA512

    9bff308eb1ad3e01d4d95bda21f8018398ccafd9d6f6c1d9b209f77a0598f84b2245870184dac8a2278c34f97af38c9d8e36506ae552b29baecc6a84a7e34391

  • SSDEEP

    3072:08jQ/bYnmYQus2HoUqrdT1x/QaiAjnLq845OKzNm:0IQ/b4nqbdB9Xnt45VRm

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\inf\svchosts.exe
      "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwfdfia16_080521.dll tanlt88
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\system\sgcxcxxaspf080521.exe
          "C:\Windows\system\sgcxcxxaspf080521.exe" i
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4468
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4060
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4060 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:632

Network

  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    api.bing.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    api.bing.com
    IN A
    Response
    api.bing.com
    IN CNAME
    api-bing-com.e-0001.e-msedge.net
    api-bing-com.e-0001.e-msedge.net
    IN CNAME
    e-0001.e-msedge.net
    e-0001.e-msedge.net
    IN A
    13.107.5.80
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    192.142.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    192.142.123.92.in-addr.arpa
    IN PTR
    Response
    192.142.123.92.in-addr.arpa
    IN PTR
    a92-123-142-192deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    161.19.199.152.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    161.19.199.152.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 405350
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 710D0AC127F84935AA7970FF7E7268C3 Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
    date: Sat, 10 Aug 2024 09:41:19 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 719294
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A37E2C4C21714D48BC3FD5B9EA255F6C Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
    date: Sat, 10 Aug 2024 09:41:19 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 561868
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0ACC5BCB57044E8FA86B5C8E5309F8F2 Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
    date: Sat, 10 Aug 2024 09:41:19 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 830618
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6D43084B9B8441BE98A8B7397901D81C Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
    date: Sat, 10 Aug 2024 09:41:19 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317300927_1MHQY2TQNUIH7ZQRL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317300927_1MHQY2TQNUIH7ZQRL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 712307
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 549E42CAEEF84859A6575D7C97835147 Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
    date: Sat, 10 Aug 2024 09:41:19 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 718774
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 89266A52C4634B6E9F044B62E853FF42 Ref B: LON04EDGE0817 Ref C: 2024-08-10T09:41:20Z
    date: Sat, 10 Aug 2024 09:41:19 GMT
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.27.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls, http2
    IEXPLORE.EXE
    1.2kB
    8.6kB
    16
    14
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    7.2kB
    16
    12
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    7.2kB
    16
    12
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    7.2kB
    16
    11
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    7.2kB
    16
    12
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    144.1kB
    4.1MB
    2968
    2962

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360453660_1FJYLRXUGJ1KYC379&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301582_1MLHFWTHBIK9NA4JB&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360453482_1OGQPWVCF77KWCMMI&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301173_11CL6NTG6CSIMT5HR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317300927_1MHQY2TQNUIH7ZQRL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    144 B
    146 B
    2
    1

    DNS Request

    157.123.68.40.in-addr.arpa

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    api.bing.com
    dns
    IEXPLORE.EXE
    58 B
    134 B
    1
    1

    DNS Request

    api.bing.com

    DNS Response

    13.107.5.80

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    192.142.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    192.142.123.92.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    161.19.199.152.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    161.19.199.152.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    57.169.31.20.in-addr.arpa

  • 8.8.8.8:53
    10.27.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.27.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\inf\svchosts.exe

    Filesize

    60KB

    MD5

    889b99c52a60dd49227c5e485a016679

    SHA1

    8fa889e456aa646a4d0a4349977430ce5fa5e2d7

    SHA256

    6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

    SHA512

    08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Windows\SysWOW64\lwfdfia16_080521.dll

    Filesize

    30KB

    MD5

    545b50208a7058cbf817f692abf5e7ee

    SHA1

    e1cf5613dee8bb51102a0c0da99bf515db2c96ff

    SHA256

    329ae4cdebde953f989ebb0a7a815e9eeaf0f5b780cfaa6f4f37aeb8ae7194fe

    SHA512

    c17cc9d3d69b43fd9cba1465eecc637eba4dd2396cee488be26adb35d93d5926358bc782db75aef1d262094181a9a863f9cc1025a3a7b3c161b76fe3d41149a4

  • C:\Windows\SysWOW64\mdccasys32_080521.dll

    Filesize

    218KB

    MD5

    b64ce329b1243662ee34c2b15ee00aff

    SHA1

    a7b4fc826fb785ca8c1be74f665a7204c848b300

    SHA256

    17353a78a579784ad3194e3d19ca10ad8cbbb2f39bc7651f5f3e264932694a31

    SHA512

    ccaa27d3db61a8976f43439891afb27695982752cc1bccf5173300584e45a785191f9d991c26e2570acfe08550cc45168301200bc5a76803aad7847e2d8ce8b1

