Analysis
max time kernel: 113s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 18:58
Behavioral task: behavioral1
Sample: b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe
Size: 2.2MB
MD5: b4b14a27d45073e18e6f003f8ed9714f
SHA1: 2ccb74e5489484070094b7bd47f247496d5b5812
SHA256: bc396b73219a0d05981f2d0f1ae2068af2f5718d9e26d944fc78706f87666068
SHA512: 9e0eece11becb29a8fa9e3798963860886a6d3957cff3fa8d512863a0a05dc5fa6d840dde54f5e49068d4b873c2e9164a71207808fb0673a6222e366ec9d6911
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ5:0UzeyQMS4DqodCnoe+iitjWwwd
Malware Config
Extracted: pony
  http://don.service-master.eu/gate.php
  payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe | b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe | b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe
Executes dropped EXE 26 IoCs
pid | Process
3328 | explorer.exe
4216 | explorer.exe
4152 | spoolsv.exe
2968 | spoolsv.exe
2304 | spoolsv.exe
4552 | spoolsv.exe
1264 | spoolsv.exe
456 | spoolsv.exe
3656 | spoolsv.exe
1888 | spoolsv.exe
2708 | spoolsv.exe
2380 | spoolsv.exe
3016 | spoolsv.exe
1792 | spoolsv.exe
2916 | spoolsv.exe
4480 | spoolsv.exe
4948 | spoolsv.exe
2240 | spoolsv.exe
4324 | explorer.exe
3176 | spoolsv.exe
1736 | spoolsv.exe
888 | explorer.exe
1940 | spoolsv.exe
1348 | spoolsv.exe
2792 | explorer.exe
4992 | spoolsv.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 2136 set thread context of 2312 | 2136 | b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe | 95
PID 3328 set thread context of 4216 | 3328 | explorer.exe | 98
PID 4152 set thread context of 2240 | 4152 | spoolsv.exe | 114
PID 2968 set thread context of 1736 | 2968 | spoolsv.exe | 117
PID 2304 set thread context of 1348 | 2304 | spoolsv.exe | 120
Drops file in Windows directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid | Process
2312 | b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe (×2)
4216 | explorer.exe (×36)
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
2312 | b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe (×2)
4216 | explorer.exe (×4)
2240 | spoolsv.exe (×2)
1736 | spoolsv.exe (×2)
1348 | spoolsv.exe (×2)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2136 wrote to memory of 4820 | 2136 | b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe | 91 (×2)
PID 2136 wrote to memory of 2312 | 2136 | b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe | 95 (×5)
PID 2312 wrote to memory of 3328 | 2312 | b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe | 96 (×3)
PID 3328 wrote to memory of 4216 | 3328 | explorer.exe | 98 (×5)
PID 4216 wrote to memory of 4152 | 4216 | explorer.exe | 99 (×3)
PID 4216 wrote to memory of 2968 | 4216 | explorer.exe | 100 (×3)
PID 4216 wrote to memory of 2304 | 4216 | explorer.exe | 101 (×3)
PID 4216 wrote to memory of 4552 | 4216 | explorer.exe | 102 (×3)
PID 4216 wrote to memory of 1264 | 4216 | explorer.exe | 103 (×3)
PID 4216 wrote to memory of 456 | 4216 | explorer.exe | 104 (×3)
PID 4216 wrote to memory of 3656 | 4216 | explorer.exe | 105 (×3)
PID 4216 wrote to memory of 1888 | 4216 | explorer.exe | 106 (×3)
PID 4216 wrote to memory of 2708 | 4216 | explorer.exe | 107 (×3)
PID 4216 wrote to memory of 2380 | 4216 | explorer.exe | 108 (×3)
PID 4216 wrote to memory of 3016 | 4216 | explorer.exe | 109 (×3)
PID 4216 wrote to memory of 1792 | 4216 | explorer.exe | 110 (×3)
PID 4216 wrote to memory of 2916 | 4216 | explorer.exe | 111 (×3)
PID 4216 wrote to memory of 4480 | 4216 | explorer.exe | 112 (×3)
PID 4216 wrote to memory of 4948 | 4216 | explorer.exe | 113 (×3)
PID 4152 wrote to memory of 2240 | 4152 | spoolsv.exe | 114 (×4)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2136
  [2] C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 4820
  [2] C:\Users\Admin\AppData\Local\Temp\b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b4b14a27d45073e18e6f003f8ed9714f_JaffaCakes118.exe"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2312
    [3] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        PID: 3328
      [4] \??\c:\windows\system\explorer.exe
          Command line: "c:\windows\system\explorer.exe"
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 4216
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
            PID: 4152
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              PID: 2240
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Drops file in Windows directory
                PID: 4324
              [8] \??\c:\windows\system\explorer.exe
                  Command line: "c:\windows\system\explorer.exe"
                  PID: 5288
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            PID: 2968
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              PID: 1736
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Drops file in Windows directory
                PID: 888
              [8] \??\c:\windows\system\explorer.exe
                  Command line: "c:\windows\system\explorer.exe"
                  PID: 1556
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            PID: 2304
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              PID: 1348
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                - Executes dropped EXE
                PID: 2792
              [8] \??\c:\windows\system\explorer.exe
                  Command line: "c:\windows\system\explorer.exe"
                  PID: 732
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 4552
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 2700
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 1772
              [8] \??\c:\windows\system\explorer.exe
                  Command line: "c:\windows\system\explorer.exe"
                  PID: 2044
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 1264
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 452
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 1436
              [8] \??\c:\windows\system\explorer.exe
                  Command line: "c:\windows\system\explorer.exe"
                  PID: 5844
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 456
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 4156
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 2252
              [8] \??\c:\windows\system\explorer.exe
                  Command line: "c:\windows\system\explorer.exe"
                  PID: 3100
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 3656
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 5228
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 1888
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 5652
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 5720
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 2708
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 1012
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 3060
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 2380
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 5904
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 6128
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 3016
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 5984
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 5976
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 1792
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 6120
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 5388
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 2916
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 5468
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 4480
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 1564
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 2268
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 4948
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 3352
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 3176
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 5344
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 1940
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 1876
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 5256
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            PID: 4992
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 5332
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 1864
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 5832
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 564
          [6] \??\c:\windows\system\spoolsv.exe
              Command line: "c:\windows\system\spoolsv.exe"
              PID: 1980
            [7] \??\c:\windows\system\explorer.exe
                Command line: c:\windows\system\explorer.exe
                PID: 1952
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 5168
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 5592
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 6036
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 5452
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 2328
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 5780
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 5316
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 2772
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 5700
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 5404
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    PID: 872
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3864 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
    PID: 3580
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Filesize: 2.2MB
MD5: ea4e50d504ae565029895ad295eaf814
SHA1: bba31fd399b513bba21ff586895c4dbebbc80588
SHA256: a53e51d8eeec5acb86d67a3a7b2c9532176c32d2a2316aac7299a5b4673c48e9
SHA512: 512ebe6fc9605020a6561d08d5698baeb38d2af1c52e12016c70bbae97089dbceeee1e2b86cef0a23b1a7d5f470dee9f24d25888edb371c091d04f4c8ad30ebc

Filesize: 2.2MB
MD5: 7a2187d19c6faf52560184b9cddd0448
SHA1: 3b814250d7cee2373eedc2e5e906c6d121e0d7a5
SHA256: 95b77509ec0aff8d50da3cfcebbceb5dd167604b663b304628a35be3333ce5df
SHA512: 7e6c2880d7f9c17e97d4992f261e1f6757606d42106b41f6093d3066e2874eeb890d0a892f6b835526d8ce2e68388203458510d5bcddffc3f778d73f33db42cb