771b17b8bd7f1a10429d713e30526135a814ee181b38210bcf72439fba3d2993

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 03:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
Size

792KB
MD5

bdd4cc3db4f1cd008d92fecc1323fb18
SHA1

0f5054ead0721a9197daef82a52120d8e58f5211
SHA256

771b17b8bd7f1a10429d713e30526135a814ee181b38210bcf72439fba3d2993
SHA512

2072e89de85b606c1a4e88b7e5177d907165d05b393be72721c3ff7eb8a228e3de773e867e3db06164118696f338c2395cc40ed87543345a9c6bffeb509fe2b4
SSDEEP

24576:C6rTTrLZt640HYTIegYgAAldoCXJK/KbhKMB:CCTPRmqAXoC80YM

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1492	spoolv.exe

Loads dropped DLL 2 IoCs

pid	Process
1036	cmd.exe
1036	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\spoolv = "\"C:\\Windows\\spoolv\\spoolv.exe\""	regedit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\spoolv\run.bat	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv\mirc.ico	spoolv.exe
File created	C:\Windows\spoolv\TMP5.$$$	spoolv.exe
File opened for modification	C:\Windows\spoolv\idents.txt	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\remote.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\control.ini	spoolv.exe
File created	C:\Windows\spoolv\TMP2.$$$	spoolv.exe
File opened for modification	C:\Windows\spoolv\mirc.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\mirc.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\users.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\ccc.mrc	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\reg.reg	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv\reg.reg	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv\control.ini	spoolv.exe
File opened for modification	C:\Windows\spoolv\control.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv\mirc.ico	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv\ccc.mrc	spoolv.exe
File created	C:\Windows\spoolv\TMP3.$$$	spoolv.exe
File opened for modification	C:\Windows\spoolv\remote.ini	spoolv.exe
File created	C:\Windows\spoolv\fullnames.txt	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\run.bat	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\spoolv.exe	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\idents.txt	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv\mirc.ini	spoolv.exe
File opened for modification	C:\Windows\spoolv\servers.ini	spoolv.exe
File opened for modification	C:\Windows\spoolv\spoolv.exe	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\__tmp_rar_sfx_access_check_259442251	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\aliases.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv\remote.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\servers.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv\servers.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\mirc.ico	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv\ccc.mrc	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	\??\c:\windows\spoolv	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\TMP1.$$$	spoolv.exe
File opened for modification	C:\Windows\spoolv\aliases.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File created	C:\Windows\spoolv\control.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv\users.ini	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
File opened for modification	C:\Windows\spoolv	attrib.exe
File created	C:\Windows\spoolv\TMP4.$$$	spoolv.exe
File created	C:\Windows\spoolv\remote.ini	spoolv.exe
File created	C:\Windows\spoolv\TMP6.$$$	spoolv.exe
File opened for modification	C:\Windows\spoolv\fullnames.txt	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	spoolv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	spoolv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	spoolv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	spoolv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	spoolv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\Windows\\spoolv\\spoolv.exe\""	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "svchost"	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\Windows\\spoolv\\spoolv.exe\" -noconnect"	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\Windows\\spoolv\\spoolv.exe\" -noconnect"	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	spoolv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	spoolv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\Windows\\spoolv\\spoolv.exe\""	spoolv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "svchost"	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	spoolv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	spoolv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	spoolv.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2284	regedit.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe
1492	spoolv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1492	spoolv.exe
1492	spoolv.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1036	2272	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe	30
PID 2272 wrote to memory of 1036	2272	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe	30
PID 2272 wrote to memory of 1036	2272	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe	30
PID 2272 wrote to memory of 1036	2272	bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe	30
PID 1036 wrote to memory of 2284	1036	cmd.exe	32
PID 1036 wrote to memory of 2284	1036	cmd.exe	32
PID 1036 wrote to memory of 2284	1036	cmd.exe	32
PID 1036 wrote to memory of 2284	1036	cmd.exe	32
PID 1036 wrote to memory of 1492	1036	cmd.exe	33
PID 1036 wrote to memory of 1492	1036	cmd.exe	33
PID 1036 wrote to memory of 1492	1036	cmd.exe	33
PID 1036 wrote to memory of 1492	1036	cmd.exe	33
PID 1036 wrote to memory of 2760	1036	cmd.exe	34
PID 1036 wrote to memory of 2760	1036	cmd.exe	34
PID 1036 wrote to memory of 2760	1036	cmd.exe	34
PID 1036 wrote to memory of 2760	1036	cmd.exe	34

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2760	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdd4cc3db4f1cd008d92fecc1323fb18_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\spoolv\run.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\spoolv\reg.reg
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2284
- - C:\Windows\spoolv\spoolv.exe
    C:\Windows\spoolv\spoolv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1492
- - C:\Windows\SysWOW64\attrib.exe
    attrib +H +S C:\Windows\spoolv
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\spoolv\aliases.ini

Filesize
71B

MD5
9e148b91fad20422c534814cfd1f783d

SHA1
a10cdcef1e5cd0c0248dc090600ed2ae03b9279a

SHA256
c313dde0fe9c8dea102c1db4b7944c89f9e4aec672bc66a0d3d12360ed8cfdc1

SHA512
4e09ec3044d3711679b14c4876523983ae90177c6f15f0634e317a44d46ddb1adae7625c3cbe8d11650ef7b72cf8c976eb358e71f76c483196b65f314c426975

Download Submit
C:\Windows\spoolv\ccc.mrc

Filesize
9KB

MD5
4a10e3e0e7816bcabdd36f600558226e

SHA1
c0bd4c2bc0b08c4e547242cff2e943433986fba8

SHA256
40d1e0adbb667d9445c3f40e1d96e7aa41471f161ba1a685e167a83b9805c981

SHA512
7c8600077e4b0a16ebb512f94b14ddf956b449b3d339335ae30bbd5c73354de87fa5cad7f98efe41c02f62eb133f1eebdff44bd8bed24735e69a3dce55922ea2

Download Submit
C:\Windows\spoolv\control.ini

Filesize
42B

MD5
405d882eed0cab5b915aa470a265dcc5

SHA1
7adfa3476bfc1c248619f0f78da6791faa7aa360

SHA256
32680a610219e4de3cdfb104e71a9b3b1c86d3fb6c3f18328e6e161d2e3dff8b

SHA512
03a5ce9a968196c605330e8e41a8df57ff86b1b60b60b38a453c13f469bd372679ff55f325cb336cb9c43db6d15b7554c7474fcc1f7515d8e4ef748d278ee723

Download Submit
C:\Windows\spoolv\control.ini

Filesize
73B

MD5
61e3c046e47c27dd749e430bd8a306b7

SHA1
172fd968aa943beae54ae8581dce1071283ffe96

SHA256
06ea4bb23672dfe75aa9790b54828c6f0fde79ceed3d3ee93079d409ea2ceb99

SHA512
f1acea77a0d8282d9e6e424d2e0ee922a176f1c0b5b352b990b2314144f4a5d9638ca88f852d5924a5c22dfefcc4ca019b4d26ced219457e6b2868edca191472

Download Submit
C:\Windows\spoolv\fullnames.txt

Filesize
76KB

MD5
604510c63582646e03f1d2e648f8b866

SHA1
7ba3a5d68d58c003d2383b8ed02bb88a61882ff9

SHA256
99a8c4d6918c89193ac2b6e11d6dfc49dd197b6b69d020dbb7a04b36e33c9bf3

SHA512
d27b2576361eee442ec0997adf0e1a7ee1b17dbfd1ad6bc29456eb60a2a84e4fd30e81c5ad095a745a71634eff883cba8d68666a21ba49c004544ae02d6197f1

Download Submit
C:\Windows\spoolv\idents.txt

Filesize
132KB

MD5
49bf0b00c3af898ba53352670a99d9d5

SHA1
05ff339132f58fd5ded52d6caf686fb6afd34f48

SHA256
bcdac3b11b8f8238135b16e1e304ecfc75249cff67c148f800ba8c60c2c70800

SHA512
6b729a533a6b344ae6954ef57d735d802389fa6da2bc1acf972b2762078121299f85bca50c6c154db1e1afe189c5eca8d9466f8f41231f196a14370e4c416ee1

Download Submit
C:\Windows\spoolv\mirc.ico

Filesize
5KB

MD5
e09aa9787af5cc53fd7525dd6693cf10

SHA1
57445d0779a66c61741822c0a7988573efee13d7

SHA256
c7f023fc4c85680f5c334fef09155e81861634108140a5716a1395dd7cd62266

SHA512
b71a8c0939d545afa173f107f99314848c6104928b77d6f39d6e4486ca2b65797cecff0f877160edf6ca1d21dca95b7f1be53221811c945f7c4be6e77a4d1f8c

Download Submit
C:\Windows\spoolv\mirc.ini

Filesize
3KB

MD5
58718139625136cd5babb2c16f502d03

SHA1
3576dbf11bc5f8fa551bdd37b37603e46ab8cb2f

SHA256
90ab1bbe98903baabe89254f1591ed500185347a57f16cf27113e5ac0c80045a

SHA512
fdd2bc80fa84da78599502cf558c3390c325c7c23bce4690108b5a946309935c2f9b2e50e7bcf086a1c29cc29279a9027a6fd871f35de658097c1deead4c2585

Download Submit
C:\Windows\spoolv\mirc.ini

Filesize
3KB

MD5
e6145e164281fac34205af8067696ea4

SHA1
b61559d1f89600ff1d4171bbe2715bbb4faeacf4

SHA256
308f090a1991f704c4f5d04f8da8b89682f8393a6ce9d3a1dc6740c9a6503f6b

SHA512
ad7f261f3c0fcd18f62feb257095d9be58b371e8222f40993eae5e75a94d472ab5a24a6bf4759169e5283bd9a23fdec1241b2a5225e175d69f53f15f4b77862d

