Analysis
max time kernel: 145s
max time network: 50s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/04/2024, 11:26
Behavioral task: behavioral1
Sample: 00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe
Resource: win7-20231129-en
General
Target: 00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe
Size: 2.2MB
MD5: 00a98eba7929526544687a2b62bd254b
SHA1: 7f2ae1a38d935364c2da043b522adc8f13d8bbf7
SHA256: 3e7fca3a9d05f4ca79ee276f4b844820a7e5b7f7c2b3237a870de8e82220cb99
SHA512: 5daa500e75e3af9d0919a68c4c9d912d8eda15653f9bd896a420d8c638c250f81130bef0586ee6b4708d20ab55b4ee31706a13fb870ecf76d8dd3ffad7b8f012
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZa:0UzeyQMS4DqodCnoe+iitjWww2
Malware Config (extracted)
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
Note on the registry paths below: every HKLM value is written under WOW6432Node, i.e. into the 32-bit view of the registry (the sample is a 32-bit binary running on the x64 image), so a hunt for these artefacts has to query the WOW6432Node view as well as the native one.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Set value (str) by explorer.exe (the dropped c:\windows\system\explorer.exe, PID 1688 in the process tree):
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Winlogon starts every comma-separated entry of the Shell value, so the genuine shell still comes up and the dropped copy is launched beside it at each logon.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Set value (int) by explorer.exe:
\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
A value of 0 re-enables "Hide protected operating system files", so files carrying the hidden+system attributes stay invisible in Explorer even if the user had switched that option off.

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Key created by explorer.exe: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
The key name is not a valid GUID (Y, O, T, R, W, U, G, H and S are not hex digits), which makes it a cheap thing to hunt for; Active Setup runs the StubPath once per user profile at the next logon.

Drops startup file (2 IoCs)
File created, then opened for modification, by 00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe:
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe

Executes dropped EXE (64 IoCs)
pid process: 536 explorer.exe, 1688 explorer.exe, 4828 spoolsv.exe, 5032 spoolsv.exe, 4980 spoolsv.exe, 1732 spoolsv.exe, 400 spoolsv.exe, 2476 spoolsv.exe, 5044 spoolsv.exe, 860 spoolsv.exe, 1960 spoolsv.exe, 2332 spoolsv.exe, 2368 spoolsv.exe, 4068 spoolsv.exe, 3644 spoolsv.exe, 1972 spoolsv.exe, 3408 spoolsv.exe, 3872 spoolsv.exe, 2560 spoolsv.exe, 4540 spoolsv.exe, 4296 spoolsv.exe, 712 spoolsv.exe, 1748 spoolsv.exe, 4984 spoolsv.exe, 4484 spoolsv.exe, 3632 spoolsv.exe, 4264 spoolsv.exe, 4608 spoolsv.exe, 1252 spoolsv.exe, 1628 spoolsv.exe, 4904 spoolsv.exe, 2620 spoolsv.exe, 1520 spoolsv.exe, 1528 explorer.exe, 4240 spoolsv.exe, 4604 spoolsv.exe, 3684 spoolsv.exe, 1092 spoolsv.exe, 5072 explorer.exe, 4332 spoolsv.exe, 3988 spoolsv.exe, 4316 spoolsv.exe, 3364 spoolsv.exe, 1444 spoolsv.exe, 3208 explorer.exe, 672 spoolsv.exe, 3068 spoolsv.exe, 3516 spoolsv.exe, 3564 spoolsv.exe, 3036 spoolsv.exe, 1384 spoolsv.exe, 2156 explorer.exe, 3148 spoolsv.exe, 1708 spoolsv.exe, 4760 spoolsv.exe, 540 spoolsv.exe, 1900 explorer.exe, 664 spoolsv.exe, 3508 spoolsv.exe, 4972 spoolsv.exe, 940 spoolsv.exe, 4388 spoolsv.exe, 2388 spoolsv.exe, 4556 spoolsv.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
The RunOnce\Svchost entry points at c:\windows\system\svchost.exe, a path that does not appear among the 64 file-drop IoCs listed further down (that list is capped at 64 entries, so its absence is not conclusive).
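The four registry artefacts above (the Winlogon\Shell list, the RunOnce values, the Active Setup key and its StubPath, and ShowSuperHidden) can be scored mechanically. The following checker is an added example and is not part of this sandbox report or of any tool it names. Its input is a plain dict snapshot so that it runs offline; REPORT_SNAPSHOT is constructed from the values listed above (with the doubled backslashes as the report prints them), CLEAN_SNAPSHOT is constructed for comparison, and the heuristics that c:\windows\system\ and anything under AppData are never legitimate autostart locations, and that LEGIT_SHELL holds the only acceptable Shell entries, are assumptions.

```python
"""Score registry persistence artefacts of the kind this report lists.

Added example; not code from the sandbox or the malware. Input is a plain dict
(REPORT_SNAPSHOT below is constructed from the report's own values) so it runs
offline; on a live host you would fill the same dict from winreg or a
`reg export` dump, reading the WOW6432Node view as well as the native one.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (rule id, offending value)

# Active Setup\Installed Components key names are GUIDs: {8-4-4-4-12} hex digits.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I
)

# Assumption: the only entries Winlogon\Shell should ever carry.
LEGIT_SHELL = {"explorer.exe", "c:\\windows\\explorer.exe"}


def _norm(path: str) -> str:
    """Lower-case, unquote and collapse the doubled backslashes sandbox reports print."""
    return path.strip().strip('"').lower().replace("\\\\", "\\")


def _exe_of(cmdline: str) -> str:
    """First token of a command line, honouring a quoted executable path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return _norm(cmdline[1:].split('"', 1)[0])
    return _norm(cmdline.split(" ", 1)[0])


def in_suspicious_dir(exe: str) -> bool:
    """Assumption: autostart binaries never live in the legacy C:\\Windows\\System\\
    directory (note: not System32) or anywhere under a user's AppData."""
    exe = _norm(exe)
    return exe.startswith("c:\\windows\\system\\") or "\\appdata\\" in exe


def is_valid_guid(name: str) -> bool:
    return bool(GUID_RE.match(name))


def check_winlogon_shell(value: str) -> List[Finding]:
    """Winlogon\\Shell is a comma-separated list and every entry is started at
    logon, so an appended entry is persistence even with explorer.exe listed first."""
    return [("WINLOGON_SHELL_EXTRA", e) for e in map(_norm, value.split(","))
            if e and e not in LEGIT_SHELL]


def check_run_keys(values: Dict[str, str]) -> List[Finding]:
    """Run/RunOnce values whose executable sits in a suspicious directory."""
    return [("RUN_KEY_SUSPICIOUS_DIR", f"{name} = {cmd}")
            for name, cmd in values.items() if in_suspicious_dir(_exe_of(cmd))]


def check_active_setup(components: Dict[str, str]) -> List[Finding]:
    """Installed Components: a non-GUID key name is a forgery by itself; a
    StubPath under AppData is a user-writable autostart."""
    out: List[Finding] = []
    for key, stub in components.items():
        if not is_valid_guid(key):
            out.append(("ACTIVE_SETUP_BAD_GUID", key))
        if stub and in_suspicious_dir(_exe_of(stub)):
            out.append(("ACTIVE_SETUP_USER_STUB", stub))
    return out


def audit(snapshot: dict) -> List[Finding]:
    """Run every check over a snapshot dict; see REPORT_SNAPSHOT for the shape."""
    findings = check_winlogon_shell(snapshot.get("winlogon_shell", "explorer.exe"))
    findings += check_run_keys(snapshot.get("runonce", {}))
    findings += check_active_setup(snapshot.get("active_setup", {}))
    # ShowSuperHidden=0 is also the Windows default, so the value alone is a weak
    # signal; the report's real evidence is that the malware wrote it.
    if snapshot.get("show_super_hidden_written") and snapshot.get("show_super_hidden") == 0:
        findings.append(("SUPERHIDDEN_FORCED_OFF", "ShowSuperHidden = 0"))
    return findings


# Constructed from the values in this report (doubled backslashes as printed).
REPORT_SNAPSHOT = {
    "winlogon_shell": r"C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe",
    "runonce": {
        "Explorer": r"c:\\windows\\system\\explorer.exe RO",
        "Svchost": r"c:\\windows\\system\\svchost.exe RO",
    },
    "active_setup": {
        "{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}": r"C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR",
    },
    "show_super_hidden": 0,
    "show_super_hidden_written": True,
}

# Constructed clean host for comparison; the key name is merely GUID-shaped.
CLEAN_SNAPSHOT = {
    "winlogon_shell": "explorer.exe",
    "runonce": {},
    "active_setup": {"{89820200-ECBD-11CF-8B85-00AA005B4340}": r"C:\Windows\System32\ie4uinit.exe -UserIconConfig"},
}

if __name__ == "__main__":
    for rule, detail in audit(REPORT_SNAPSHOT):
        print(f"{rule:24} {detail}")
```

Against REPORT_SNAPSHOT the checker returns six findings (the extra Shell entry, both RunOnce values, the forged GUID, the AppData StubPath and the forced ShowSuperHidden); against CLEAN_SNAPSHOT it returns none. The System32 path in the clean snapshot is deliberately there to show that the c:\windows\system\ prefix test does not misfire on c:\windows\system32\.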
Suspicious use of SetThreadContext (53 IoCs)
Row format: injecting PID (its image) -> PID whose thread context was set (sandbox procid_target). In every pair that also appears in the process tree the target is a freshly started copy of the injector's own image; together with the WriteProcessMemory rows further down this is the process-hollowing pattern (write into a child, then redirect its thread).
1560 (00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe) -> 1432 (88); 536 (explorer.exe) -> 1688 (92); 4828 (spoolsv.exe) -> 1520 (125); 5032 (spoolsv.exe) -> 4240 (127); 4980 (spoolsv.exe) -> 4604 (128); 1732 (spoolsv.exe) -> 3684 (129); 400 (spoolsv.exe) -> 1092 (130); 2476 (spoolsv.exe) -> 4332 (132); 5044 (spoolsv.exe) -> 4316 (134); 860 (spoolsv.exe) -> 3364 (135); 1960 (spoolsv.exe) -> 1444 (136); 2332 (spoolsv.exe) -> 672 (138); 2368 (spoolsv.exe) -> 3068 (139); 4068 (spoolsv.exe) -> 3564 (141); 3644 (spoolsv.exe) -> 3036 (142); 1972 (spoolsv.exe) -> 1384 (143); 3408 (spoolsv.exe) -> 1708 (146); 3872 (spoolsv.exe) -> 4760 (147); 2560 (spoolsv.exe) -> 540 (148); 4540 (spoolsv.exe) -> 3508 (151); 4296 (spoolsv.exe) -> 4972 (152); 712 (spoolsv.exe) -> 940 (153); 1748 (spoolsv.exe) -> 4388 (154); 4984 (spoolsv.exe) -> 4556 (156); 4484 (spoolsv.exe) -> 456 (158); 3632 (spoolsv.exe) -> 4848 (159); 4264 (spoolsv.exe) -> 1796 (160); 4608 (spoolsv.exe) -> 4876 (162); 1252 (spoolsv.exe) -> 3012 (163); 1628 (spoolsv.exe) -> 4496 (165); 4904 (spoolsv.exe) -> 3916 (167); 1528 (explorer.exe) -> 1896 (172); 2620 (spoolsv.exe) -> 1560 (173); 5072 (explorer.exe) -> 388 (177); 3988 (spoolsv.exe) -> 3436 (179); 3208 (explorer.exe) -> 4340 (183); 3516 (spoolsv.exe) -> 2908 (184); 2156 (explorer.exe) -> 3892 (188); 3148 (spoolsv.exe) -> 5016 (189); 1900 (explorer.exe) -> 3216 (194); 664 (spoolsv.exe) -> 1868 (195); 2388 (spoolsv.exe) -> 1052 (199); 872 (explorer.exe) -> 4312 (202); 1212 (spoolsv.exe) -> 4796 (204); 4300 (explorer.exe) -> 1916 (206); 2968 (spoolsv.exe) -> 916 (207); 1416 (explorer.exe) -> 4468 (208); 3828 (spoolsv.exe) -> 952 (209); 1596 (spoolsv.exe) -> 4872 (211); 4384 (spoolsv.exe) -> 3124 (213); 1240 (spoolsv.exe) -> 1404 (215); 1892 (explorer.exe) -> 5088 (216); 216 (spoolsv.exe) -> 4752 (217)
Note the row 2620 -> 1560: PID 1560 was the original sample's PID, so by this point the sample had exited and the OS had handed its PID number to a new spoolsv.exe copy. PID alone is therefore not a stable key when correlating these tables.

Drops file in Windows directory (64 IoCs)
- C:\Windows\Parameters.ini: "File opened for modification" 60 times (48 by spoolsv.exe, 12 by explorer.exe)
- C:\Windows\system\udsys.exe: opened for modification by explorer.exe
- \??\c:\windows\system\explorer.exe: opened for modification by 00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe, and again later by explorer.exe
- \??\c:\windows\system\spoolsv.exe: opened for modification by explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid process: 1432 00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe (2 entries), 1688 explorer.exe (62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid process: 1688 explorer.exe

Suspicious use of SetWindowsHookEx (64 IoCs)
pid process, two entries each unless noted: 1432 00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe; 1688 explorer.exe (4 entries); spoolsv.exe PIDs 1520, 4240, 4604, 3684, 1092, 4332, 4316, 3364, 1444, 672, 3068, 3564, 3036, 1384, 1708, 4760, 540, 3508, 4972, 940, 4388, 4556, 456, 4848, 1796, 4876, 3012, 4496, 3916

Suspicious use of WriteProcessMemory (64 IoCs; the sandbox caps this list at 64 rows)
Row format: writing PID (its image) -> PID written to (procid_target), with the number of identical rows:
1560 (00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe) -> 3788 (84) x2; 1560 -> 1432 (88) x5; 1432 (00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe) -> 536 (89) x3; 536 (explorer.exe) -> 1688 (92) x5; 1688 (explorer.exe) -> 4828 (93), 5032 (94), 4980 (95), 1732 (96), 400 (97), 2476 (98), 5044 (99), 860 (100), 1960 (101), 2332 (102), 2368 (103), 4068 (105), 3644 (107), 1972 (108), 3408 (109), 3872 (110), x3 each; 1688 (explorer.exe) -> 2560 (111) x1 (cut off at the 64-row limit)
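The SetThreadContext and WriteProcessMemory tables above can be paired mechanically: a parent writing into a child's memory is also what ordinary process creation looks like in these reports, so the hollowing signal is a (writer, target) pair that receives both a write and a SetThreadContext. The parser below is an added example and not sandbox code. SAMPLE_ROWS is constructed by copying nine rows from the two tables above; the parser accepts the tables pasted as one run-together line, as the page prints them, and it also shows the PID-reuse edge case from the report (2620 sets the context of a new process numbered 1560, the original sample's PID). Treating procid_target as the sandbox's spawn-order index is an assumption.

```python
"""Reconstruct injection chains from the flattened SetThreadContext /
WriteProcessMemory tables a sandbox prints (the format used in this report).

Added example, not code from the sandbox. SAMPLE_ROWS is constructed by copying
rows from this report's two tables. procid_target is treated as the sandbox's
spawn-order index, which is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# "PID <src> <action> <dst> <src again> <image of src> <procid_target>"; the
# back-reference \1 pins the repeated source pid so run-together rows split cleanly.
ROW_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\d+)"
)


@dataclass(frozen=True)
class Row:
    src: int        # injecting / parent pid
    action: str
    dst: int        # pid written to or re-contexted
    process: str    # image name of src, as the sandbox prints it
    target_id: int  # sandbox-internal index of dst (assumed monotonic in spawn order)


def parse_rows(text: str) -> List[Row]:
    return [Row(int(m[1]), m[2], int(m[3]), m[4], int(m[5])) for m in ROW_RE.finditer(text)]


def classify(rows: List[Row]) -> Dict[str, Set[Tuple[int, int]]]:
    """Split (src, dst) pairs: a write alone is consistent with ordinary child
    creation; a write plus SetThreadContext on the same child is hollowing."""
    stc = {(r.src, r.dst) for r in rows if r.action == "set thread context of"}
    wpm = {(r.src, r.dst) for r in rows if r.action == "wrote to memory of"}
    return {"hollowed": stc & wpm, "written_only": wpm - stc, "context_only": stc - wpm}


def build_parent_map(rows: List[Row]) -> Tuple[Dict[int, int], Set[int]]:
    """Parent pid per child, walking rows in spawn order. A pid that already acted
    as a source and later shows up as a target is a recycled pid (a new, unrelated
    process); it is reported rather than wired into the tree, which would otherwise
    create a cycle."""
    parent: Dict[int, int] = {}
    reused: Set[int] = set()
    seen_src: Set[int] = set()
    for r in sorted(rows, key=lambda r: r.target_id):
        if r.dst in seen_src:
            reused.add(r.dst)
            continue
        parent.setdefault(r.dst, r.src)
        seen_src.add(r.src)
    return parent, reused


def lineage(parent: Dict[int, int], pid: int) -> List[int]:
    """Root-first chain of pids ending at pid; the visited set guards against cycles."""
    chain, seen = [pid], {pid}
    while chain[0] in parent and parent[chain[0]] not in seen:
        chain.insert(0, parent[chain[0]])
        seen.add(chain[0])
    return chain


# Constructed by copying rows from the report's two tables (one per line here;
# the same text with the newlines removed parses identically).
SAMPLE_ROWS = """
PID 1560 set thread context of 1432 1560 00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe 88
PID 536 set thread context of 1688 536 explorer.exe 92
PID 4828 set thread context of 1520 4828 spoolsv.exe 125
PID 2620 set thread context of 1560 2620 spoolsv.exe 173
PID 1560 wrote to memory of 3788 1560 00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe 84
PID 1560 wrote to memory of 1432 1560 00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe 88
PID 1432 wrote to memory of 536 1432 00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe 89
PID 536 wrote to memory of 1688 536 explorer.exe 92
PID 1688 wrote to memory of 4828 1688 explorer.exe 93
"""

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    groups = classify(rows)
    parent, reused = build_parent_map(rows)
    print("hollowed pairs:", sorted(groups["hollowed"]))
    print("lineage of 1520:", " -> ".join(map(str, lineage(parent, 1520))))
    print("recycled pids:", sorted(reused))
```

On the nine sample rows this yields the hollowed pairs (1560, 1432) and (536, 1688), the lineage 1560 -> 1432 -> 536 -> 1688 -> 4828 -> 1520, and 1560 flagged as a recycled PID; 4828 -> 1520 lands in context_only simply because its WriteProcessMemory row falls beyond the report's 64-row cap, which is why the classification should be read alongside the process tree rather than on its own.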
Processes
Indented by depth (the sandbox's levels 1 to 8). Each line gives the command line as recorded, the PID, and in brackets the signatures the sandbox attributed to that process. Every c:\windows\system\ binary was started from the NT path \??\c:\windows\system\. The same two-step shape repeats throughout: an unquoted launch (with a short argument such as SE) starts a quoted copy of the same binary and sets its thread context, exactly as the original sample does to its own second instance (PID 1432).
Signature abbreviations: EDE = Executes dropped EXE; STC = Suspicious use of SetThreadContext; DFW = Drops file in Windows directory; SWH = Suspicious use of SetWindowsHookEx; WPM = Suspicious use of WriteProcessMemory; ENUM = Suspicious behavior: EnumeratesProcesses.

"C:\Users\Admin\AppData\Local\Temp\00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe"  PID 1560  [Drops startup file; STC; WPM]
  C:\Windows\splwow64.exe 12288  PID 3788
  "C:\Users\Admin\AppData\Local\Temp\00a98eba7929526544687a2b62bd254b_JaffaCakes118.exe"  PID 1432  [DFW; ENUM; SWH; WPM]
    c:\windows\system\explorer.exe  PID 536  [EDE; STC; DFW; WPM]
      "c:\windows\system\explorer.exe"  PID 1688  [Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; EDE; Adds Run key to start application; DFW; ENUM; Suspicious behavior: GetForegroundWindowSpam; SWH; WPM]
        c:\windows\system\spoolsv.exe SE  PID 4828  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 1520  [EDE; SWH]
            c:\windows\system\explorer.exe  PID 1528  [EDE; STC; DFW]
              "c:\windows\system\explorer.exe"  PID 1896
        c:\windows\system\spoolsv.exe SE  PID 5032  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 4240  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 4980  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 4604  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 1732  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 3684  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 400  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 1092  [EDE; SWH]
            c:\windows\system\explorer.exe  PID 5072  [EDE; STC; DFW]
              "c:\windows\system\explorer.exe"  PID 388
        c:\windows\system\spoolsv.exe SE  PID 2476  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 4332  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 5044  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 4316  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 860  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 3364  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 1960  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 1444  [EDE; SWH]
            c:\windows\system\explorer.exe  PID 3208  [EDE; STC; DFW]
              "c:\windows\system\explorer.exe"  PID 4340
        c:\windows\system\spoolsv.exe SE  PID 2332  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 672  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 2368  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 3068  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 4068  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 3564  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 3644  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 3036  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 1972  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 1384  [EDE; SWH]
            c:\windows\system\explorer.exe  PID 2156  [EDE; STC; DFW]
              "c:\windows\system\explorer.exe"  PID 3892
        c:\windows\system\spoolsv.exe SE  PID 3408  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 1708  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 3872  [EDE; STC]
          "c:\windows\system\spoolsv.exe"  PID 4760  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 2560  [EDE; STC]
          "c:\windows\system\spoolsv.exe"  PID 540  [EDE; SWH]
            c:\windows\system\explorer.exe  PID 1900  [EDE; STC; DFW]
              "c:\windows\system\explorer.exe"  PID 3216
        c:\windows\system\spoolsv.exe SE  PID 4540  [EDE; STC]
          "c:\windows\system\spoolsv.exe"  PID 3508  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 4296  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 4972  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 712  [EDE; STC]
          "c:\windows\system\spoolsv.exe"  PID 940  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 1748  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 4388  [EDE; SWH]
        c:\windows\system\spoolsv.exe SE  PID 4984  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 4556  [EDE; SWH]
            c:\windows\system\explorer.exe  PID 872  [STC]
              "c:\windows\system\explorer.exe"  PID 4312
        c:\windows\system\spoolsv.exe SE  PID 4484  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 456  [SWH]
        c:\windows\system\spoolsv.exe SE  PID 3632  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 4848  [SWH]
        c:\windows\system\spoolsv.exe SE  PID 4264  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 1796  [SWH]
        c:\windows\system\spoolsv.exe SE  PID 4608  [EDE; STC]
          "c:\windows\system\spoolsv.exe"  PID 4876  [SWH]
        c:\windows\system\spoolsv.exe SE  PID 1252  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 3012  [SWH]
            c:\windows\system\explorer.exe  PID 4300  [STC]
              "c:\windows\system\explorer.exe"  PID 1916
        c:\windows\system\spoolsv.exe SE  PID 1628  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 4496  [SWH]
        c:\windows\system\spoolsv.exe SE  PID 4904  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 3916  [SWH]
            c:\windows\system\explorer.exe  PID 1416  [STC; DFW]
              "c:\windows\system\explorer.exe"  PID 4468
        c:\windows\system\spoolsv.exe SE  PID 2620  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 1560  (same PID number as the original sample, which had exited by then; the OS recycled it)
            c:\windows\system\explorer.exe  PID 1892  [STC]
              "c:\windows\system\explorer.exe"  PID 5088
        c:\windows\system\spoolsv.exe SE  PID 3988  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 3436
            c:\windows\system\explorer.exe  PID 1360
              "c:\windows\system\explorer.exe"  PID 432
        c:\windows\system\spoolsv.exe SE  PID 3516  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 2908
            c:\windows\system\explorer.exe  PID 3904  [DFW]
        c:\windows\system\spoolsv.exe SE  PID 3148  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 5016
            c:\windows\system\explorer.exe  PID 4280  [DFW]
        c:\windows\system\spoolsv.exe SE  PID 664  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 1868
            c:\windows\system\explorer.exe  PID 4976  [DFW]
        c:\windows\system\spoolsv.exe SE  PID 2388  [EDE; STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 1052
            c:\windows\system\explorer.exe  PID 3600
        c:\windows\system\spoolsv.exe SE  PID 1212  [STC]
          "c:\windows\system\spoolsv.exe"  PID 4796
            c:\windows\system\explorer.exe  PID 380  [DFW]
        c:\windows\system\spoolsv.exe SE  PID 2968  [STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 916
        c:\windows\system\spoolsv.exe SE  PID 3828  [STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 952
        c:\windows\system\spoolsv.exe SE  PID 1596  [STC]
          "c:\windows\system\spoolsv.exe"  PID 4872
        c:\windows\system\spoolsv.exe SE  PID 4384  [STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 3124
            c:\windows\system\explorer.exe  PID 5096  [DFW]
        c:\windows\system\spoolsv.exe SE  PID 1240  [STC; DFW]
          "c:\windows\system\spoolsv.exe"  PID 1404
        c:\windows\system\spoolsv.exe SE  (entry cut off on the page; no PID or signatures recorded)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:216 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4752
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2664 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4820
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1772
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3956 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1696
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1940
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1776
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2056
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3612
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1680
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2568
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2076
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4160
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2516
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2600
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4404
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3004
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4836
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4260
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1764
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1
Downloads