  • C:\Windows\System\sgcxcxxaspf080521.exe

    Filesize

    109KB

    MD5

    859c3f171bcb3ed7d10007ec71f98082

    SHA1

    b02a91d37762e485e02284ad13040522ea41471c

    SHA256

    295f9b09881e8d978bc84aaebb18daa0a79f047d013921e9119d361fe4b5443d

    SHA512

    9bff308eb1ad3e01d4d95bda21f8018398ccafd9d6f6c1d9b209f77a0598f84b2245870184dac8a2278c34f97af38c9d8e36506ae552b29baecc6a84a7e34391

  • C:\Windows\pwisys.ini

    Filesize

    46B

    MD5

    02a44daab973d76f4d098b09bb769341

    SHA1

    f08c38e8f4204154b5e0abd563e52eb8ac18daba

    SHA256

    7c0b825425cd7bf72504488463b492b9c8531ea796988fcf7f7f5868a2293f73

    SHA512

    1320a0f8fbd6ee431a636d932994d53a6253ce9ba8847d0efd7c99f3e2817d2f5edba39cdd6a5fcf7e94938ad0933a2b3eb951a24836efec01fb8a4dc5558d90

  • C:\Windows\pwisys.ini

    Filesize

    462B

    MD5

    e4a597ac6a528195d251d510df8bf71a

    SHA1

    76a5b62d6b91e31d813cd62d2119430f3fbe55a0

    SHA256

    37dac674fe56c07abad128bc012f3c3376e530b851a00ff482188d6ca5ff474a

    SHA512

    2f5ae4438c38186f3abb996325cae79c3abe7208807a8308f716213f73d1c0c70746db623d2c644e9535759f1c5519fb26279700722f6e2b35bf0163f5eaba87

  • C:\Windows\pwisys.ini

    Filesize

    378B

    MD5

    abbaa9a765414a0fdc24dbe9ce532f40

    SHA1

    bfe805d6ddf84697841ec4755c82c7e9e93f3d24

    SHA256

    2ef297d5f1d5fc24ab4a4bddedf70e40392a0482f36655599aeabb2a1c142b1c

    SHA512

    11f82c93d9a40bff0567dbda7abce71c9d691c27e9fcb754b1389ee97a73915bf364e2948038e2bfe0cab5a3881837ba336ecfdec6399027f852edc20f04c6b1

  • C:\Windows\pwisys.ini

    Filesize

    406B

    MD5

    3bde21d9225f08f610849475259a2ad0

    SHA1

    c5924b016d75c7e55dc9162a7a067268e80be0ab

    SHA256

    4838d22a50bc7f72121943a280852048e50d04e7e6af7d1a23586125a4d02860

    SHA512

    57a1defff7079ed624619e48fe8a3c2564e6d8a99eff0f965c05f246cbd957266a3725ee851b4a360dc6761aca499bd376126c7c649db4cf2c7e4b9b46c11988

  • C:\Windows\pwisys.ini

    Filesize

    412B

    MD5

    33f58ad13eb73a2db5f5742c1abdec6f

    SHA1

    95d0b31201ca35e38cac6d72ca948ff570849c42

    SHA256

    508da3348f05bcc4023b176828f985553a36411b9b722fbc1fa53b70ce3c78d1

    SHA512

    41d408242301fa7dfa011bbd2c49dadb83cddc690658bad68bb3a1d1c247891ffc73362536628a49e384be9a3303c99956c51acb23af3981af28aaa531e80e12

  • C:\Windows\pwisys.ini

    Filesize

    445B

    MD5

    31455763d54417b06d02539065e0bd4b

    SHA1

    575d9e0ec77264f5d38d5d2b1aa268b4bf75cd60

    SHA256

    c355f3d72c07223261bdb91f4e4b6231ee02ea253909c60320cf42e95a40af92

    SHA512

    e2f85bc5a4d21bd215703ef64bc93243f351dfbe554a0db1140d96d79ac9ea93c03a1d3dbb858a4e5c5b4c6e428fcbf6b558f8ed8eff75638de7899c3d522394

  • C:\Windows\pwisys.ini

    Filesize

    472B

    MD5

    ba68736bb091dfa427efa5dd6185087d

    SHA1

    57ab795d4cc4997dbbda06d19e9425b57b1c16e4

    SHA256

    05501ed09119326c1f79664d8d19bea3f796945b55426a864af3d55b8940ee2d

    SHA512

    ceecf9600f260b02394e04b54f9f4e42dc718bcf300a22c2a7dcb9d1c6b18191cfbc5d512bde67e05cf5dea4ac5c3d4501649bfaba892002a904354376fbce08

  • \??\c:\mylstecj.bat

    Filesize

    53B

    MD5

    a030a092e0004463d8277d9a7f5aa38a

    SHA1

    544bd23833a144c2bb965b494253aedf2a78f27c

    SHA256

    09973710a0dbef6e906db4dfa88b531ff2abe02a3af84b37adfb9e0c387a52e9

    SHA512

    c3306df79ab7820046a9144e7949fb6a5da56f1ca900f89fd1f6ab8f477b24b8364ed01f98f75ea0c14de35a380314aeb9f840b5e4eef77cf6c48a223a31bb47

  • memory/3604-72-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3604-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3604-85-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3604-108-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/3604-109-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.