Analysis

max time kernel: 114s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/04/2024, 22:06
Behavioral task: behavioral1
Sample: 002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe
Size: 2.2MB
MD5: 002d2948254e8f53154b8665530c2b5e
SHA1: 896c3c796d4931f9214cfe9f87dbca13f3e13d4b
SHA256: 63a4c606c0f9e0ab09e1241fa1f1e748de121e392e586ec8ae765bcc93d167e9
SHA512: 0b146e72c95a785284bae6866bbf7fd75768d7d49903b48acd64e3e95e02e4a3c4c35357550c9b0a4a88c1fc0b6d070216e265b446fead700f975defe821fe1a
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZp:0UzeyQMS4DqodCnoe+iitjWwwd
Malware Config

Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
(each IoC line: action, target, [process])

Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  [explorer.exe]

Modifies visibility of hidden/system files in Explorer  (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [explorer.exe]

Modifies Installed Components in the registry  (2 TTPs, 2 IoCs)
  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  [explorer.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  [explorer.exe]

Drops startup file  (2 IoCs)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe  [002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe]
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe  [002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe]

Executes dropped EXE  (60 IoCs)
Adds Run key to start application  (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  [explorer.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  [explorer.exe]
Suspicious use of SetThreadContext  (24 IoCs)
  (source PID -> target PID, source process, procid_target)
  2016 -> 1784  002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe  (104)
  2632 -> 4180  explorer.exe  (108)
  2068 -> 3932  spoolsv.exe  (137)
  1608 -> 4732  spoolsv.exe  (140)
  512  -> 5276  spoolsv.exe  (142)
  4860 -> 5388  spoolsv.exe  (144)
  556  -> 5464  spoolsv.exe  (145)
  4092 -> 5548  spoolsv.exe  (146)
  4676 -> 5940  spoolsv.exe  (148)
  2324 -> 6016  spoolsv.exe  (149)
  2684 -> 5252  spoolsv.exe  (150)
  4592 -> 5404  spoolsv.exe  (152)
  1876 -> 5716  spoolsv.exe  (154)
  2992 -> 2404  spoolsv.exe  (155)
  3644 -> 2356  spoolsv.exe  (158)
  1904 -> 3944  spoolsv.exe  (159)
  2004 -> 5396  spoolsv.exe  (160)
  4372 -> 5504  spoolsv.exe  (161)
  1048 -> 5812  spoolsv.exe  (162)
  1108 -> 1668  spoolsv.exe  (164)
  4836 -> 5296  spoolsv.exe  (165)
  4736 -> 5356  spoolsv.exe  (167)
  1136 -> 4908  spoolsv.exe  (168)
  368  -> 5508  spoolsv.exe  (170)
Drops file in Windows directory  (39 IoCs, grouped by target; counts are per writing process)
  File opened for modification  C:\Windows\Parameters.ini  [002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe x1, explorer.exe x6, spoolsv.exe x29]
  File opened for modification  \??\c:\windows\system\explorer.exe  [002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe, explorer.exe]
  File opened for modification  \??\c:\windows\system\spoolsv.exe  [explorer.exe]
Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses  (62 IoCs)
Suspicious use of SetWindowsHookEx  (50 IoCs)
Suspicious use of WriteProcessMemory  (64 IoCs)
Processes
(indented by process-tree depth; fields: image | command line | PID | signatures)

C:\Users\Admin\AppData\Local\Temp\002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe" | PID:2016 | Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe | C:\Windows\splwow64.exe 12288 | PID:5000
  C:\Users\Admin\AppData\Local\Temp\002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\002d2948254e8f53154b8665530c2b5e_JaffaCakes118.exe" | PID:1784 | Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:2632 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:4180 | Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2068 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:3932 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:1296 | Executes dropped EXE; Drops file in Windows directory
              \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:4480
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1608 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4732 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:512 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5276 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:5348 | Executes dropped EXE; Drops file in Windows directory
              \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:6000
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4860 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5388 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:556 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5464 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4092 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5548 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4676 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5940 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2324 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:6016 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2684 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5252 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:5320 | Executes dropped EXE; Drops file in Windows directory
              \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:4352
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4592 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5404 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1876 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5716 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2992 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2404 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:6056 | Executes dropped EXE; Drops file in Windows directory
              \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:3152
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3644 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2356 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1904 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:3944 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2004 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5396 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4372 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5504 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1048 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5812 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:5960 | Executes dropped EXE; Drops file in Windows directory
              \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:5652
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1108 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:1668 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4836 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5296 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4736 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5356 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1136 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4908 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:368 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5508 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:5616 | Executes dropped EXE
              \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:4108
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4756 | Executes dropped EXE; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5192
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:5328
              \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:4260
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1316 | Executes dropped EXE; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4704
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4016 | Executes dropped EXE; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5300
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:3472
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5860 | Executes dropped EXE; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4800
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:3752
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5588 | Executes dropped EXE; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4580
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:5920
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5312 | Executes dropped EXE; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:3300
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:2944
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5128 | Executes dropped EXE; Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2760
            \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:5500
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5764 | Executes dropped EXE
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5332
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5204
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4308
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5684
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4448
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:6004
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:396
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3116
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:320
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4812
          \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5876
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3208
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5228
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5340
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5148
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2124
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5980
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:968
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1388
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:6012
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5200
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1988
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5168
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3216
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4700
        \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5788
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc | PID:2032
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Filesize: 2.2MB
MD5: c794d509bbb84a4e1cb5a497db226710
SHA1: 1c9190344da64e2ffba172323bd69de787b053b0
SHA256: 05226502f0a19babf8fa15d2da2d4cf0fd9480c3a22a3ab31472d4c0e2560ed1
SHA512: 0bf68db9296dee503dd533158da5802d5cf20e79f2c0cc8cf7191e9889635703ff52c9dbd7aea29ecec908d65befddfe7e00acf12d44eb1ff823f883a5060ba8

Filesize: 2.2MB
MD5: 7ff10625c98048ba30a0867f079d8152
SHA1: 0ef4cbf7a1d2c5a2b3c654abc3e0c7f418fc3fac
SHA256: c3fbdbc7f7cd872db13016abc16ea0ed8fd0e06003c9e72b49c0d15eeaad77fa
SHA512: 585ad38f1ba4af8858392190885280b1667aaa61f5e97607f894d2addfc2cd0cd5f085f634b13f2a60e105ce717375e444506f906511385c33d28aa6beda2246