Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26/04/2024, 06:41
Behavioral task
behavioral1
Sample
0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
0035b70154f2e1df4c3cda8e8fb24b8f
-
SHA1
16cc481a1fb6f88cb014474876e0854836619307
-
SHA256
a19dff42e4fada2ded22aed776b1a2742413e04faeee76c171d3ee6ef63ad787
-
SHA512
a0c8d9f3cf18a61025364adffd6f15d3e64588e4b3a768597ca237fddc44c94ce08176f4394d5a240ff3a07526a9fdd8282e2d1e2d2d4a3e3432645801634b2e
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlM:86SIROiFJiwp0xlrlM
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe -
Executes dropped EXE 11 IoCs
pid Process 300 explorer.exe 2200 explorer.exe 852 explorer.exe 1028 spoolsv.exe 1556 spoolsv.exe 1752 spoolsv.exe 2316 spoolsv.exe 2824 spoolsv.exe 1352 spoolsv.exe 1048 spoolsv.exe 608 spoolsv.exe -
Loads dropped DLL 14 IoCs
pid Process 1512 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 1512 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 852 explorer.exe 852 explorer.exe 1028 spoolsv.exe 852 explorer.exe 852 explorer.exe 1752 spoolsv.exe 852 explorer.exe 852 explorer.exe 2824 spoolsv.exe 852 explorer.exe 852 explorer.exe 1048 spoolsv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 8 IoCs
description pid Process procid_target PID 2868 set thread context of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 1280 set thread context of 1512 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 30 PID 300 set thread context of 2200 300 explorer.exe 32 PID 2200 set thread context of 852 2200 explorer.exe 35 PID 1028 set thread context of 1556 1028 spoolsv.exe 37 PID 1752 set thread context of 2316 1752 spoolsv.exe 39 PID 2824 set thread context of 1352 2824 spoolsv.exe 41 PID 1048 set thread context of 608 1048 spoolsv.exe 43 -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1512 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 852 explorer.exe 852 explorer.exe 852 explorer.exe 852 explorer.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 1512 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 1512 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 300 explorer.exe 852 explorer.exe 852 explorer.exe 1028 spoolsv.exe 852 explorer.exe 852 explorer.exe 1752 spoolsv.exe 2824 spoolsv.exe 1048 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 2868 wrote to memory of 1280 2868 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 28 PID 1280 wrote to memory of 772 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 29 PID 1280 wrote to memory of 772 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 29 PID 1280 wrote to memory of 772 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 29 PID 1280 wrote to memory of 772 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 29 PID 1280 wrote to memory of 1512 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 30 PID 1280 wrote to memory of 1512 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 30 PID 1280 wrote to memory of 1512 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 30 PID 1280 wrote to memory of 1512 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 30 PID 1280 wrote to memory of 1512 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 30 PID 1280 wrote to memory of 1512 1280 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 30 PID 1512 wrote to memory of 300 1512 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 31 PID 1512 wrote to memory of 300 1512 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 31 PID 1512 wrote to memory of 300 1512 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 31 PID 1512 wrote to memory of 300 1512 0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe 31 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 300 wrote to memory of 2200 300 explorer.exe 32 PID 2200 wrote to memory of 852 2200 explorer.exe 35 PID 2200 wrote to memory of 852 2200 explorer.exe 35 PID 2200 wrote to memory of 852 2200 explorer.exe 35 PID 2200 wrote to memory of 852 2200 explorer.exe 35 PID 2200 wrote to memory of 852 2200 explorer.exe 35 PID 2200 wrote to memory of 852 2200 explorer.exe 35 PID 852 wrote to memory of 1028 852 explorer.exe 36 PID 852 wrote to memory of 1028 852 explorer.exe 36 PID 852 wrote to memory of 1028 852 explorer.exe 36 PID 852 wrote to memory of 1028 852 explorer.exe 36 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37 PID 1028 wrote to memory of 1556 1028 spoolsv.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:772
-
-
C:\Users\Admin\AppData\Local\Temp\0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0035b70154f2e1df4c3cda8e8fb24b8f_JaffaCakes118.exe"3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:300 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1556 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1924
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1752 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2316 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2876
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2824 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1352 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2640
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1048 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:608 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2472
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1848
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3012
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2328
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2904
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1968
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2560
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2672
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2604
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2700
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2500
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:652
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1032
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1900
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2524
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2064
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2072
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1672
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2720
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:780
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1236
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2068
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2028
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1848
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1852
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1608
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:912
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2992
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:704
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2108
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2088
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1808
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1872
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:756
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2328
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2324
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1272
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2296
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2660
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1876
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:880
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2540
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2508
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2464
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1712
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2816
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2760
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2504
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2768
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2680
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2744
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:332
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1904
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1704
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1580
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2256
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2016
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2644
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1964
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1576
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2404
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:584
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2992
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2000
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:900
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1116
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2180
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1804
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:848
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2588
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2592
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2656
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2440
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1032
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1740
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2668
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2284
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2068
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1076
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1772
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1700
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2360
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2808
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1808
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:848
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1344
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2784
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2700
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1756
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2980
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2600
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2288
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1148
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1080
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2300
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:840
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3032
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1488
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2216
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2408
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1236
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1296
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2432
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1576
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1652
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1664
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1644
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:940
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1344
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1244
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:568
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1480
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1680
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2412
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2376
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2720
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1976
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1740
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1476
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2372
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:584
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1776
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2844
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1120
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1344
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2216
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1636
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1736
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:592
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1192
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1344
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2812
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:984
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1636
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2132
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3104
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3204
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3236
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3264
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3284
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3308
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3340
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3356
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3384
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3412
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3436
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3488
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3768
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3788
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3824
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3848
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3868
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3900
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3920
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
56KB
MD5bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA13fd23d4f14da768da7b8364d74c54932d704e74e
SHA25690f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA51272360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562
-
Filesize
2.6MB
MD5bb9a430893cdb6d594507852407fd4e9
SHA18370a3bf58bd24db5a46faf8155b4b3d82990892
SHA256971fef2a170f482088dd41e46fbadff2dbc306cf7fbca6ee24c2a1d4fef7756e
SHA512cc45414317bd5fbc6fe42735baf0ae991722482e5e3f4a2f638af251d5d34555f972d3dc9e3fa651481fcbb76caaff3619ddf01c2644b1364537b72657312858
-
Filesize
2.6MB
MD5b09f9d3275986ac9d78a0a449af0837f
SHA195e2cb3e232f68150b25b89b9a95b4e61d21cb79
SHA25631f6f3d9f0c4ca1f6517ed486058e5cadcfea503da2d400235ad37d965530441
SHA512e4fd4aa13fe3559c1269cebcd77c4c63ef981c62f6c4198bb9474605313c9ac84e1762973feaf041ffa13b25f79850f3e3212581ec7b60891334216997974167