Download Submit
C:\Windows\spoolv\mirc.ini

Filesize
3KB

MD5
c7b8cf94c4f20b710f8d5e9f441cede9

SHA1
414e0c45d2a9d91c424edb3c1ebd8044258c3b9a

SHA256
2f4c394dfb1b2eeae5b4ceb0e946330608f2d774145ceba100f9d61e78ae3953

SHA512
e5aedf44a8c3fc83175189967a75a8794f9b7d22efd2c14a7ce5cf284abac119ec3b71d13cc8b1edc798394ef88d211f9f7b122c11ceac74ec1163e8857b81fa

Download Submit
C:\Windows\spoolv\mirc.ini

Filesize
3KB

MD5
829558824ff0358d8270e2fa528f9409

SHA1
09909cae1ab67ac5c85dcef49e9109584d9f5422

SHA256
6025d7672b1c95befc5875da2ad5fee33477d784cdc3dbf80bbd5c0e051d1ad6

SHA512
56511c2dbfbb8985559b12d846613c8b95c3a96469a86be682c90a6510ebc3bd05d7f6d92ce4ad6f5ec5e293faf1b5f4fef037c66f8f2717800b2310196b0536

Download Submit
C:\Windows\spoolv\mirc.ini

Filesize
3KB

MD5
1a8b7132e3f88fbb22346a10e3918d4a

SHA1
4d1ed74311705fbade47482b0de4194551bf8ee6

SHA256
fd0db3afcf92f0d49303f678af0d8f19d159d89dd14f53646b075200c6e2f74d

SHA512
bec4a07eb28e4df2b730f00545d563a63bf2ed00e8b18210c7b88e2aea57f85d58b791c4158fc154119a2f0d09836ce90dffd0def4a9c1733f3b7e47f93a6a5e

Download Submit
C:\Windows\spoolv\mirc.ini

Filesize
3KB

MD5
3d43c6451e61e72f18f45189798e0e4c

SHA1
9c899ffdf249e1d46ee1fea5a2e293cff9b8f17e

SHA256
6638366c0a27072ba362e078e7c0891f3df30ba420754536c9f1249f4ffa177a

SHA512
fc415fec817bc07bd2f0b1e6f6b38076d99ce71235af70392dacbc37160a6846bd02886644e05720545d8ad54de9a69adcd54c6664f6ecd37bfad5ac2463ef32

Download Submit
C:\Windows\spoolv\reg.reg

Filesize
1KB

MD5
3aee26844ed0e98a2bc350b0bb8ed2eb

SHA1
28dc6eb9f9ba8e573370cba29049b63719beb633

SHA256
a9deb575c465fa6a28bc38e2e61088a8f16ce30a94844cccf9abd4fe17876f43

SHA512
70453a100fa5cfcaa7727308b6a2757016d90078ee583330dd0ad10eae1021a9314b0287389fad7fde817a97a62795838138aa5bc28fbf61e2fcdd2be80e2751

Download Submit
C:\Windows\spoolv\run.bat

Filesize
135B

MD5
ccb995d58bc99b34ea3fa3e97c5583e0

SHA1
d72b86500a4a02fa7ad31b7933ce714d9abbe7c1

SHA256
27948bfbbdeb54b01cd00ce467660b7a59e6019d9cd61b4e8d687829032a748f

SHA512
898492b02492d0764ebf2218e2a2dfe29bcd97213fe577b2eae3b03a7c418d91fbb5b847f76c7e606ca8c95916a5de6423d3fb0a060f32fdc9080f19ada3b4dc

Download Submit
C:\Windows\spoolv\servers.ini

Filesize
882B

MD5
0c50f397f8202d830f3102619a4baeb3

SHA1
3b90db0c8c2e2bb5504f31814a61fbaf88cef283

SHA256
f2120c3fac12eb56aea82912ca6c934525bbac642bb3a79d9147a694ad294b33

SHA512
421feab3819c1b8e5bbb381eda9d761ff2194977c60056d48a2afe8229e6a5cb1ac50cd590f5740c84ada269f4450bdc2fb7f5179a80896c5b12bfaa12651237

Download Submit
C:\Windows\spoolv\spoolv.exe

Filesize
1.7MB

MD5
b766003f431cad186bd115f5761592d1

SHA1
33cdfe6f7fa6b321f9a51cc051c32ba924164b10

SHA256
22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

SHA512
d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

Download Submit
C:\Windows\spoolv\users.ini

Filesize
67B

MD5
e2c6e41a58d2d119301fd0f86d6cd584

SHA1
3468d0db0ef6e10e1d3d42237e0a7f54a893b91f

SHA256
c8e855ef54675e37d79b4e8c6cf67396800ed809e4b95d6deb7cce971acd2d93

SHA512
c79a00db0aa1b182673917b5f28219fdba3b38d6c91c4e04bd71dd3d2b3db98529a506c3fd8dbf0a4a5760cb3c240e1aea9b4407081da591c39a43f0c5892b19

Download Submit
memory/1492-372-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-381-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-392-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-373-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-374-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-375-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-376-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-371-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-382-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-383-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-384-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-385-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-386-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1492-391-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2272-354-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads