Analysis

max time kernel: 148s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/04/2024, 13:13

Behavioral task: behavioral1
Sample: 00d85b7fe1b0faea4cb46c391b211c34_JaffaCakes118.exe
Resource: win7-20240215-en

General

Target: 00d85b7fe1b0faea4cb46c391b211c34_JaffaCakes118.exe
Size: 2.2MB
MD5: 00d85b7fe1b0faea4cb46c391b211c34
SHA1: a198619d31079d495e7dc7985bef762310d12cec
SHA256: 0d5fa47a325037afcffd5c1f16da5201a3d85e030b04b93a6863514e8fe1c0e5
SHA512: ee361df13738623811470674e49de7f692911c385d24b6b44b1cdba2256c94cf0f7c625b9fb9b7931b3ac03d301b51233ba1674e9e0008bc4d859b58b3a77f2c
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZf:0UzeyQMS4DqodCnoe+iitjWwwz

Malware Config

Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00d85b7fe1b0faea4cb46c391b211c34_JaffaCakes118.exe (process: 00d85b7fe1b0faea4cb46c391b211c34_JaffaCakes118.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00d85b7fe1b0faea4cb46c391b211c34_JaffaCakes118.exe (process: 00d85b7fe1b0faea4cb46c391b211c34_JaffaCakes118.exe)
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext (61 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4872, explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\00d85b7fe1b0faea4cb46c391b211c34_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\00d85b7fe1b0faea4cb46c391b211c34_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:3440
-
-
C:\Users\Admin\AppData\Local\Temp\00d85b7fe1b0faea4cb46c391b211c34_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\00d85b7fe1b0faea4cb46c391b211c34_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2228 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:540 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5492 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1516
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1756 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5732
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4560 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3432
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:880 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6012
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4352 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6072
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2064 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5180
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2016 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5480
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2608 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2076
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:484 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3748
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4732 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5908
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4104 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6016
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2224 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2964
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:640 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3648
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1532 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5916 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:740 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5384
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3400 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4284
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5260 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2092
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5632 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5732
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:6024 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4044
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5496 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5724
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5756 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:864
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5972 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2204
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5128 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6048
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5708 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5000 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3328 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2688
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5428 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5272
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5472 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3516 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
PID:5228 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5784
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5860 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:5276 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3332 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2672
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5136 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3476
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4204 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:5180
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5432 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:528
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3668  [Executes dropped EXE; Suspicious use of SetThreadContext]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:3088
    [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:5636  [Suspicious use of SetThreadContext; Drops file in Windows directory]
      [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID:1588
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5176  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1672
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:568  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5792
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5124  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:2564
    [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:1704  [Suspicious use of SetThreadContext; Drops file in Windows directory]
      [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID:2796
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5236  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4228
    [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:2464
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1752  [Executes dropped EXE; Suspicious use of SetThreadContext]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:3520
    [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:4972  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5768  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5620
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5076  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:368
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5084  [Suspicious use of SetThreadContext]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:2976
    [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:2444
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5996  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5028
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5040  [Suspicious use of SetThreadContext]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:3224
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5656  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:544
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3184  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:224
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3612  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4452
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:6040  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5928
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5368  [Suspicious use of SetThreadContext]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:3588
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5372  [Suspicious use of SetThreadContext]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5588
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5400  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5188
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:6136  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1236
    [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:4500  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:6012  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:2924
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1612  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5312
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5808  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5976
    [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:5200  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:552  [Suspicious use of SetThreadContext; Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5720
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1708  [Suspicious use of SetThreadContext]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:6032
    [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:5140
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5380  [Drops file in Windows directory]
  [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:2152
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4580  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1732
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4712  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5336  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:6096  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5328  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:2164  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:864  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4768  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1584
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5240  [Drops file in Windows directory]
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5692
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:2768

[1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc  PID:3932
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads