azorult | 47c778403ce04173c50f686ad986b977e9e5048f3505fd1922e93c4ddee11727

Analysis

max time kernel
150s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
Size

1.9MB
MD5

b1d2c6a081a911db6157479403f6b279
SHA1

63983454fcf3e5c8d4adad7566b1048922819164
SHA256

47c778403ce04173c50f686ad986b977e9e5048f3505fd1922e93c4ddee11727
SHA512

0c7847a5dc144a5a293d57e2aad923adbfcb48afb91374d76d1800b4868863bf18606dfdb9c0453f5d3bc20594b324c8a6f131f5c59416b7c574442b4edf80b3
SSDEEP

24576:+HZQS+B2kOVzDiaEwWWoFxUt0ChpFd0hjxx7Rr10:LgVTWWpt7pFd0DxB10

Score

10^/10

azorult evasion infostealer persistence trojan upx

Malware Config

Extracted

Family

azorult

http://23.94.253.127/sky/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 59 IoCs

pid	Process
4880	b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe
4468	icsys.icn.exe
4540	icsys.icn.exe
4044	explorer.exe
1092	explorer.exe
4964	spoolsv.exe
3024	spoolsv.exe
516	spoolsv.exe
4720	spoolsv.exe
1432	spoolsv.exe
3008	spoolsv.exe
3476	spoolsv.exe
4780	spoolsv.exe
1960	spoolsv.exe
3012	spoolsv.exe
1276	spoolsv.exe
4736	spoolsv.exe
1928	spoolsv.exe
2928	spoolsv.exe
2204	spoolsv.exe
3508	spoolsv.exe
2644	spoolsv.exe
556	spoolsv.exe
4400	spoolsv.exe
884	spoolsv.exe
4904	spoolsv.exe
5020	spoolsv.exe
2308	spoolsv.exe
4628	spoolsv.exe
1228	spoolsv.exe
3540	spoolsv.exe
4084	spoolsv.exe
2516	spoolsv.exe
1984	spoolsv.exe
3440	spoolsv.exe
4252	spoolsv.exe
2012	spoolsv.exe
3152	spoolsv.exe
3280	spoolsv.exe
2528	spoolsv.exe
4456	spoolsv.exe
2924	spoolsv.exe
3108	spoolsv.exe
3292	spoolsv.exe
2944	spoolsv.exe
1312	spoolsv.exe
3260	spoolsv.exe
4988	spoolsv.exe
3812	spoolsv.exe
2512	spoolsv.exe
3500	spoolsv.exe
2480	spoolsv.exe
3792	spoolsv.exe
4468	spoolsv.exe
5032	spoolsv.exe
4892	spoolsv.exe
2260	spoolsv.exe
1580	spoolsv.exe
2008	spoolsv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3404-0-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3404-2-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3404-6-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3404-13-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/files/0x0007000000023433-23.dat	upx
behavioral2/memory/4468-27-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4468-31-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/files/0x000900000002342f-42.dat	upx
behavioral2/memory/4468-46-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/files/0x000800000002343e-51.dat	upx
behavioral2/memory/4044-56-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4044-59-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4044-71-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/files/0x000800000002343f-77.dat	upx
behavioral2/memory/4964-78-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3024-82-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/1276-93-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4964-92-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4736-96-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3024-95-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/516-98-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/1928-99-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4720-101-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2204-104-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/1432-103-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3008-106-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3476-108-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/556-111-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4780-110-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/1960-113-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4400-114-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3012-116-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/884-117-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/1276-119-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4904-120-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4736-122-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/1928-124-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2928-126-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/1228-129-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2204-128-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3508-131-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2644-133-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/556-135-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4400-137-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/884-139-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4904-141-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/5020-143-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2012-144-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2308-146-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4628-148-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2528-151-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/1228-150-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3540-153-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4084-155-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2924-156-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2516-158-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3292-161-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/1984-160-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3440-163-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/4252-165-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/2012-167-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3260-168-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3152-170-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral2/memory/3280-172-0x0000000000400000-0x00000000005D5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\MiniCalc.exe"	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\MiniCalc.exe"	icsys.icn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\MiniCalc.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3404 set thread context of 4192	3404	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	87
PID 4468 set thread context of 4540	4468	icsys.icn.exe	95
PID 4044 set thread context of 1092	4044	explorer.exe	97

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4540	icsys.icn.exe
4540	icsys.icn.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4192	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
4192	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
4540	icsys.icn.exe
4540	icsys.icn.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe
1092	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4192	3404	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	87
PID 3404 wrote to memory of 4192	3404	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	87
PID 3404 wrote to memory of 4192	3404	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	87
PID 3404 wrote to memory of 4192	3404	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	87
PID 3404 wrote to memory of 4192	3404	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	87
PID 3404 wrote to memory of 4192	3404	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	87
PID 3404 wrote to memory of 4192	3404	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	87
PID 3404 wrote to memory of 4192	3404	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	87
PID 4192 wrote to memory of 4880	4192	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	88
PID 4192 wrote to memory of 4880	4192	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	88
PID 4192 wrote to memory of 4880	4192	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	88
PID 4192 wrote to memory of 4468	4192	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	94
PID 4192 wrote to memory of 4468	4192	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	94
PID 4192 wrote to memory of 4468	4192	b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe	94
PID 4468 wrote to memory of 4540	4468	icsys.icn.exe	95
PID 4468 wrote to memory of 4540	4468	icsys.icn.exe	95
PID 4468 wrote to memory of 4540	4468	icsys.icn.exe	95
PID 4468 wrote to memory of 4540	4468	icsys.icn.exe	95
PID 4468 wrote to memory of 4540	4468	icsys.icn.exe	95
PID 4468 wrote to memory of 4540	4468	icsys.icn.exe	95
PID 4468 wrote to memory of 4540	4468	icsys.icn.exe	95
PID 4468 wrote to memory of 4540	4468	icsys.icn.exe	95
PID 4540 wrote to memory of 4044	4540	icsys.icn.exe	96
PID 4540 wrote to memory of 4044	4540	icsys.icn.exe	96
PID 4540 wrote to memory of 4044	4540	icsys.icn.exe	96
PID 4044 wrote to memory of 1092	4044	explorer.exe	97
PID 4044 wrote to memory of 1092	4044	explorer.exe	97
PID 4044 wrote to memory of 1092	4044	explorer.exe	97
PID 4044 wrote to memory of 1092	4044	explorer.exe	97
PID 4044 wrote to memory of 1092	4044	explorer.exe	97
PID 4044 wrote to memory of 1092	4044	explorer.exe	97
PID 4044 wrote to memory of 1092	4044	explorer.exe	97
PID 4044 wrote to memory of 1092	4044	explorer.exe	97
PID 1092 wrote to memory of 4964	1092	explorer.exe	98
PID 1092 wrote to memory of 4964	1092	explorer.exe	98
PID 1092 wrote to memory of 4964	1092	explorer.exe	98
PID 1092 wrote to memory of 3024	1092	explorer.exe	99
PID 1092 wrote to memory of 3024	1092	explorer.exe	99
PID 1092 wrote to memory of 3024	1092	explorer.exe	99
PID 1092 wrote to memory of 516	1092	explorer.exe	100
PID 1092 wrote to memory of 516	1092	explorer.exe	100
PID 1092 wrote to memory of 516	1092	explorer.exe	100
PID 1092 wrote to memory of 4720	1092	explorer.exe	101
PID 1092 wrote to memory of 4720	1092	explorer.exe	101
PID 1092 wrote to memory of 4720	1092	explorer.exe	101
PID 1092 wrote to memory of 1432	1092	explorer.exe	102
PID 1092 wrote to memory of 1432	1092	explorer.exe	102
PID 1092 wrote to memory of 1432	1092	explorer.exe	102
PID 1092 wrote to memory of 3008	1092	explorer.exe	103
PID 1092 wrote to memory of 3008	1092	explorer.exe	103
PID 1092 wrote to memory of 3008	1092	explorer.exe	103
PID 1092 wrote to memory of 3476	1092	explorer.exe	104
PID 1092 wrote to memory of 3476	1092	explorer.exe	104
PID 1092 wrote to memory of 3476	1092	explorer.exe	104
PID 1092 wrote to memory of 4780	1092	explorer.exe	105
PID 1092 wrote to memory of 4780	1092	explorer.exe	105
PID 1092 wrote to memory of 4780	1092	explorer.exe	105
PID 1092 wrote to memory of 1960	1092	explorer.exe	106
PID 1092 wrote to memory of 1960	1092	explorer.exe	106
PID 1092 wrote to memory of 1960	1092	explorer.exe	106
PID 1092 wrote to memory of 3012	1092	explorer.exe	107
PID 1092 wrote to memory of 3012	1092	explorer.exe	107
PID 1092 wrote to memory of 3012	1092	explorer.exe	107
PID 1092 wrote to memory of 1276	1092	explorer.exe	108

C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4192
- - \??\c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe
    c:\users\admin\appdata\local\temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe
    3⤵
    - Executes dropped EXE
    PID:4880
- - C:\Users\Admin\AppData\Local\icsys.icn.exe
    C:\Users\Admin\AppData\Local\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4540
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3024
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1432
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4736
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2204
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3508
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2644
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4400
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:5020
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4628
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3540
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4252
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3152
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2528
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4456
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3108
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1312
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3260
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3812
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2512
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:3792
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4468
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:5032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:4892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2260
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:1580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\MiniCalc.exe

Filesize
1.9MB

MD5
b1d2c6a081a911db6157479403f6b279

SHA1
63983454fcf3e5c8d4adad7566b1048922819164

SHA256
47c778403ce04173c50f686ad986b977e9e5048f3505fd1922e93c4ddee11727

SHA512
0c7847a5dc144a5a293d57e2aad923adbfcb48afb91374d76d1800b4868863bf18606dfdb9c0453f5d3bc20594b324c8a6f131f5c59416b7c574442b4edf80b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d2c6a081a911db6157479403f6b279_jaffacakes118.exe

Filesize
112KB

MD5
24cfc52ce3106b792d93e96634372215

SHA1
875f00987bc65d4dab5f99168d622f6b40cc7c9f

SHA256
382171d2fa4d6d713846dbdaafd2a0bd6b6509f1759bb58e524fee060591f98d

SHA512
87e27fc9ebf6842ada5297efcb273bf11ef97ecfbd5823d55c056c65de28ac65bd61f58e2955a0719587c13dc0efd539074853b8ae29efd204919bb70ebb9d0e

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
1.8MB

MD5
1ceb2c97afd546cfa87804f13c905b2f

SHA1
d853f522786e15133feda59f2e56a59a60fb70a4

SHA256
a11c8c2fdab3ed8c2189bad71ba22f882547fb453d58ccd674d5355475950cd4

SHA512
f388b955a4070b1544d03a3268f149f847584e5f84fde1df27ee4aaf4a34cd2443fe5c216eb9373357afca496f7c5e6d60d4a7bbc84c44cd999dd5248902d78a

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.0MB

MD5
5f5fdf97eab5cebe16dbbc3c9a7c3a0e

SHA1
2fe7798f6832abec8ed05006bfb0830d325e80b8

SHA256
1895ce021e0672d5c1a50594a6dfc03fe072551b1e9f4537c88b48e40dd4fb55

SHA512
83f7c34d5e8d2c399f1ce800d78194a99844f208b185ab65101e28426f009d72f7130ab10a292c343a1898247150ff3a3f9e27159ee51a43161631a55014028d

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.0MB

MD5
2f847a8edcbcee9448002c548b128ecc

SHA1
4833c69f6f01eac2dc3556a368b72a77a1f687b0

SHA256
3bc12689e30e9bfd7e1ffcc6c6a56d559b16b165db857de17f99c32d15a9eb18

SHA512
ae7808b9bdb4c783c6b822d4253253a9c8292af02e113b92e58b44d387c0e2748ff941e73c5c3ffe84854015f96fda62c68a25b1389eefada17c676fdbf68323

Download Submit
memory/516-98-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/556-135-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/556-111-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/884-139-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/884-117-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1092-179-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/1228-129-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1228-150-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1276-119-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1276-93-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1312-195-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1432-103-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1928-124-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1928-99-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1960-113-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1984-160-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2012-144-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2012-167-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2204-128-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2204-104-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2308-146-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2512-176-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2516-158-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2528-151-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2528-175-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2644-133-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2924-183-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2924-156-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2928-126-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2944-191-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3008-106-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3012-116-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3024-95-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3024-82-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3108-185-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3152-170-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3260-168-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3280-172-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3292-161-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3292-188-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3404-6-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3404-0-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3404-2-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3404-4-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3404-13-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3404-1-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3440-163-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3476-108-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3500-180-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3508-131-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3540-153-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3812-173-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4044-56-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4044-59-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4044-71-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4084-155-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4192-24-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/4192-10-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/4192-29-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-30-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/4192-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4252-165-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4400-137-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4400-114-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4456-178-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4468-31-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4468-189-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4468-27-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4468-46-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4540-47-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/4540-58-0x0000000000400000-0x000000000043E00C-memory.dmp

Filesize
248KB

Download
memory/4540-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4628-148-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4720-101-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4736-96-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4736-122-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4780-110-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4880-38-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4880-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4880-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4892-196-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4904-120-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4904-141-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4964-78-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4964-92-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/5020-143-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download