Analysis
max time kernel: 71s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/04/2024, 07:04
Behavioral task: behavioral1
Sample: 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe
Size: 2.6MB
MD5: 003d9d66be09db079b38d47f3eacd8cd
SHA1: adfa36e219de86f0e1bbe0bdd2bda7ef25888e78
SHA256: 594388de17de8a9cde8d81d20898d571462d1bade9478699cac3ca3e477c5638
SHA512: 2621041bb71c4337e4d5b3915b2382fd04a553d04404e5f6c76c28f4c1d99d52d37951dea0a29b960e6a617d25a9ff6ce88dd7773283f4c5d5eb86e1870c39a3
SSDEEP: 49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrls:86SIROiFJiwp0xlrls
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Process: explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Process: explorer.exe
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Process: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
Process: explorer.exe
Drops startup file 2 IoCs
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe
Process: 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe
Process: 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe
Executes dropped EXE 36 IoCs
pid Process 2932 explorer.exe 2028 explorer.exe 1252 explorer.exe 2900 spoolsv.exe 2868 spoolsv.exe 2080 spoolsv.exe 272 spoolsv.exe 604 spoolsv.exe 1348 spoolsv.exe 2364 spoolsv.exe 980 spoolsv.exe 1040 spoolsv.exe 2308 spoolsv.exe 1460 spoolsv.exe 1900 spoolsv.exe 2568 spoolsv.exe 2572 spoolsv.exe 2428 spoolsv.exe 1792 spoolsv.exe 1408 spoolsv.exe 276 spoolsv.exe 1684 spoolsv.exe 1984 spoolsv.exe 2036 spoolsv.exe 1564 spoolsv.exe 1560 spoolsv.exe 2968 spoolsv.exe 2596 spoolsv.exe 1528 spoolsv.exe 2648 spoolsv.exe 2128 spoolsv.exe 1680 spoolsv.exe 2980 spoolsv.exe 536 spoolsv.exe 2548 spoolsv.exe 2172 spoolsv.exe -
Loads dropped DLL 52 IoCs
pid Process 2644 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 2644 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 1252 explorer.exe 1252 explorer.exe 2900 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 2080 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 604 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 2364 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 1040 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 1460 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 2568 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 2428 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 1408 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 1684 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1564 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 2968 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 1528 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 2128 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 2980 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 2548 spoolsv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
Process: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
Process: explorer.exe
Suspicious use of SetThreadContext 20 IoCs
description | pid | Process | procid_target
PID 3000 set thread context of 280 | 3000 | 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe | 28
PID 280 set thread context of 2644 | 280 | 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe | 30
PID 2932 set thread context of 2028 | 2932 | explorer.exe | 32
PID 2028 set thread context of 1252 | 2028 | explorer.exe | 35
PID 2900 set thread context of 2868 | 2900 | spoolsv.exe | 37
PID 2080 set thread context of 272 | 2080 | spoolsv.exe | 39
PID 604 set thread context of 1348 | 604 | spoolsv.exe | 41
PID 2364 set thread context of 980 | 2364 | spoolsv.exe | 43
PID 1040 set thread context of 2308 | 1040 | spoolsv.exe | 45
PID 1460 set thread context of 1900 | 1460 | spoolsv.exe | 47
PID 2568 set thread context of 2572 | 2568 | spoolsv.exe | 49
PID 2428 set thread context of 1792 | 2428 | spoolsv.exe | 51
PID 1408 set thread context of 276 | 1408 | spoolsv.exe | 53
PID 1684 set thread context of 1984 | 1684 | spoolsv.exe | 55
PID 1564 set thread context of 1560 | 1564 | spoolsv.exe | 58
PID 2968 set thread context of 2596 | 2968 | spoolsv.exe | 60
PID 1528 set thread context of 2648 | 1528 | spoolsv.exe | 62
PID 2128 set thread context of 1680 | 2128 | spoolsv.exe | 64
PID 2980 set thread context of 536 | 2980 | spoolsv.exe | 66
PID 2548 set thread context of 2172 | 2548 | spoolsv.exe | 68
Drops file in Windows directory 32 IoCs
description ioc Process File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened 
for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 2644 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe 1252 explorer.exe -
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 2644 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 2644 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 2932 explorer.exe 1252 explorer.exe 1252 explorer.exe 2900 spoolsv.exe 1252 explorer.exe 1252 explorer.exe 2080 spoolsv.exe 604 spoolsv.exe 2364 spoolsv.exe 1040 spoolsv.exe 1460 spoolsv.exe 2568 spoolsv.exe 2428 spoolsv.exe 1408 spoolsv.exe 1684 spoolsv.exe 2036 spoolsv.exe 1564 spoolsv.exe 2968 spoolsv.exe 1528 spoolsv.exe 2128 spoolsv.exe 2980 spoolsv.exe 2548 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 3000 wrote to memory of 280 3000 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 28 PID 280 wrote to memory of 2476 280 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 29 PID 280 wrote to memory of 2476 280 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 29 PID 280 wrote to memory of 2476 280 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 29 PID 280 wrote to memory of 2476 280 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 29 PID 280 wrote to memory of 2644 280 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 30 PID 280 wrote to memory of 2644 280 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 30 PID 280 wrote to memory of 2644 280 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 30 PID 280 wrote to memory of 2644 280 
003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 30 PID 280 wrote to memory of 2644 280 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 30 PID 280 wrote to memory of 2644 280 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 30 PID 2644 wrote to memory of 2932 2644 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 31 PID 2644 wrote to memory of 2932 2644 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 31 PID 2644 wrote to memory of 2932 2644 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 31 PID 2644 wrote to memory of 2932 2644 003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe 31 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2932 wrote to memory of 2028 2932 explorer.exe 32 PID 2028 wrote to memory of 1252 2028 explorer.exe 35 PID 2028 wrote to memory of 1252 2028 explorer.exe 35 PID 2028 wrote to memory of 1252 2028 explorer.exe 35 PID 2028 wrote to memory of 1252 2028 explorer.exe 35 PID 2028 wrote to memory of 1252 2028 explorer.exe 35 PID 2028 wrote to memory of 1252 2028 explorer.exe 35 PID 1252 wrote to memory of 2900 1252 explorer.exe 36 PID 1252 wrote to memory of 2900 1252 explorer.exe 36 PID 1252 wrote to memory of 2900 1252 explorer.exe 36 PID 1252 wrote to memory of 2900 1252 explorer.exe 36 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 
spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37 PID 2900 wrote to memory of 2868 2900 spoolsv.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2476
-
-
C:\Users\Admin\AppData\Local\Temp\003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\003d9d66be09db079b38d47f3eacd8cd_JaffaCakes118.exe"3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2868 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2444
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2080 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:272 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2008
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:604 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1348 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2884
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2364 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:980 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2872
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1040 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2308 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1352
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1460 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1900 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:896
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2568 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2572 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2436
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2428 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1792 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2684
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1408 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:276 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2164
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1684 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1984 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1824
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2036
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1564 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1560 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1040
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2968 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2596 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2668
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1528 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2648 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2124
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2128 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1680 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2700
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2980 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:536 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1832
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2548 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2172 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1520
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2736
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1644
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:844
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2276
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:544
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1656
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2064
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2860
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2832
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1108
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1504
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2364
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2676
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2920
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1728
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3064
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1724
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2912
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2240
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2632
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2540
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2416
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1344
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:840
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:900
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2436
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1768
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1284
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1204
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2212
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:604
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:592
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:584
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1688
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:920
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2056
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2592
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2344
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2632
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2896
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2396
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:640
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2808
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2464
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1476
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2560
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1216
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2224
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2820
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2404
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2544
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2148
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2336
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1008
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1532
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:328
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1596
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2768
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1692
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1888
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2932
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:948
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1132
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1760
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2228
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1660
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2560
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2860
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads