Analysis
- max time kernel: 118s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/04/2024, 09:04
Behavioral task: behavioral1
- Sample: 006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe
- Size: 2.2MB
- MD5: 006ed1949f1e8309a2cea9cd84e812d0
- SHA1: 42cb4f0bd8f6859fd56c6d50d14cb5e10bf8a41f
- SHA256: 10d74365ffe0808c1733de8e04567b07d0b462dc5f2dd547091ce5604039a10e
- SHA512: 4aa074eae3092190b7d66ab03b55b37c4c2505eaf701f6b366334c7fd6ad7bfc4e98ef4100e1ee2d5fe98069870abbc52a6a4bed3cfca56a3ef251864371867e
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZN:0UzeyQMS4DqodCnoe+iitjWwwh
Malware Config
Extracted
- Family: pony
- C2: http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) by explorer.exe: \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
- Key created by explorer.exe: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"

Drops startup file (2 IoCs)
- File created by 006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe
- File opened for modification by 006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe

Executes dropped EXE (64 IoCs)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"

Suspicious use of SetThreadContext (27 IoCs)

Drops file in Windows directory (44 IoCs, distinct entries listed)
- File opened for modification: C:\Windows\Parameters.ini (by spoolsv.exe, explorer.exe and 006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (by explorer.exe and 006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (by explorer.exe)

Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious use of SetWindowsHookEx (56 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)

Processes

PID 4384: C:\Users\Admin\AppData\Local\Temp\006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe")
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID 4452: C:\Windows\splwow64.exe (cmdline: C:\Windows\splwow64.exe 12288)
  PID 3400: C:\Users\Admin\AppData\Local\Temp\006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\006ed1949f1e8309a2cea9cd84e812d0_JaffaCakes118.exe")
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 408: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID 5108: \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 4516: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3532: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 3760: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 5976: \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
                - Suspicious use of SetWindowsHookEx
        PID 2004: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4864: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 4576: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Drops file in Windows directory
              PID 4892: \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        PID 3772: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5116: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 2440: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5236: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 2024: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5680: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 5752: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Drops file in Windows directory
              PID 5100: \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        PID 4056: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5780: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4572: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5872: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4468: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5964: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4924: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5452: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 5596: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Drops file in Windows directory
              PID 5796: \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        PID 448: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5644: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 2888: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 6008: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 2956: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 6076: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4980: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5216: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 5364: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Drops file in Windows directory
              PID 6052: \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        PID 1048: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5380: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 2456: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5988: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 6072: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Drops file in Windows directory
              PID 5176: \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        PID 3688: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5600: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1244: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5628: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 1220: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Drops file in Windows directory
              PID 4040: \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        PID 452: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4868: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 2720: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5700: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1500: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1528: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 5020: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 6140: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 548: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2924: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 5792: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Drops file in Windows directory
              PID 2620: \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        PID 964: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1516: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 3192: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5472: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Suspicious use of SetWindowsHookEx
            PID 5296: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              PID 1472: \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        PID 5168: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Drops file in Windows directory
          PID 5140: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            PID 2444: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
        PID 5148: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Drops file in Windows directory
          PID 5188: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            PID 6064: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
        PID 1600: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Drops file in Windows directory
          PID 2324: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            PID 6056: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
        PID 4364: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Drops file in Windows directory
          PID 368: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
        PID 4168: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Drops file in Windows directory
          PID 5828: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            PID 1796: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
        PID 5916: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Drops file in Windows directory
          PID 4456: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            PID 5704: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
        PID 5640: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Drops file in Windows directory
          PID 5272: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            PID 3692: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
        PID 3460: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          PID 2996: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            PID 5312: \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
        PID 3552: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          PID 5720: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
        PID 6080: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          PID 4640: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
        PID 5448: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          PID 5756: \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
        PID 212: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 3452: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 5676: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 5864: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 5992: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 4104: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 5552: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 5232: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 5200: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 5560: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 5488: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 4848: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
        PID 1820: \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)

PID 1460: C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize: 2.2MB
  MD5: e68159e57e0079fa505969c9911b0bd4
  SHA1: 57e8c31d4e277bb4df55c7b83856fa1a02975490
  SHA256: 21e304df13a23059bc06ef0d156e2d3075c926fe849b0c276decdb81902105f8
  SHA512: 71cb501a8bab26e9975ee92b91aeaaafb93bc588b7b793d35d2a4713d28783aeae5b78dac44af0b7fa0b5aa2757128568d4df15954ddbe33cb052a2b3085ce65
- Filesize: 2.2MB
  MD5: 1dfbe2035128ebe32668b9baf35e020c
  SHA1: 1c2dc5af19a212e3fb205126ec4d142607841d21
  SHA256: a76d466506a6bfbdf22d3820a43ebbd59565bce36c03de764292d8ea5eb8186f
  SHA512: f862b266f2ba987919421bde56cd6632c938180705726f666c1525deb436d0a189d0b6e1c25feedff6e51a0b488ffd1b29c81ca2b7007e3a899961df1ba3e547