ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c

Analysis

max time kernel
78s
max time network
98s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 19:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe
Size

900KB
MD5

75f6cc3b9d91fb36827052daa68ab459
SHA1

44b85c2b29c6b84fa020c9aead696e588877cb0e
SHA256

ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c
SHA512

0b962a953c5057de44af5d1d6a362408901d5505d4a71554138027adeb7a26027076259fea474e9fa8fa966a26c66f32b4585824be803f914258018da37cebab
SSDEEP

12288:6yu8gCTiJiYNadtDIC4W43ksPZE5SqG2VcV8XX7xe9DPBi3/2Kmm97Wb9cd:6yu8gCTX8aTUC5akaa5qZV8Xrg9Deb7z

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

subinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exe

pid	process
1884	subinacl.exe
992	subinacl.exe
1572	subinacl.exe
2024	subinacl.exe
1472	subinacl.exe
692	subinacl.exe
1936	subinacl.exe
1460	subinacl.exe
1532	subinacl.exe
1268	subinacl.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exe

pid process

1816 takeown.exe
1600 takeown.exe
1652 icacls.exe
896 icacls.exe

pid	process
1816	takeown.exe
1600	takeown.exe
1652	icacls.exe
896	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PrintNotify\Parameters\ServiceDll = "C:\\Windows\\system32\\spool\\DRIVERS\\W32X86\\3\\PrintConfig.dll"	regedit.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "%SystemRoot%\\System32\\spoolsv.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PrintNotify\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k print"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RpcLocator\ImagePath = "%SystemRoot%\\system32\\locator.exe"	regedit.exe

Loads dropped DLL 21 IoCs

Processes:

cmd.exeregsvr32.exe

pid	process
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
1596	regsvr32.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exetakeown.exeicacls.exeicacls.exe

pid process

1600 takeown.exe
1816 takeown.exe
1652 icacls.exe
896 icacls.exe

pid	process
1600	takeown.exe
1816	takeown.exe
1652	icacls.exe
896	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\runonce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Done = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Done.bat"	reg.exe

Drops file in System32 directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\spoolsv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\spoolsv.exe	cmd.exe
File created	C:\Windows\SysWOW64\spoolss.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\spoolss.dll	cmd.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1644 sc.exe
1380 sc.exe
1752 sc.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

