Analysis
max time kernel: 108s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 12:06
Behavioral task: behavioral1
Sample: a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe
Resource: win7-20231129-en
General
Target: a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe
Size: 2.2MB
MD5: a09c0a33fd198d53ea0485adf47745f7
SHA1: 6454a550b9fd44e1209afa7a4806b3dbda2bd9a5
SHA256: ffb777fe82fee6b6e11f705379559997666f554b1523c7a9e7a08674c52c0dbc
SHA512: 0d0ef5c181692be99e6dc48f3dac492a497369e367f6a3964099986f054ddf5446854a52f36549f41dfce4c49e71eed84e42390197ad1f65e6406a2025a97317
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZf:0UzeyQMS4DqodCnoe+iitjWww7
Malware Config
Extracted: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"

Drops startup file (2 IoCs)
  a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe
  a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe

Executes dropped EXE (16 IoCs)
  explorer.exe: PID 4040, 1976
  spoolsv.exe: PID 1504, 1184, 8, 1364, 2992, 3164, 3020, 2360, 1328, 408, 5064, 2284, 116, 4216

Adds Run key to start application (2 TTPs, 2 IoCs)
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"

Suspicious use of SetThreadContext (2 IoCs)
  PID 4888 (a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe) set thread context of PID 5100 (a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe)
  PID 4040 (explorer.exe) set thread context of PID 1976 (explorer.exe)

Drops file in Windows directory (18 IoCs)
  a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe: File opened for modification C:\Windows\Parameters.ini
  a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe: File opened for modification \??\c:\windows\system\explorer.exe
  spoolsv.exe: File opened for modification C:\Windows\Parameters.ini (13 entries)
  explorer.exe: File opened for modification C:\Windows\Parameters.ini
  explorer.exe: File opened for modification \??\c:\windows\system\spoolsv.exe
  explorer.exe: File opened for modification \??\c:\windows\system\explorer.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  PID 5100 a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe (2 entries)
  PID 1976 explorer.exe (28 entries)

Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 5100 a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe (2 entries)
  PID 1976 explorer.exe (4 entries)

Suspicious use of WriteProcessMemory (57 IoCs)
  PID 4888 (a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe) wrote to memory of PID 3112 (splwow64.exe): 2 entries
  PID 4888 (a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe) wrote to memory of PID 5100 (a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe): 5 entries
  PID 5100 (a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe) wrote to memory of PID 4040 (explorer.exe): 3 entries
  PID 4040 (explorer.exe) wrote to memory of PID 1976 (explorer.exe): 5 entries
  PID 1976 (explorer.exe) wrote to memory of each spoolsv.exe child, 3 entries per target, targets PID 1504, 1184, 8, 1364, 2992, 3164, 3020, 2360, 1328, 408, 5064, 2284, 116, 4216
Processes
Each node shows the PID and the command line as recorded; the dropped copies run from the image paths \??\c:\windows\system\explorer.exe and \??\c:\windows\system\spoolsv.exe.

- PID 4888: "C:\Users\Admin\AppData\Local\Temp\a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe"
  Signatures: Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - PID 3112: C:\Windows\splwow64.exe 12288
  - PID 5100: "C:\Users\Admin\AppData\Local\Temp\a09c0a33fd198d53ea0485adf47745f7_JaffaCakes118.exe"
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 4040: c:\windows\system\explorer.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - PID 1976: "c:\windows\system\explorer.exe"
        Signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - PID 1504: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 2304: "c:\windows\system\spoolsv.exe"
            - PID 2880: c:\windows\system\explorer.exe
              - PID 4012: "c:\windows\system\explorer.exe"
        - PID 1184: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 4340: "c:\windows\system\spoolsv.exe"
        - PID 8: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 1152: "c:\windows\system\spoolsv.exe"
        - PID 1364: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 2336: "c:\windows\system\spoolsv.exe"
        - PID 2992: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 4712: "c:\windows\system\spoolsv.exe"
        - PID 3164: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 4928: "c:\windows\system\spoolsv.exe"
        - PID 3020: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 1260: "c:\windows\system\spoolsv.exe"
        - PID 2360: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 4428: "c:\windows\system\spoolsv.exe"
            - PID 4180: c:\windows\system\explorer.exe
        - PID 1328: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 4956: "c:\windows\system\spoolsv.exe"
            - PID 4328: c:\windows\system\explorer.exe
        - PID 408: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 4684: "c:\windows\system\spoolsv.exe"
            - PID 2240: c:\windows\system\explorer.exe
        - PID 5064: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 3972: "c:\windows\system\spoolsv.exe"
            - PID 4756: c:\windows\system\explorer.exe
        - PID 2284: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 3736: "c:\windows\system\spoolsv.exe"
            - PID 1524: c:\windows\system\explorer.exe
        - PID 116: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE; Drops file in Windows directory
          - PID 1032: "c:\windows\system\spoolsv.exe"
            - PID 4632: c:\windows\system\explorer.exe
        - PID 4216: c:\windows\system\spoolsv.exe SE
          Signatures: Executes dropped EXE
          - PID 1044: "c:\windows\system\spoolsv.exe"
            - PID 4352: c:\windows\system\explorer.exe
        - PID 1216: c:\windows\system\spoolsv.exe SE
          - PID 5228: "c:\windows\system\spoolsv.exe"
            - PID 5296: c:\windows\system\explorer.exe
        - PID 2628: c:\windows\system\spoolsv.exe SE
          - PID 5552: "c:\windows\system\spoolsv.exe"
        - PID 1360: c:\windows\system\spoolsv.exe SE
          - PID 5244: "c:\windows\system\spoolsv.exe"
            - PID 5364: c:\windows\system\explorer.exe
        - PID 1308: c:\windows\system\spoolsv.exe SE
          - PID 5380: "c:\windows\system\spoolsv.exe"
            - PID 5492: c:\windows\system\explorer.exe
        - c:\windows\system\spoolsv.exe SE, no children recorded, one instance each: PID 3400, 2572, 4144, 3444, 3100, 3784, 4936, 3308, 4424, 852, 4984, 5012, 3484, 1192, 4060, 5476, 6112, 5192, 5668, 4484
- PID 4084: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- PID 1452: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
MITRE ATT&CK Enterprise v15
- Persistence: Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
- Privilege Escalation: Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)