Analysis
-
max time kernel
148s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2024 06:36
Behavioral task
behavioral1
Sample
f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
f7c7d0bd153c8d765580e2d85b8312a1
-
SHA1
9bb9e14e8c82f0b89f7a57e728c51676827bcfc8
-
SHA256
5e29d859f5c04a364ed071e6b919ecec966730803577adc4006e34d1b1cc2229
-
SHA512
06cfe8a830e83e620f4daec0dbfd09a25a1e35bf6357f78f6fff6e23218cdae571a6f863ba329aad167b2424bd6c1b53793e22b8ab234252af760a434f108be7
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZR:0UzeyQMS4DqodCnoe+iitjWwwF
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
pid Process 2548 explorer.exe 2440 explorer.exe 2568 spoolsv.exe 4724 spoolsv.exe 392 spoolsv.exe 3208 spoolsv.exe 2580 spoolsv.exe 2096 spoolsv.exe 4360 spoolsv.exe 3164 spoolsv.exe 1732 spoolsv.exe 3176 spoolsv.exe 4904 spoolsv.exe 4592 spoolsv.exe 5004 spoolsv.exe 1300 spoolsv.exe 2492 spoolsv.exe 3640 spoolsv.exe 3876 spoolsv.exe 3008 spoolsv.exe 728 spoolsv.exe 3284 spoolsv.exe 2176 spoolsv.exe 3696 spoolsv.exe 4556 spoolsv.exe 832 spoolsv.exe 2756 spoolsv.exe 4060 spoolsv.exe 4176 spoolsv.exe 1140 spoolsv.exe 1512 spoolsv.exe 3148 spoolsv.exe 3896 spoolsv.exe 3812 explorer.exe 5080 spoolsv.exe 4628 spoolsv.exe 4580 spoolsv.exe 3540 spoolsv.exe 1620 explorer.exe 4624 spoolsv.exe 3796 spoolsv.exe 5008 spoolsv.exe 2332 spoolsv.exe 4308 spoolsv.exe 4620 spoolsv.exe 5016 spoolsv.exe 2148 explorer.exe 1076 spoolsv.exe 4608 spoolsv.exe 2796 spoolsv.exe 748 spoolsv.exe 4108 explorer.exe 4524 spoolsv.exe 376 spoolsv.exe 4116 spoolsv.exe 1536 spoolsv.exe 2656 spoolsv.exe 4128 spoolsv.exe 3472 explorer.exe 2912 spoolsv.exe 1132 spoolsv.exe 2432 spoolsv.exe 2204 spoolsv.exe 1920 spoolsv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 56 IoCs
description pid Process procid_target PID 2880 set thread context of 5012 2880 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 97 PID 2548 set thread context of 2440 2548 explorer.exe 102 PID 2568 set thread context of 3896 2568 spoolsv.exe 134 PID 4724 set thread context of 4628 4724 spoolsv.exe 137 PID 392 set thread context of 4580 392 spoolsv.exe 138 PID 3208 set thread context of 3540 3208 spoolsv.exe 139 PID 2580 set thread context of 3796 2580 spoolsv.exe 142 PID 2096 set thread context of 5008 2096 spoolsv.exe 143 PID 4360 set thread context of 2332 4360 spoolsv.exe 144 PID 3164 set thread context of 4308 3164 spoolsv.exe 145 PID 1732 set thread context of 4620 1732 spoolsv.exe 146 PID 3176 set thread context of 5016 3176 spoolsv.exe 147 PID 4904 set thread context of 4608 4904 spoolsv.exe 150 PID 4592 set thread context of 2796 4592 spoolsv.exe 151 PID 5004 set thread context of 748 5004 spoolsv.exe 152 PID 1300 set thread context of 376 1300 spoolsv.exe 155 PID 2492 set thread context of 4116 2492 spoolsv.exe 156 PID 3640 set thread context of 1536 3640 spoolsv.exe 157 PID 3876 set thread context of 2656 3876 spoolsv.exe 158 PID 3008 set thread context of 4128 3008 spoolsv.exe 160 PID 728 set thread context of 1132 728 spoolsv.exe 163 PID 3284 set thread context of 2432 3284 spoolsv.exe 164 PID 2176 set thread context of 2204 2176 spoolsv.exe 165 PID 3696 set thread context of 1920 3696 spoolsv.exe 166 PID 4556 set thread context of 5032 4556 spoolsv.exe 167 PID 832 set thread context of 4528 832 spoolsv.exe 168 PID 2756 set thread context of 4064 2756 spoolsv.exe 171 PID 4060 set thread context of 3552 4060 spoolsv.exe 172 PID 4176 set thread context of 964 4176 spoolsv.exe 173 PID 1140 set thread context of 2584 1140 spoolsv.exe 174 PID 1512 set thread context of 1644 1512 spoolsv.exe 177 PID 3148 set thread context of 3140 3148 spoolsv.exe 178 PID 3812 set thread context of 1456 3812 explorer.exe 183 PID 5080 set thread context of 1296 5080 spoolsv.exe 184 PID 1620 set thread context of 1624 1620 explorer.exe 193 PID 4624 set thread context of 1840 4624 spoolsv.exe 194 PID 2148 set thread context of 4024 2148 explorer.exe 198 PID 1076 set thread context of 4388 1076 spoolsv.exe 199 PID 4108 set thread context of 924 4108 explorer.exe 210 PID 4524 set thread context of 5524 4524 spoolsv.exe 211 PID 3472 set thread context of 5716 3472 explorer.exe 216 PID 2912 set thread context of 5780 2912 spoolsv.exe 217 PID 1848 set thread context of 5684 1848 explorer.exe 221 PID 2324 set thread context of 6136 2324 spoolsv.exe 223 PID 4492 set thread context of 5740 4492 explorer.exe 226 PID 852 set thread context of 3584 852 spoolsv.exe 227 PID 4348 set thread context of 6048 4348 spoolsv.exe 229 PID 2864 set thread context of 3412 2864 spoolsv.exe 232 PID 4064 set thread context of 4816 4064 explorer.exe 234 PID 1912 set thread context of 5936 1912 spoolsv.exe 235 PID 180 set thread context of 4332 180 spoolsv.exe 236 PID 3516 set thread context of 6068 3516 spoolsv.exe 237 PID 4848 set thread context of 6132 4848 spoolsv.exe 238 PID 4504 set thread context of 5516 4504 spoolsv.exe 240 PID 3456 set thread context of 2832 3456 explorer.exe 241 PID 400 set thread context of 1828 400 spoolsv.exe 242 -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5012 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 5012 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2440 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 5012 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 5012 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 