Analysis
- max time kernel: 112s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 10:51

Behavioral task: behavioral1
- Sample: a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe
- Size: 2.2MB
- MD5: a06492990431c2fe36f08f3c0ed27608
- SHA1: 825d96a17c67da489b28bfa4d94c54d0d9daf927
- SHA256: 76de626c5c3dff0ad104890393d15098828afd434d6363356b1b63b2fde54427
- SHA512: 0f227f120ae3a6b849a018b8e209c3747b1ad403cb72ab7354655f20d6bc9834ee8cddc65b9f08967726ed38e8f0b414439f26146475473e44454b799a062a58
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ0:0UzeyQMS4DqodCnoe+iitjWwwo
Malware Config
Extracted
- Family: pony
- http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe

- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe

- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe

- Drops startup file (2 IoCs)
  Processes: a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe

- Executes dropped EXE (20 IoCs)
  Processes: explorer.exe, spoolsv.exe
  pid | process
  4036 | explorer.exe
  3852 | explorer.exe
  4928 | spoolsv.exe
  4256 | spoolsv.exe
  1568 | spoolsv.exe
  4632 | spoolsv.exe
  4140 | spoolsv.exe
  2160 | spoolsv.exe
  3848 | spoolsv.exe
  3708 | spoolsv.exe
  3272 | spoolsv.exe
  4968 | spoolsv.exe
  4696 | spoolsv.exe
  2932 | spoolsv.exe
  3896 | spoolsv.exe
  1744 | explorer.exe
  1776 | spoolsv.exe
  1872 | spoolsv.exe
  1660 | explorer.exe
  2912 | spoolsv.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe

- Suspicious use of SetThreadContext (4 IoCs)
  Processes: a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe, explorer.exe, spoolsv.exe
  description | pid | process | target process
  PID 652 set thread context of 4596 | 652 | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe
  PID 4036 set thread context of 3852 | 4036 | explorer.exe | explorer.exe
  PID 4928 set thread context of 3896 | 4928 | spoolsv.exe | spoolsv.exe
  PID 4256 set thread context of 1872 | 4256 | spoolsv.exe | spoolsv.exe

- Drops file in Windows directory (19 IoCs; identical rows collapsed, count in parentheses)
  Processes: spoolsv.exe, a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe, explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (13)
  File opened for modification | C:\Windows\Parameters.ini | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe (1)
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe (2)
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe (1)
  File opened for modification | \??\c:\windows\system\explorer.exe | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe (1)
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe (1)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (30 IoCs; identical rows collapsed)
  Processes: a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe, explorer.exe
  pid | process
  4596 | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe (2)
  3852 | explorer.exe (28)

- Suspicious use of SetWindowsHookEx (10 IoCs; identical rows collapsed)
  Processes: a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe, explorer.exe, spoolsv.exe
  pid | process
  4596 | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe (2)
  3852 | explorer.exe (4)
  3896 | spoolsv.exe (2)
  1872 | spoolsv.exe (2)

- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed)
  Processes: a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe, explorer.exe, spoolsv.exe
  description | pid | process | target process
  PID 652 wrote to memory of 4780 | 652 | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe | splwow64.exe (2)
  PID 652 wrote to memory of 4596 | 652 | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe (5)
  PID 4596 wrote to memory of 4036 | 4596 | a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe | explorer.exe (3)
  PID 4036 wrote to memory of 3852 | 4036 | explorer.exe | explorer.exe (5)
  PID 3852 wrote to memory of 4928 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 4256 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 1568 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 4632 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 4140 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 2160 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 3848 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 3708 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 3272 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 4968 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 4696 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 3852 wrote to memory of 2932 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 4928 wrote to memory of 3896 | 4928 | spoolsv.exe | spoolsv.exe (5)
  PID 3896 wrote to memory of 1744 | 3896 | spoolsv.exe | explorer.exe (3)
  PID 3852 wrote to memory of 1776 | 3852 | explorer.exe | spoolsv.exe (3)
  PID 4256 wrote to memory of 1872 | 4256 | spoolsv.exe | spoolsv.exe (2)
Processes (parent/child tree; indentation shows nesting depth, each entry is PID | image path | command line)
- PID:652 | C:\Users\Admin\AppData\Local\Temp\a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe"
  signatures: Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - PID:4780 | C:\Windows\splwow64.exe | C:\Windows\splwow64.exe 12288
  - PID:4596 | C:\Users\Admin\AppData\Local\Temp\a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a06492990431c2fe36f08f3c0ed27608_JaffaCakes118.exe"
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID:4036 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - PID:3852 | \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe"
        signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - PID:4928 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
          - PID:3896 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - PID:1744 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
              signatures: Executes dropped EXE; Drops file in Windows directory
              - PID:4004 | \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe"
        - PID:4256 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
          - PID:1872 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - PID:1660 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
              signatures: Executes dropped EXE
              - PID:3104 | \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe"
        - PID:1568 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:3560 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            - PID:1656 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
              - PID:4688 | \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe"
        - PID:4632 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:2044 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            - PID:220 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
              - PID:224 | \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe"
        - PID:4140 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:3612 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
        - PID:2160 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:2468 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            - PID:3468 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
              - PID:3668 | \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe"
        - PID:3848 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:3248 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            - PID:2792 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
        - PID:3708 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:4356 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            - PID:3932 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
        - PID:3272 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:2428 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            - PID:2172 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
        - PID:4968 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:1796 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            - PID:2560 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
        - PID:4696 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:1820 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
        - PID:2932 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:2472 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            - PID:4912 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
        - PID:1776 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          - PID:2392 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
        - PID:2912 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE
          - PID:3020 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
        - PID:1708 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          - PID:1412 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
            - PID:2548 | \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
        - PID:2444 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          - PID:5024 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
        - PID:1612 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          - PID:1300 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
        - PID:2500 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
          - PID:4896 | \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe"
        - PID:3396 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
        - PID:652 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
        - PID:1768 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
        - PID:552 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
        - PID:4400 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
        - PID:4796 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
        - PID:4080 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
        - PID:2116 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
        - PID:1228 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
        - PID:5016 | \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
- PID:4112 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- PID:2952 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
tactic | technique | count
Persistence | Boot or Logon Autostart Execution | 3
Persistence | Registry Run Keys / Startup Folder | 2
Persistence | Winlogon Helper DLL | 1
Privilege Escalation | Boot or Logon Autostart Execution | 3
Privilege Escalation | Registry Run Keys / Startup Folder | 2
Privilege Escalation | Winlogon Helper DLL | 1
Downloads
- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize: 2.2MB
  MD5: 9e8f99ccacb3387289e26dba30e7284e
  SHA1: ed55b5cab469f500db1768a3a3ff900d4e46ccc8
  SHA256: 85a0c2a5a8c1c4d935fd31f721c953e62eef83d8052f6ec00c065c0afbf59ee9
  SHA512: 968c1183846c3fd870e70e81f8c8b05b212326507adb428040d476138c57598f4fac533b677f436c50c57ea25c3f89df969faf85dc00574633cf6b37652515a3
- Filesize: 2.2MB
  MD5: 20d972ca997f89c4162e885a8cf389b3
  SHA1: b50d4b42506406998e30a6728e0e00e1bcae9d91
  SHA256: 1631157d0e1adbd867f9fc16f029a4942af30ac00e3e54bc7c5dc3e548c243e7
  SHA512: de6664a93eca6efe36e9bbeaa78e87f3ca7d20f89522d1b6ea530c9bfe4929f32e8c38e253b7ea7986792004ece853c036e6ef080f3951d4a4bc0c9328835045