Analysis
max time kernel: 143s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/04/2024, 21:24
Behavioral task: behavioral1
Sample: 001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
Size: 2.2MB
MD5: 001b557e9b3c5e946cdbd9ec1bee9311
SHA1: ac446622d8af8bfa17e565239ee81e5b9cb28fe7
SHA256: 9be961908d3e404139a1aa7ddeed2b032866dc4e2a6e4f7c3f53901b573f2133
SHA512: e3950bc4d327c1ba57df85c258353a1e72b1f5d73b9d513a56ee242aaab37be7410b5d2eba8a95961c72689b0796dde347f1fa5fdb3f3fd5f3288b924f296bdd
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ8:0UzeyQMS4DqodCnoe+iitjWwwg
Malware Config
Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe | 001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe | 001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe

Executes dropped EXE (64 IoCs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe

Suspicious use of SetThreadContext (37 IoCs)

Drops file in Windows directory (64 IoCs)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  5112 | explorer.exe

Suspicious use of SetWindowsHookEx (64 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe (PID 4392)
  command line: "C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe"
  signatures: Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe (PID 3276)
    command line: C:\Windows\splwow64.exe 12288
  [2] C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe (PID 5012)
    command line: "C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe"
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe (PID 4348)
      command line: c:\windows\system\explorer.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe (PID 5112)
        command line: "c:\windows\system\explorer.exe"
        signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe (PID 1392)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 5964)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 6048)
              command line: c:\windows\system\explorer.exe
              signatures: Executes dropped EXE; Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 4992)
                command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 1296)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 6088)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1388)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5144)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 380)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5164)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 784)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5304)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1676)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5384)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1436)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5412)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3680)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5564)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3816)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 5680)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4312)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5752)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 216)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 5920)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2796)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1608)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3540)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 6072)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4736)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4468)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3048)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4268)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2368)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 740)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4680)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4556)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1248)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 5264)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2644)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5648)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2972)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5524)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 744)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5700)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3996)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5768)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3476)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5836)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2876)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 5900)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 396)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5772)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4760)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 3132)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4872)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 4768)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 5008)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2096)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1460)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4828)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4200)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 6076)
            command line: "c:\windows\system\spoolsv.exe"
            signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2996)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3848)
            command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2060)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4664)
            command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 5168)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5160)
            command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 5528)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1044)
            command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 5840)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 440)
            command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 5708)
              command line: c:\windows\system\explorer.exe
              signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 5616)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4328)
            command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 5196)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Executes dropped EXE; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4192)
            command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 6132)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2128)
            command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 116)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 220)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 5116)
          command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 4280)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 1964)
          command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 2760)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 5464)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 1464)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 4980)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 1076)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 2728)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 5124)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 5804)
          command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 3508)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 4400)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 5600)
          command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 5824)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 2692)
          command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 5320)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 4220)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 3968)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 2920)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 4624)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 4460)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 4672)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 1368)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 5272)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 5136)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 1384)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 2264)
          command line: c:\windows\system\spoolsv.exe SE
          signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 4204)
          command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 548)
          command line: c:\windows\system\spoolsv.exe SE

[1] C:\Windows\system32\svchost.exe (PID 3312)
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Filesize: 2.2MB
  MD5: b98fc04520b42f20b679160909b18472
  SHA1: b425520b2221fa8a17dd3333576396c2862c54c7
  SHA256: 239f409fc89523dca89e0557a068bc0fcb233c9f5296925510ec628c878402b1
  SHA512: 6d07987f5023fa0a08a8c027ee1b5b602125ccb85fc0ce4bb0915a2dc1b16348347df89173fdbe99d18dca49b789db3bf6a909299b1b9ec7040ffbb94a617b81

Filesize: 2.2MB
  MD5: 83b17abda23308eb05e211383ab1f913
  SHA1: dd1c74269327b5af01ac510eaea597ad7ef5ad1e
  SHA256: 45e0031f37e437dba7eaa5ff60baae20ded4166e727c1434a950fc06b327559c
  SHA512: 257ccec8d4e765de5fb1e927a36eba445d456e1c725847b312c496f1228e8442e66bf99fd50526b83f151488dcb34f64b01ad2df7ef6178e1a1569e848485bc1