3896 spoolsv.exe 3896 spoolsv.exe 4628 spoolsv.exe 4628 spoolsv.exe 4580 spoolsv.exe 4580 spoolsv.exe 3540 spoolsv.exe 3540 spoolsv.exe 3796 spoolsv.exe 3796 spoolsv.exe 5008 spoolsv.exe 5008 spoolsv.exe 2332 spoolsv.exe 2332 spoolsv.exe 4308 spoolsv.exe 4308 spoolsv.exe 4620 spoolsv.exe 4620 spoolsv.exe 5016 spoolsv.exe 5016 spoolsv.exe 4608 spoolsv.exe 4608 spoolsv.exe 2796 spoolsv.exe 2796 spoolsv.exe 748 spoolsv.exe 748 spoolsv.exe 376 spoolsv.exe 376 spoolsv.exe 4116 spoolsv.exe 4116 spoolsv.exe 1536 spoolsv.exe 1536 spoolsv.exe 2656 spoolsv.exe 2656 spoolsv.exe 4128 spoolsv.exe 4128 spoolsv.exe 1132 spoolsv.exe 1132 spoolsv.exe 2432 spoolsv.exe 2432 spoolsv.exe 2204 spoolsv.exe 2204 spoolsv.exe 1920 spoolsv.exe 1920 spoolsv.exe 5032 spoolsv.exe 5032 spoolsv.exe 4528 spoolsv.exe 4528 spoolsv.exe 4064 spoolsv.exe 4064 spoolsv.exe 3552 spoolsv.exe 3552 spoolsv.exe 964 spoolsv.exe 964 spoolsv.exe 2584 spoolsv.exe 2584 spoolsv.exe 1644 spoolsv.exe 1644 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2880 wrote to memory of 3900 2880 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 85 PID 2880 wrote to memory of 3900 2880 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 85 PID 2880 wrote to memory of 5012 2880 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 97 PID 2880 wrote to memory of 5012 2880 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 97 PID 2880 wrote to memory of 5012 2880 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 97 PID 2880 wrote to memory of 5012 2880 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 97 PID 2880 wrote to memory of 5012 2880 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 97 PID 5012 wrote to memory of 2548 5012 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 98 PID 5012 wrote to memory of 2548 5012 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 98 PID 5012 wrote to memory of 2548 5012 f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe 98 PID 2548 wrote to memory of 2440 2548 explorer.exe 102 PID 2548 wrote to memory of 2440 2548 explorer.exe 102 PID 2548 wrote to memory of 2440 2548 explorer.exe 102 PID 2548 wrote to memory of 2440 2548 explorer.exe 102 PID 2548 wrote to memory of 2440 2548 explorer.exe 102 PID 2440 wrote to memory of 2568 2440 explorer.exe 103 PID 2440 wrote to memory of 2568 2440 explorer.exe 103 PID 2440 wrote to memory of 2568 2440 explorer.exe 103 PID 2440 wrote to memory of 4724 2440 explorer.exe 104 PID 2440 wrote to memory of 4724 2440 explorer.exe 104 PID 2440 wrote to memory of 4724 2440 explorer.exe 104 PID 2440 wrote to memory of 392 2440 explorer.exe 105 PID 2440 wrote to memory of 392 2440 explorer.exe 105 PID 2440 wrote to memory of 392 2440 explorer.exe 105 PID 2440 wrote to memory of 3208 2440 explorer.exe 106 PID 2440 wrote to memory of 3208 2440 explorer.exe 106 PID 2440 wrote to memory of 3208 2440 explorer.exe 106 PID 2440 wrote to memory of 2580 2440 explorer.exe 107 PID 2440 wrote to memory of 2580 2440 explorer.exe 107 PID 2440 wrote to memory of 2580 2440 explorer.exe 107 PID 2440 wrote to memory of 2096 2440 explorer.exe 108 PID 2440 wrote to memory of 2096 2440 explorer.exe 108 PID 2440 wrote to memory of 2096 2440 explorer.exe 108 PID 2440 wrote to memory of 4360 2440 explorer.exe 109 PID 2440 wrote to memory of 4360 2440 explorer.exe 109 PID 2440 wrote to memory of 4360 2440 explorer.exe 109 PID 2440 wrote to memory of 3164 2440 explorer.exe 110 PID 2440 wrote to memory of 3164 2440 explorer.exe 110 PID 2440 wrote to memory of 3164 2440 explorer.exe 110 PID 2440 wrote to memory of 1732 2440 explorer.exe 111 PID 2440 wrote to memory of 1732 2440 explorer.exe 111 PID 2440 wrote to memory of 1732 2440 explorer.exe 111 PID 2440 wrote to memory of 3176 2440 explorer.exe 112 PID 2440 wrote to memory of 3176 2440 explorer.exe 112 PID 2440 wrote to memory of 3176 2440 explorer.exe 112 PID 2440 wrote to memory of 4904 2440 explorer.exe 114 PID 2440 wrote to memory of 4904 2440 explorer.exe 114 PID 2440 wrote to memory of 4904 2440 explorer.exe 114 PID 2440 wrote to memory of 4592 2440 explorer.exe 115 PID 2440 wrote to memory of 4592 2440 explorer.exe 115 PID 2440 wrote to memory of 4592 2440 explorer.exe 115 PID 2440 wrote to memory of 5004 2440 explorer.exe 116 PID 2440 wrote to memory of 5004 2440 explorer.exe 116 PID 2440 wrote to memory of 5004 2440 explorer.exe 116 PID 2440 wrote to memory of 1300 2440 explorer.exe 117 PID 2440 wrote to memory of 1300 2440 explorer.exe 117 PID 2440 wrote to memory of 1300 2440 explorer.exe 117 PID 2440 wrote to memory of 2492 2440 explorer.exe 118 PID 2440 wrote to memory of 2492 2440 explorer.exe 118 PID 2440 wrote to memory of 2492 2440 explorer.exe 118 PID 2440 wrote to memory of 3640 2440 explorer.exe 119 PID 2440 wrote to memory of 3640 2440 explorer.exe 119 PID 2440 wrote to memory of 3640 2440 explorer.exe 119 PID 2440 wrote to memory of 3876 2440 explorer.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:3900
-
-
C:\Users\Admin\AppData\Local\Temp\f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f7c7d0bd153c8d765580e2d85b8312a1_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2568 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3896 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3812 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1456
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4724 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4628
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:392 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4580
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3208 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3540 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1620 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:1624
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2580 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3796
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2096 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5008
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4360 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2332
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3164 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4308
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1732 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4620
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3176 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5016 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2148 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:4024
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4904 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4608
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4592 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2796
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5004 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:748 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4108 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:924
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1300 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:376
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2492 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4116
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3640 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1536
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3876 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2656
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3008 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4128 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3472 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5716
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:728 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1132
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3284 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2432
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2176 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2204
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3696 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1920
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4556 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:5032
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:832 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4528 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1848 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5684
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2756 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4064
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4060 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3552
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4176 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:964
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1140 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2584 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4492 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5740
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1512 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1644
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3148 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:3140
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5080 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:1296 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
PID:4064 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4816
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4624 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:1840 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3456 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2832
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1076 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4388
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:636
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4524 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5524
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5400
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2912 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5780
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5972
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2324 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:6136 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2692
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:852 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:3584 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5988
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4348 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6048
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2864 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:3412 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4612
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1912 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5936
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:180 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4332
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:3516 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6068
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:4848 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:6132
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4504 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5516
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:400 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:1828 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- System Location Discovery: System Language Discovery
PID:512
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4940
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5228
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5792
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3088
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5312
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5940
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2208
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5600
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- System Location Discovery: System Language Discovery
PID:6140
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1340
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5552
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5440
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2548
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5672
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5488
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2792
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:2664
Network
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request72.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request57.169.31.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 299452
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E14C029350D74E4598356FDBB1162EAA Ref B: LON601060101062 Ref C: 2024-09-26T06:38:01Z
date: Thu, 26 Sep 2024 06:38:01 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418556_19ZNSNV8II35KT0LW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418556_19ZNSNV8II35KT0LW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 589124
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 915567B734A84D0490943CDA825FB66C Ref B: LON601060101062 Ref C: 2024-09-26T06:38:01Z
date: Thu, 26 Sep 2024 06:38:01 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418555_1KV8ALUFBH6DDF1AN&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418555_1KV8ALUFBH6DDF1AN&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 712275
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 20DE2C999D1D483589481ABF064E644A Ref B: LON601060101062 Ref C: 2024-09-26T06:38:01Z
date: Thu, 26 Sep 2024 06:38:01 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 550329
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9A2AB62752C54E7CB390E8F8CA3DAB47 Ref B: LON601060101062 Ref C: 2024-09-26T06:38:01Z
date: Thu, 26 Sep 2024 06:38:01 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 267906
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D4A43E387FB34495AD0088DED7D067A5 Ref B: LON601060101062 Ref C: 2024-09-26T06:38:01Z
date: Thu, 26 Sep 2024 06:38:01 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 586035
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A622BEEA3E564F358D49E476E21FA3BD Ref B: LON601060101062 Ref C: 2024-09-26T06:38:05Z
date: Thu, 26 Sep 2024 06:38:04 GMT
-
Remote address:8.8.8.8:53Request10.27.171.150.in-addr.arpaIN PTRResponse
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90tls, http2110.2kB 3.1MB 2277 2271
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301309_1JFFGJ64L9I4K3JMP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418556_19ZNSNV8II35KT0LW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418555_1KV8ALUFBH6DDF1AN&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301718_1O49LH3F36Y9OZ53W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
72.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
57.169.31.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
72 B 158 B 1 1
DNS Request
10.27.171.150.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
2.2MB
MD5710467b96c8108965591e45651609e5b
SHA1978a554aca2105c4f03a930eb5900c6b271ac6e7
SHA256329e10a5db09b77e4db5e22c794b9b78e27bc42ff83c88e613fae2f53a9f9844
SHA5123cb4195a7dc20acd6435d2c4b0f8071c1a554fc9629f833b52f2a0d282ca95aacdba4fd2dba6eab5776f35fdb85e6e1f40605bed2b736e789c9519f54ec3980b
-
Filesize
2.2MB
MD56479c6b3d19ab36a9515c48e93c3999b
SHA1b4afc303daf05199cf605e268801aad0eeb5240c
SHA2568d6c574975eef80cb8c3cf4328b0a1d42e55b087504a9af45940caa85502ba96
SHA5121e0b5d74039dbbd3c32dc1b3c51f46a5ee2d84873931015bb25dfbef045789129518e146d7ba59b0836772c78b16e338813a1128966bdc5cd7e9bf5abdbf58e7