Analysis
-
max time kernel
124s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-04-2024 15:43
Behavioral task
behavioral1
Sample
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
-
Size
13.0MB
-
MD5
fd1a4389ae602d038236500becb9e716
-
SHA1
07391dfac902cf86854020fc1a869ba40c0a83ed
-
SHA256
e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40
-
SHA512
6e34b60c7aac1ec6b7dbdf810dc0f93a51cd2a0e9d6a337fe7db5066c42ee050d141fe1af05a289f507fff3e01a982ad69197bfbff739e8253f23a3326ed6822
-
SSDEEP
196608:yU7d9xZSt4U7d9xZStSU7d9xZSt4U7d9xZStD:D7d9xZo7d9xZS7d9xZo7d9xZA
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload 9 IoCs
Processes:
resource yara_rule C:\Windows\system\explorer.exe warzonerat C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe warzonerat \Windows\system\spoolsv.exe warzonerat C:\Windows\system\spoolsv.exe warzonerat \Windows\system\spoolsv.exe warzonerat \Windows\system\spoolsv.exe warzonerat \Windows\system\spoolsv.exe warzonerat C:\Windows\system\spoolsv.exe warzonerat C:\Windows\system\spoolsv.exe warzonerat -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
Processes:
cmd.execmd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe -
Executes dropped EXE 6 IoCs
Processes:
explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exepid process 1780 explorer.exe 2000 explorer.exe 1600 explorer.exe 2892 spoolsv.exe 844 spoolsv.exe 1972 spoolsv.exe -
Loads dropped DLL 7 IoCs
Processes:
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exeexplorer.exespoolsv.exepid process 764 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe 764 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe 1600 explorer.exe 1600 explorer.exe 2892 spoolsv.exe 1600 explorer.exe 1600 explorer.exe -
Processes:
resource yara_rule behavioral1/memory/2032-0-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2032-30-0x0000000000400000-0x0000000000446000-memory.dmp upx C:\Windows\system\explorer.exe upx behavioral1/memory/1780-92-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/1780-134-0x0000000000400000-0x0000000000446000-memory.dmp upx C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe upx \Windows\system\spoolsv.exe upx behavioral1/memory/2892-198-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/1972-240-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2656-296-0x0000000000400000-0x0000000000446000-memory.dmp upx C:\Windows\system\spoolsv.exe upx behavioral1/memory/1928-355-0x0000000000400000-0x0000000000446000-memory.dmp upx \Windows\system\spoolsv.exe upx \Windows\system\spoolsv.exe upx \Windows\system\spoolsv.exe upx C:\Windows\system\spoolsv.exe upx C:\Windows\system\spoolsv.exe upx behavioral1/memory/2668-410-0x0000000000400000-0x0000000000446000-memory.dmp upx \Windows\system\spoolsv.exe upx -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exeexplorer.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exefd1a4389ae602d038236500becb9e716_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exedescription pid process target process PID 2032 set thread context of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 set thread context of 764 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 set thread context of 572 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe diskperf.exe PID 1780 set thread context of 2000 1780 explorer.exe explorer.exe PID 2000 set thread context of 1600 2000 explorer.exe explorer.exe PID 2000 set thread context of 1828 2000 explorer.exe diskperf.exe PID 2892 set thread context of 844 2892 spoolsv.exe spoolsv.exe -
Drops file in Windows directory 6 IoCs
Processes:
explorer.exespoolsv.exefd1a4389ae602d038236500becb9e716_JaffaCakes118.exeexplorer.exespoolsv.exedescription ioc process File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exefd1a4389ae602d038236500becb9e716_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exepid process 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe 764 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe 1780 explorer.exe 2892 spoolsv.exe 1600 explorer.exe 1600 explorer.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exefd1a4389ae602d038236500becb9e716_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exepid process 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe 764 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe 764 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe 1780 explorer.exe 1780 explorer.exe 1600 explorer.exe 1600 explorer.exe 2892 spoolsv.exe 2892 spoolsv.exe 1600 explorer.exe 1600 explorer.exe 1972 spoolsv.exe 1972 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fd1a4389ae602d038236500becb9e716_JaffaCakes118.exefd1a4389ae602d038236500becb9e716_JaffaCakes118.exefd1a4389ae602d038236500becb9e716_JaffaCakes118.exeexplorer.exedescription pid process target process PID 2032 wrote to memory of 2144 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe cmd.exe PID 2032 wrote to memory of 2144 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe cmd.exe PID 2032 wrote to memory of 2144 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe cmd.exe PID 2032 wrote to memory of 2144 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe cmd.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 2032 wrote to memory of 1164 2032 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 wrote to memory of 764 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 wrote to memory of 764 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 wrote to memory of 764 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 wrote to memory of 764 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 wrote to memory of 764 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 wrote to memory of 764 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 wrote to memory of 764 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 wrote to memory of 764 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 wrote to memory of 764 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe PID 1164 wrote to memory of 572 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe diskperf.exe PID 1164 wrote to memory of 572 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe diskperf.exe PID 1164 wrote to memory of 572 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe diskperf.exe PID 1164 wrote to memory of 572 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe diskperf.exe PID 1164 wrote to memory of 572 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe diskperf.exe PID 1164 wrote to memory of 572 1164 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe diskperf.exe PID 764 wrote to memory of 1780 764 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe explorer.exe PID 764 wrote to memory of 1780 764 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe explorer.exe PID 764 wrote to memory of 1780 764 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe explorer.exe PID 764 wrote to memory of 1780 764 fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe explorer.exe PID 1780 wrote to memory of 1900 1780 explorer.exe cmd.exe PID 1780 wrote to memory of 1900 1780 explorer.exe cmd.exe PID 1780 wrote to memory of 1900 1780 explorer.exe cmd.exe PID 1780 wrote to memory of 1900 1780 explorer.exe cmd.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe PID 1780 wrote to memory of 2000 1780 explorer.exe explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"2⤵
- Drops startup file
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"5⤵
- Drops startup file
PID:1900 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2000 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1600 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2276
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵
- Executes dropped EXE
PID:844 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:1916
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:1252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2656
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2392
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:2792
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1928
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:1080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:1924
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"8⤵PID:2240
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe8⤵PID:2932
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"6⤵PID:1828
-
C:\Windows\SysWOW64\diskperf.exe"C:\Windows\SysWOW64\diskperf.exe"3⤵PID:572
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13.0MB
MD5fd1a4389ae602d038236500becb9e716
SHA107391dfac902cf86854020fc1a869ba40c0a83ed
SHA256e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40
SHA5126e34b60c7aac1ec6b7dbdf810dc0f93a51cd2a0e9d6a337fe7db5066c42ee050d141fe1af05a289f507fff3e01a982ad69197bfbff739e8253f23a3326ed6822
-
Filesize
92B
MD513222a4bb413aaa8b92aa5b4f81d2760
SHA1268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140
-
Filesize
93B
MD58445bfa5a278e2f068300c604a78394b
SHA19fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA2565ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA5128ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822
-
Filesize
13.0MB
MD50a28678fc5256a3cc696cd7ee68e9ce6
SHA1b2a30d41a9958198178face6decebe06c708124a
SHA25686716de6c4a309f778c640c08230500f004fddf575832addb99f52330c519b06
SHA512a09ffa695591a253a38095e10cce4bbb6cf077d88cf33c3dbd16ed6f3eb2fe72f61f8fc9137b668a2053eeb7219f61d11f2cea6c99251f43f94ba5d2bfdc408d
-
Filesize
11.4MB
MD5096c2ce614a147a5c7c96baedaa50a10
SHA1560e7ccb2211276fcb2640254cb2386c7fc2fc6e
SHA256f8f72f4b558b1b8746508f8164fe3c46494bb78ea8c10cdac9ff4ce75b6cdac2
SHA51263ae893b55b25dbc2d40d23fe5f57766b984c518322d1cd2c47d64747922d7ca93b7ca8e654a1613ffca0b79e1b8d78609e400303d12dab4a3c86a5dad9ba2ed
-
Filesize
1.7MB
MD567a965e20c4f6f7875a0bd59cef3f072
SHA163b5531a8bd5c1c657ebc391f673cf8d2d2d3002
SHA256ee97b476510eee782287725e0aefff7a14d21d75b51beddabecd06c70caf3bfe
SHA5124755214fabe424f54f8bd82dda9840f3cf0cc2109feaf58f21265aad452ebaebfc4ae5d51c0c3e0c1cff714af9faaecd338e40ff7eeda2cfd03901866ce9227c
-
Filesize
4.2MB
MD5d2beec20d78a80ad3eba9a4c33683ac0
SHA16d3b4e890631cc9fa9792315d4ad45492ec2b54d
SHA256f009e4b01923bd6b961929499abe69a0bcdf0ed840b3e84449dc32304063049e
SHA512b96e0e7faf6192002313a2af635806c581c8ea16e4ab60030a6af3b4d0aba077df559b86fbff4d46c8da316b39ffaa190ca06fc448f2153e1c5d8c340beb75e9
-
Filesize
13.0MB
MD5b96b2fcc2a91c145d5dcc419c717f51a
SHA151f68b78e818a304ffcaadf37e743713ac3b2de8
SHA25691af657ea44058f4e56a7635be9df8ccbc2bbc96ddf70ddafda87f5a936402ed
SHA5121c61524d1eac6e474dbaaef76b394499f31f5b0c867442756c29c2c0691403f8d866f52869af57b9615342ad35d5e5be51b93183a27e5c1885e6ce803594cf1c
-
Filesize
9.0MB
MD54a7bee372a85993ec48738d126983448
SHA102068f0cbbdeab13175623cfd51415b3c2bfc46c
SHA25611030f1dca04385b1c22b1178eb6bbb3b3fcf44cccd1739de8000ef1b09887ea
SHA5127c8f20f90795a2eb00c637c64d40a3fc2d5c9d9619f4ec3bd5b4f8b86b7602a6c9e79bc97a843eb32d6620c3cdcbe6ed2a85752f0dae0a9fa890f27abc245926
-
Filesize
5.5MB
MD53629a8555a44b8a9ae27032ddf110395
SHA1c997c261438c87e45575a5040972037398b0b4a5
SHA256f263d356db73f49f1e339f8d9928727bb47cf889bdb1e52ee414f3a5a4db57af
SHA5127f15d8685c9215f92dcaebc7388a0fa11bc05dfb3aacd66c1b495aa8ecef0a8c8ed8ab9df2283702044dc9ae4a775d4ed5c454a296a1e8b6d210a8c92fd0ed76
-
Filesize
5.0MB
MD5a44393f5b245e44c0c217d3f177ea7ab
SHA10f4dd280eec9cc5f0b2df50a9eb6fe8e008b6c61
SHA2566c614746e9f60716d09c9523ca7b62af021ee1f43a3042dd91b2310a8bea4ade
SHA51267a4ff0dce71247e73d57804dbbdd61ff6aa78ecd904852e0767ba934913efbe033f3af281eeb0632fa34c3df0b4e28ee14723135e2c205b04bd93a3dcd1472e
-
Filesize
576KB
MD5fcb24441fd64fe17f85a4387f8cab4da
SHA1907eae02a8da423afe25325bbb65e0e214be47a8
SHA256a7f35cae5fbc5eb5f7b944455ce0fe15b01cc42f330c1e27942aad93e0625150
SHA512563e17f0793f0b418425c42dba57197ecd924d7813109234477c6d1fcb0ccb77653f50086db7e1f0061c0a0e325f90428f2a7bb1e303e90a88e604356a9c7d93