1348 regedit.exe
Runs net.exe

pid	process
1644	sc.exe
1380	sc.exe
1752	sc.exe

pid	process
1348	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exetakeown.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exesubinacl.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1600	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeSecurityPrivilege	1884	subinacl.exe
Token: SeBackupPrivilege	1884	subinacl.exe
Token: SeRestorePrivilege	1884	subinacl.exe
Token: SeRestorePrivilege	1884	subinacl.exe
Token: SeTakeOwnershipPrivilege	1884	subinacl.exe
Token: SeChangeNotifyPrivilege	1884	subinacl.exe
Token: SeDebugPrivilege	1884	subinacl.exe
Token: SeSecurityPrivilege	992	subinacl.exe
Token: SeBackupPrivilege	992	subinacl.exe
Token: SeRestorePrivilege	992	subinacl.exe
Token: SeRestorePrivilege	992	subinacl.exe
Token: SeTakeOwnershipPrivilege	992	subinacl.exe
Token: SeChangeNotifyPrivilege	992	subinacl.exe
Token: SeDebugPrivilege	992	subinacl.exe
Token: SeSecurityPrivilege	1572	subinacl.exe
Token: SeBackupPrivilege	1572	subinacl.exe
Token: SeRestorePrivilege	1572	subinacl.exe
Token: SeRestorePrivilege	1572	subinacl.exe
Token: SeTakeOwnershipPrivilege	1572	subinacl.exe
Token: SeChangeNotifyPrivilege	1572	subinacl.exe
Token: SeDebugPrivilege	1572	subinacl.exe
Token: SeSecurityPrivilege	2024	subinacl.exe
Token: SeBackupPrivilege	2024	subinacl.exe
Token: SeRestorePrivilege	2024	subinacl.exe
Token: SeRestorePrivilege	2024	subinacl.exe
Token: SeTakeOwnershipPrivilege	2024	subinacl.exe
Token: SeChangeNotifyPrivilege	2024	subinacl.exe
Token: SeDebugPrivilege	2024	subinacl.exe
Token: SeSecurityPrivilege	1472	subinacl.exe
Token: SeBackupPrivilege	1472	subinacl.exe
Token: SeRestorePrivilege	1472	subinacl.exe
Token: SeRestorePrivilege	1472	subinacl.exe
Token: SeTakeOwnershipPrivilege	1472	subinacl.exe
Token: SeChangeNotifyPrivilege	1472	subinacl.exe
Token: SeDebugPrivilege	1472	subinacl.exe
Token: SeSecurityPrivilege	692	subinacl.exe
Token: SeBackupPrivilege	692	subinacl.exe
Token: SeRestorePrivilege	692	subinacl.exe
Token: SeRestorePrivilege	692	subinacl.exe
Token: SeTakeOwnershipPrivilege	692	subinacl.exe
Token: SeChangeNotifyPrivilege	692	subinacl.exe
Token: SeDebugPrivilege	692	subinacl.exe
Token: SeSecurityPrivilege	1936	subinacl.exe
Token: SeBackupPrivilege	1936	subinacl.exe
Token: SeRestorePrivilege	1936	subinacl.exe
Token: SeRestorePrivilege	1936	subinacl.exe
Token: SeTakeOwnershipPrivilege	1936	subinacl.exe
Token: SeChangeNotifyPrivilege	1936	subinacl.exe
Token: SeDebugPrivilege	1936	subinacl.exe
Token: SeSecurityPrivilege	1460	subinacl.exe
Token: SeBackupPrivilege	1460	subinacl.exe
Token: SeRestorePrivilege	1460	subinacl.exe
Token: SeRestorePrivilege	1460	subinacl.exe
Token: SeTakeOwnershipPrivilege	1460	subinacl.exe
Token: SeChangeNotifyPrivilege	1460	subinacl.exe
Token: SeDebugPrivilege	1460	subinacl.exe
Token: SeSecurityPrivilege	1532	subinacl.exe
Token: SeBackupPrivilege	1532	subinacl.exe
Token: SeRestorePrivilege	1532	subinacl.exe
Token: SeRestorePrivilege	1532	subinacl.exe
Token: SeTakeOwnershipPrivilege	1532	subinacl.exe
Token: SeChangeNotifyPrivilege	1532	subinacl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.execmd.execmd.exenet.exe

description	pid	process	target process
PID 872 wrote to memory of 788	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 788	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 788	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 788	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1900	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1900	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1900	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1900	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 612	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 612	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 612	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 612	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 612 wrote to memory of 1512	612	cmd.exe	attrib.exe
PID 612 wrote to memory of 1512	612	cmd.exe	attrib.exe
PID 612 wrote to memory of 1512	612	cmd.exe	attrib.exe
PID 612 wrote to memory of 1512	612	cmd.exe	attrib.exe
PID 872 wrote to memory of 1232	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1232	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1232	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1232	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1364	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1364	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1364	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1364	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1348	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1348	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1348	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1348	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 852	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 852	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 852	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 852	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1744	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1744	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1744	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1744	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1752	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1752	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1752	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 1752	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 952	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 952	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 952	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 872 wrote to memory of 952	872	ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe	cmd.exe
PID 952 wrote to memory of 1968	952	cmd.exe	reg.exe
PID 952 wrote to memory of 1968	952	cmd.exe	reg.exe
PID 952 wrote to memory of 1968	952	cmd.exe	reg.exe
PID 952 wrote to memory of 1968	952	cmd.exe	reg.exe
PID 952 wrote to memory of 2012	952	cmd.exe	net.exe
PID 952 wrote to memory of 2012	952	cmd.exe	net.exe
PID 952 wrote to memory of 2012	952	cmd.exe	net.exe
PID 952 wrote to memory of 2012	952	cmd.exe	net.exe
PID 2012 wrote to memory of 636	2012	net.exe	net1.exe
PID 2012 wrote to memory of 636	2012	net.exe	net1.exe
PID 2012 wrote to memory of 636	2012	net.exe	net1.exe
PID 2012 wrote to memory of 636	2012	net.exe	net1.exe
PID 952 wrote to memory of 1600	952	cmd.exe	takeown.exe
PID 952 wrote to memory of 1600	952	cmd.exe	takeown.exe
PID 952 wrote to memory of 1600	952	cmd.exe	takeown.exe
PID 952 wrote to memory of 1600	952	cmd.exe	takeown.exe
PID 952 wrote to memory of 1816	952	cmd.exe	takeown.exe
PID 952 wrote to memory of 1816	952	cmd.exe	takeown.exe
PID 952 wrote to memory of 1816	952	cmd.exe	takeown.exe
PID 952 wrote to memory of 1816	952	cmd.exe	takeown.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1512 attrib.exe

pid	process
1512	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe
"C:\Users\Admin\AppData\Local\Temp\ec99f7ce67dce348254e52fb194ac592446e0fceff485a62a95f4ce85d92dd3c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
2⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"
2⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
2⤵
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
3⤵
- Views/modifies file attributes
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe"
2⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe"
2⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll"
2⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg" del "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg"
2⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp516.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp516.bat"
2⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5299.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5299.exe"
2⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp516.bat
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\reg.exe
Reg Delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce /v Done /f
3⤵
PID:1968

C:\Windows\SysWOW64\net.exe
Net stop spooler
3⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop spooler
4⤵
PID:636

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\spoolss.dll /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\spoolsv.exe /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\spoolss.dll" /grant administrators:f /grant administrator:f /grant users:f /grant system:f /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1652

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\spoolsv.exe" /grant administrators:f /grant administrator:f /grant users:f /grant system:f /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:896

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /subdirectories C:\Windows\System32\spool /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /setowner=Administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /subdirectories C:\Windows\System32\spool /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /grant=administrators=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /setowner=Administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl.exe /file C:\Windows\System32\spool*.* /grant=administrators=f /grant=administrator=f /grant=users=f /grant=system=f
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Windows\System32\spoolss.dll
3⤵
- Loads dropped DLL
PID:1596

C:\Windows\SysWOW64\msiexec.exe
Msiexec /unregserver
3⤵
PID:1760

C:\Windows\SysWOW64\msiexec.exe
Msiexec /regserver
3⤵
PID:1376

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg
3⤵
- Sets DLL path for service in the registry
- Sets service image path in registry
- Runs .reg file with regedit
PID:1348

C:\Windows\SysWOW64\sc.exe
sc config spooler depend= RPCSS
3⤵
- Launches sc.exe
PID:1380

C:\Windows\SysWOW64\sc.exe
sc config spooler type= own
3⤵
- Launches sc.exe
PID:1752

C:\Windows\SysWOW64\sc.exe
sc config spooler start= auto
3⤵
- Launches sc.exe
PID:1644

C:\Windows\SysWOW64\reg.exe
Reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /v Type /t REG_DWORD /d 0x00000010 /f
3⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
Subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /setowner=administrators
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler /grant=administrators=f /grant=system=f
3⤵
- Executes dropped EXE
PID:1268

C:\Windows\SysWOW64\net.exe
Net start spooler
3⤵
PID:972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start spooler
4⤵
PID:996

C:\Windows\SysWOW64\reg.exe
Reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce /v Done /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Done.bat" /f
3⤵
- Adds Run key to start application
PID:836

C:\Windows\SysWOW64\cscript.exe
cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
3⤵
PID:1688

C:\Windows\SysWOW64\shutdown.exe
Shutdown /r /f /t 10
3⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe"
2⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe"
2⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll" del "C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll"
2⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg" del "C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg"
2⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp516.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp516.bat"
2⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5299.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5299.exe"
2⤵
PID:1420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1532

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2012

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afolder\spooler_service.reg

Filesize
14KB

MD5
4a0dee6357cac5c02ceeac9a2dbe0b10

SHA1
b793bce7b5464af3b904c69df1f7f53e39b3f463

SHA256
8e26f7164963cda331406cd232ff330ed50adc36caf0b88ed6ce67e117011fa0

SHA512
fd327c69455973c554a75d86214f4b6a053bb01988effeee18fe9929042c8e38aa1416238b91f3b342470e856f955838b3887d62dd44295ec82f18b32ffabecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\spoolss.dll

Filesize
44KB

MD5
cedb970eee0aa5088b9bde3b0f94a971

SHA1
8e6fdf3e333b4e8db05a4e6c35dd5191b013855d

SHA256
8a7de956e6e069be66d7c8f5730694e262b0d25ac987c4ca4fbf634d43f80dac

SHA512
5f80f6fb31457436c80b65c0b685d47a23b350ad55d4c86674a91b52ee1728cb8ded05403f21ce81a4ccaba9a8dad91770e2ffa19a57591cb2af27d55f7f2551

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\spoolsv.exe

Filesize
485KB

MD5
d246a6f32cd74a0ae1f00ef7c73a1dbc

SHA1
1ec9b95aedff7eb09e0c7c4c8ecde473c9609328

SHA256
771cfd6d6474de9cf0abaf2af3e800125217cc7eaea92d6d04f8274080961e5e

SHA512
4237ca05a34ed9c1e2a3a5fea48c3a1a99d10fa301ee4bb2e0045aa33cc944cf8defdeada3df98f4f84b8a96d292f16f89990da6979ee85fe9ca6d6b71fd1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
186B

MD5
96d166f9530d94e1021916fd7c6e4a6f

SHA1
c641b873029c1c48f6c177319f3a5647d1b4685d

SHA256
253c417d94f7f5838807aa4fbbf64a5b197ffb65380234cdd40c48140ff0d961

SHA512
ba87107ab97aaa27e1f2bc5ceb024316c1d271dcc001e1427ca8c99e781da367c3709f00aaedcfbfb59cd91bed9b00dfd84de2abd279955dfda974515556c5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp516.bat

Filesize
5KB

MD5
6acb560cbedb4242e481d0d2c02c3ced

SHA1
0568f73db70b350a75a4e12e6a14d4d914483099

SHA256
a82548583845366bc83bd6448ed0724d208327fde65a83be90a09774eca084f9

SHA512
c19045b50f2cabd30fbbb5e6f8cb40932834df68aa97b00da2355f9d0991a81ffb3899701f42a04a681445b1ffc01782c4f9b85cd2d88e17bfd51a87a3dc10f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5299.exe

Filesize
15B

MD5
3c52638971ead82b5929d605c1314ee0

SHA1
7318148a40faca203ac402dff51bbb04e638545c

SHA256
5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab

SHA512
46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b

Download Submit
C:\Windows\SysWOW64\spoolss.dll

Filesize
44KB

MD5
cedb970eee0aa5088b9bde3b0f94a971

SHA1
8e6fdf3e333b4e8db05a4e6c35dd5191b013855d

SHA256
8a7de956e6e069be66d7c8f5730694e262b0d25ac987c4ca4fbf634d43f80dac

SHA512
5f80f6fb31457436c80b65c0b685d47a23b350ad55d4c86674a91b52ee1728cb8ded05403f21ce81a4ccaba9a8dad91770e2ffa19a57591cb2af27d55f7f2551

Download Submit
C:\Windows\SysWOW64\spoolsv.exe

Filesize
485KB

MD5
d246a6f32cd74a0ae1f00ef7c73a1dbc

SHA1
1ec9b95aedff7eb09e0c7c4c8ecde473c9609328

SHA256
771cfd6d6474de9cf0abaf2af3e800125217cc7eaea92d6d04f8274080961e5e

SHA512
4237ca05a34ed9c1e2a3a5fea48c3a1a99d10fa301ee4bb2e0045aa33cc944cf8defdeada3df98f4f84b8a96d292f16f89990da6979ee85fe9ca6d6b71fd1c4e

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Users\Admin\AppData\Local\Temp\afolder\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
\Windows\SysWOW64\spoolss.dll

Filesize
44KB

MD5
cedb970eee0aa5088b9bde3b0f94a971

SHA1
8e6fdf3e333b4e8db05a4e6c35dd5191b013855d

SHA256
8a7de956e6e069be66d7c8f5730694e262b0d25ac987c4ca4fbf634d43f80dac

SHA512
5f80f6fb31457436c80b65c0b685d47a23b350ad55d4c86674a91b52ee1728cb8ded05403f21ce81a4ccaba9a8dad91770e2ffa19a57591cb2af27d55f7f2551

Download Submit
memory/612-56-0x0000000000000000-mapping.dmp

Download
memory/636-68-0x0000000000000000-mapping.dmp

Download
memory/692-101-0x0000000000000000-mapping.dmp

Download
memory/764-131-0x0000000000000000-mapping.dmp

Download
memory/788-54-0x0000000000000000-mapping.dmp

Download
memory/836-144-0x0000000000000000-mapping.dmp

Download
memory/852-61-0x0000000000000000-mapping.dmp

Download
memory/896-72-0x0000000000000000-mapping.dmp

Download
memory/952-64-0x0000000000000000-mapping.dmp

Download
memory/972-142-0x0000000000000000-mapping.dmp

Download
memory/992-81-0x0000000000000000-mapping.dmp

Download
memory/992-153-0x0000000000000000-mapping.dmp

Download
memory/996-143-0x0000000000000000-mapping.dmp

Download
memory/1124-156-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

Filesize
8KB

Download
memory/1232-58-0x0000000000000000-mapping.dmp

Download
memory/1268-139-0x0000000000000000-mapping.dmp

Download
memory/1348-125-0x0000000000000000-mapping.dmp

Download
memory/1348-60-0x0000000000000000-mapping.dmp

Download
memory/1364-59-0x0000000000000000-mapping.dmp

Download
memory/1376-123-0x0000000000000000-mapping.dmp

Download
memory/1380-128-0x0000000000000000-mapping.dmp

Download
memory/1420-154-0x0000000000000000-mapping.dmp

Download
memory/1460-115-0x0000000000000000-mapping.dmp

Download
memory/1472-96-0x0000000000000000-mapping.dmp

Download
memory/1512-57-0x0000000000000000-mapping.dmp

Download
memory/1532-134-0x0000000000000000-mapping.dmp

Download
memory/1572-86-0x0000000000000000-mapping.dmp

Download
memory/1596-118-0x0000000000000000-mapping.dmp

Download
memory/1600-69-0x0000000000000000-mapping.dmp

Download
memory/1644-130-0x0000000000000000-mapping.dmp

Download
memory/1652-71-0x0000000000000000-mapping.dmp

Download
memory/1680-148-0x0000000000000000-mapping.dmp

Download
memory/1688-145-0x0000000000000000-mapping.dmp

Download
memory/1704-152-0x0000000000000000-mapping.dmp

Download
memory/1708-151-0x0000000000000000-mapping.dmp

Download
memory/1744-62-0x0000000000000000-mapping.dmp

Download
memory/1752-129-0x0000000000000000-mapping.dmp

Download
memory/1752-63-0x0000000000000000-mapping.dmp

Download
memory/1760-121-0x0000000000000000-mapping.dmp

Download
memory/1816-70-0x0000000000000000-mapping.dmp

Download
memory/1860-150-0x0000000000000000-mapping.dmp

Download
memory/1884-78-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1884-76-0x0000000000000000-mapping.dmp

Download
memory/1900-55-0x0000000000000000-mapping.dmp

Download
memory/1936-108-0x0000000000000000-mapping.dmp

Download
memory/1968-66-0x0000000000000000-mapping.dmp

Download
memory/1996-149-0x0000000000000000-mapping.dmp

Download
memory/2012-67-0x0000000000000000-mapping.dmp

Download
memory/2024-91-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads