Analysis
- max time kernel: 112s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 12:29
Behavioral task: behavioral1
- Sample: a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
- Size: 2.2MB
- MD5: a0abe7af61915fedabaa3f98e9eb520d
- SHA1: a8d00203720741cd418470ee621d8d697148ba63
- SHA256: 174e5724b54356217b5756d4ffe3b12d151770d7ade470c7d81d03c22372b7ba
- SHA512: 91e7fe48fb8e6dff98276115eb61a79c46769eda70d84d3a34eb32453bc759c1fc25cb6b9e5dc42e81895e93b0049c5fff37ebe17eaae7584e8b9419136bd5b2
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZN:0UzeyQMS4DqodCnoe+iitjWwwZ
Malware Config
Extracted: pony
- http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (2 IoCs)
Processes: a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
Executes dropped EXE (25 IoCs)
Processes: explorer.exe, spoolsv.exe
pid | process
4564 | explorer.exe
640 | explorer.exe
1708 | spoolsv.exe
4896 | spoolsv.exe
4704 | spoolsv.exe
2172 | spoolsv.exe
1572 | spoolsv.exe
4464 | spoolsv.exe
3488 | spoolsv.exe
4204 | spoolsv.exe
3616 | spoolsv.exe
3032 | spoolsv.exe
2340 | spoolsv.exe
1772 | spoolsv.exe
1916 | spoolsv.exe
1892 | explorer.exe
4616 | spoolsv.exe
2992 | spoolsv.exe
2748 | explorer.exe
4492 | spoolsv.exe
2756 | spoolsv.exe
1816 | spoolsv.exe
4300 | spoolsv.exe
3944 | explorer.exe
3812 | spoolsv.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext (6 IoCs)
Processes: a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe, explorer.exe, spoolsv.exe
description | pid | process | target process
PID 3684 set thread context of 2228 | 3684 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
PID 4564 set thread context of 640 | 4564 | explorer.exe | explorer.exe
PID 1708 set thread context of 1916 | 1708 | spoolsv.exe | spoolsv.exe
PID 4896 set thread context of 2992 | 4896 | spoolsv.exe | spoolsv.exe
PID 4704 set thread context of 2756 | 4704 | spoolsv.exe | spoolsv.exe
PID 2172 set thread context of 4300 | 2172 | spoolsv.exe | spoolsv.exe
Drops file in Windows directory (22 IoCs)
Processes: spoolsv.exe, a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe, explorer.exe
description | ioc | process
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Processes: a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe, explorer.exe
pid | process
2228 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
2228 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
Processes: a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe, explorer.exe, spoolsv.exe
pid | process
2228 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
2228 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
640 | explorer.exe
1916 | spoolsv.exe
1916 | spoolsv.exe
2992 | spoolsv.exe
2992 | spoolsv.exe
2756 | spoolsv.exe
2756 | spoolsv.exe
4300 | spoolsv.exe
4300 | spoolsv.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe, explorer.exe, spoolsv.exe
description | pid | process | target process
PID 3684 wrote to memory of 3352 | 3684 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | splwow64.exe
PID 3684 wrote to memory of 3352 | 3684 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | splwow64.exe
PID 3684 wrote to memory of 2228 | 3684 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
PID 3684 wrote to memory of 2228 | 3684 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
PID 3684 wrote to memory of 2228 | 3684 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
PID 3684 wrote to memory of 2228 | 3684 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
PID 3684 wrote to memory of 2228 | 3684 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe
PID 2228 wrote to memory of 4564 | 2228 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | explorer.exe
PID 2228 wrote to memory of 4564 | 2228 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | explorer.exe
PID 2228 wrote to memory of 4564 | 2228 | a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe | explorer.exe
PID 4564 wrote to memory of 640 | 4564 | explorer.exe | explorer.exe
PID 4564 wrote to memory of 640 | 4564 | explorer.exe | explorer.exe
PID 4564 wrote to memory of 640 | 4564 | explorer.exe | explorer.exe
PID 4564 wrote to memory of 640 | 4564 | explorer.exe | explorer.exe
PID 4564 wrote to memory of 640 | 4564 | explorer.exe | explorer.exe
PID 640 wrote to memory of 1708 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 1708 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 1708 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4896 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4896 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4896 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4704 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4704 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4704 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 2172 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 2172 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 2172 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 1572 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 1572 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 1572 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4464 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4464 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4464 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 3488 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 3488 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 3488 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4204 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4204 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4204 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 3616 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 3616 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 3616 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 3032 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 3032 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 3032 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 2340 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 2340 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 2340 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 1772 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 1772 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 1772 | 640 | explorer.exe | spoolsv.exe
PID 1708 wrote to memory of 1916 | 1708 | spoolsv.exe | spoolsv.exe
PID 1708 wrote to memory of 1916 | 1708 | spoolsv.exe | spoolsv.exe
PID 1708 wrote to memory of 1916 | 1708 | spoolsv.exe | spoolsv.exe
PID 1708 wrote to memory of 1916 | 1708 | spoolsv.exe | spoolsv.exe
PID 1708 wrote to memory of 1916 | 1708 | spoolsv.exe | spoolsv.exe
PID 1916 wrote to memory of 1892 | 1916 | spoolsv.exe | explorer.exe
PID 1916 wrote to memory of 1892 | 1916 | spoolsv.exe | explorer.exe
PID 1916 wrote to memory of 1892 | 1916 | spoolsv.exe | explorer.exe
PID 640 wrote to memory of 4616 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4616 | 640 | explorer.exe | spoolsv.exe
PID 640 wrote to memory of 4616 | 640 | explorer.exe | spoolsv.exe
PID 4896 wrote to memory of 2992 | 4896 | spoolsv.exe | spoolsv.exe
PID 4896 wrote to memory of 2992 | 4896 | spoolsv.exe | spoolsv.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe (PID 3684)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\splwow64.exe (PID 3352)
    cmdline: C:\Windows\splwow64.exe 12288
[2] C:\Users\Admin\AppData\Local\Temp\a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe (PID 2228)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a0abe7af61915fedabaa3f98e9eb520d_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[3] \??\c:\windows\system\explorer.exe (PID 4564)
    cmdline: c:\windows\system\explorer.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
[4] \??\c:\windows\system\explorer.exe (PID 640)
    cmdline: "c:\windows\system\explorer.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[5] \??\c:\windows\system\spoolsv.exe (PID 1708)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
[6] \??\c:\windows\system\spoolsv.exe (PID 1916)
    cmdline: "c:\windows\system\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[7] \??\c:\windows\system\explorer.exe (PID 1892)
    cmdline: c:\windows\system\explorer.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[8] \??\c:\windows\system\explorer.exe (PID 2612)
    cmdline: "c:\windows\system\explorer.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 4896)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
[6] \??\c:\windows\system\spoolsv.exe (PID 2992)
    cmdline: "c:\windows\system\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[7] \??\c:\windows\system\explorer.exe (PID 2748)
    cmdline: c:\windows\system\explorer.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[8] \??\c:\windows\system\explorer.exe (PID 1400)
    cmdline: "c:\windows\system\explorer.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 4704)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 2756)
    cmdline: "c:\windows\system\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe (PID 2172)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 4300)
    cmdline: "c:\windows\system\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[7] \??\c:\windows\system\explorer.exe (PID 3944)
    cmdline: c:\windows\system\explorer.exe
    - Executes dropped EXE
[8] \??\c:\windows\system\explorer.exe (PID 3804)
    cmdline: "c:\windows\system\explorer.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 1572)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 2724)
    cmdline: "c:\windows\system\spoolsv.exe"
[7] \??\c:\windows\system\explorer.exe (PID 3584)
    cmdline: c:\windows\system\explorer.exe
[8] \??\c:\windows\system\explorer.exe (PID 1324)
    cmdline: "c:\windows\system\explorer.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 4464)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 4256)
    cmdline: "c:\windows\system\spoolsv.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 3488)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 1484)
    cmdline: "c:\windows\system\spoolsv.exe"
[7] \??\c:\windows\system\explorer.exe (PID 2068)
    cmdline: c:\windows\system\explorer.exe
[8] \??\c:\windows\system\explorer.exe (PID 1988)
    cmdline: "c:\windows\system\explorer.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 4204)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 4372)
    cmdline: "c:\windows\system\spoolsv.exe"
[7] \??\c:\windows\system\explorer.exe (PID 3512)
    cmdline: c:\windows\system\explorer.exe
[8] \??\c:\windows\system\explorer.exe (PID 1384)
    cmdline: "c:\windows\system\explorer.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 3616)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 2736)
    cmdline: "c:\windows\system\spoolsv.exe"
[7] \??\c:\windows\system\explorer.exe (PID 4668)
    cmdline: c:\windows\system\explorer.exe
[5] \??\c:\windows\system\spoolsv.exe (PID 3032)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 2264)
    cmdline: "c:\windows\system\spoolsv.exe"
[7] \??\c:\windows\system\explorer.exe (PID 4564)
    cmdline: c:\windows\system\explorer.exe
[5] \??\c:\windows\system\spoolsv.exe (PID 2340)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 4324)
    cmdline: "c:\windows\system\spoolsv.exe"
[7] \??\c:\windows\system\explorer.exe (PID 1904)
    cmdline: c:\windows\system\explorer.exe
[5] \??\c:\windows\system\spoolsv.exe (PID 1772)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 2392)
    cmdline: "c:\windows\system\spoolsv.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 4616)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 5036)
    cmdline: "c:\windows\system\spoolsv.exe"
[7] \??\c:\windows\system\explorer.exe (PID 4908)
    cmdline: c:\windows\system\explorer.exe
[5] \??\c:\windows\system\spoolsv.exe (PID 4492)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 2848)
    cmdline: "c:\windows\system\spoolsv.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 1816)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe (PID 4612)
    cmdline: "c:\windows\system\spoolsv.exe"
[7] \??\c:\windows\system\explorer.exe (PID 1564)
    cmdline: c:\windows\system\explorer.exe
[5] \??\c:\windows\system\spoolsv.exe (PID 3812)
    cmdline: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
[6] \??\c:\windows\system\spoolsv.exe (PID 2140)
    cmdline: "c:\windows\system\spoolsv.exe"
[7] \??\c:\windows\system\explorer.exe (PID 4180)
    cmdline: c:\windows\system\explorer.exe
[5] \??\c:\windows\system\spoolsv.exe (PID 116)
    cmdline: c:\windows\system\spoolsv.exe SE
[6] \??\c:\windows\system\spoolsv.exe (PID 3008)
    cmdline: "c:\windows\system\spoolsv.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 1264)
    cmdline: c:\windows\system\spoolsv.exe SE
[6] \??\c:\windows\system\spoolsv.exe (PID 4900)
    cmdline: "c:\windows\system\spoolsv.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 2544)
    cmdline: c:\windows\system\spoolsv.exe SE
[6] \??\c:\windows\system\spoolsv.exe (PID 3124)
    cmdline: "c:\windows\system\spoolsv.exe"
[7] \??\c:\windows\system\explorer.exe (PID 1688)
    cmdline: c:\windows\system\explorer.exe
[5] \??\c:\windows\system\spoolsv.exe (PID 1752)
    cmdline: c:\windows\system\spoolsv.exe SE
[6] \??\c:\windows\system\spoolsv.exe (PID 4444)
    cmdline: "c:\windows\system\spoolsv.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 4928)
    cmdline: c:\windows\system\spoolsv.exe SE
[6] \??\c:\windows\system\spoolsv.exe (PID 4292)
    cmdline: "c:\windows\system\spoolsv.exe"
[5] \??\c:\windows\system\spoolsv.exe (PID 2940)
    cmdline: c:\windows\system\spoolsv.exe SE
[5] \??\c:\windows\system\spoolsv.exe (PID 3400)
    cmdline: c:\windows\system\spoolsv.exe SE
[5] \??\c:\windows\system\spoolsv.exe (PID 540)
    cmdline: c:\windows\system\spoolsv.exe SE
[5] \??\c:\windows\system\spoolsv.exe (PID 3144)
    cmdline: c:\windows\system\spoolsv.exe SE
[5] \??\c:\windows\system\spoolsv.exe (PID 8)
    cmdline: c:\windows\system\spoolsv.exe SE
[5] \??\c:\windows\system\spoolsv.exe (PID 4768)
    cmdline: c:\windows\system\spoolsv.exe SE
[5] \??\c:\windows\system\spoolsv.exe (PID 3480)
    cmdline: c:\windows\system\spoolsv.exe SE
[5] \??\c:\windows\system\spoolsv.exe (PID 4028)
    cmdline: c:\windows\system\spoolsv.exe SE
[5] \??\c:\windows\system\spoolsv.exe (PID 4388)
    cmdline: c:\windows\system\spoolsv.exe SE
[5] \??\c:\windows\system\spoolsv.exe (PID 952)
    cmdline: c:\windows\system\spoolsv.exe SE
[1] C:\Windows\system32\svchost.exe (PID 1284)
    cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4084)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads