Analysis

- max time kernel: 150s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/04/2024, 14:29
Behavioral task: behavioral1

- Sample: 00f9d6d5224c25e77186a9a82187ef8d_JaffaCakes118.exe
- Resource: win7-20240215-en
General

- Target: 00f9d6d5224c25e77186a9a82187ef8d_JaffaCakes118.exe
- Size: 2.2MB
- MD5: 00f9d6d5224c25e77186a9a82187ef8d
- SHA1: 62ae0ce90d299cb9861b2e8599f3668390364305
- SHA256: 42a86257b661bc5cd0558642e7ac016ac2b9e6db4b1c591813a64d4f6e21b867
- SHA512: 159b768d092566becc00b7135c0330c060ee3fb115925bae40334a31893412f76e5d73c09e3da682122c6abed9c143de411c4073a7f64738923db751f8dfeb5b
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ0:0UzeyQMS4DqodCnoe+iitjWwwI
Malware Config

Extracted

- Family: pony
- C2: http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)

- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)

- Set value (int): \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)

- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)

Drops startup file (2 IoCs)

- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00f9d6d5224c25e77186a9a82187ef8d_JaffaCakes118.exe (process: 00f9d6d5224c25e77186a9a82187ef8d_JaffaCakes118.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00f9d6d5224c25e77186a9a82187ef8d_JaffaCakes118.exe (process: 00f9d6d5224c25e77186a9a82187ef8d_JaffaCakes118.exe)

Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)

- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)

Suspicious use of SetThreadContext (53 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)

- PID 2836: explorer.exe

Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- "C:\Users\Admin\AppData\Local\Temp\00f9d6d5224c25e77186a9a82187ef8d_JaffaCakes118.exe" (PID 2876) [Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory]
  - C:\Windows\splwow64.exe 12288 (PID 3416)
  - "C:\Users\Admin\AppData\Local\Temp\00f9d6d5224c25e77186a9a82187ef8d_JaffaCakes118.exe" (PID 652) [Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
    - c:\windows\system\explorer.exe (PID 2932) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory]
      - "c:\windows\system\explorer.exe" (PID 2836) [Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
        - c:\windows\system\spoolsv.exe SE (PID 2552) [Executes dropped EXE; Suspicious use of SetThreadContext]
          - "c:\windows\system\spoolsv.exe" (PID 1728) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - c:\windows\system\explorer.exe (PID 776) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              - "c:\windows\system\explorer.exe" (PID 2292)
        - c:\windows\system\spoolsv.exe SE (PID 1124) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 3844) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 916) [Executes dropped EXE; Suspicious use of SetThreadContext]
          - "c:\windows\system\spoolsv.exe" (PID 184) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 704) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 4528) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 2932) [Executes dropped EXE; Suspicious use of SetThreadContext]
          - "c:\windows\system\spoolsv.exe" (PID 1096) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - c:\windows\system\explorer.exe (PID 4172) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              - "c:\windows\system\explorer.exe" (PID 1976)
        - c:\windows\system\spoolsv.exe SE (PID 4452) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1668) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 220) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1940) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 3284) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 4924) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 2528) [Executes dropped EXE; Suspicious use of SetThreadContext]
          - "c:\windows\system\spoolsv.exe" (PID 3680) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 2612) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 4488) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - c:\windows\system\explorer.exe (PID 4872) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              - "c:\windows\system\explorer.exe" (PID 1540)
        - c:\windows\system\spoolsv.exe SE (PID 2816) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 2808) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 2756) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1108) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 1656) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 4248) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - c:\windows\system\explorer.exe (PID 5016) [Executes dropped EXE; Suspicious use of SetThreadContext]
              - "c:\windows\system\explorer.exe" (PID 4556)
        - c:\windows\system\spoolsv.exe SE (PID 2984) [Executes dropped EXE; Suspicious use of SetThreadContext]
          - "c:\windows\system\spoolsv.exe" (PID 684) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 2156) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1548) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 4624) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1400) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 3288) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1916) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 3852) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 5052) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - c:\windows\system\explorer.exe (PID 3108) [Executes dropped EXE; Suspicious use of SetThreadContext]
              - "c:\windows\system\explorer.exe" (PID 5000)
        - c:\windows\system\spoolsv.exe SE (PID 3632) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1020) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 4588) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 4820) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 2460) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 3080) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 3192) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 764) [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - c:\windows\system\explorer.exe (PID 4856) [Suspicious use of SetThreadContext; Drops file in Windows directory]
              - "c:\windows\system\explorer.exe" (PID 1612)
        - c:\windows\system\spoolsv.exe SE (PID 2384) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 3392) [Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 4536) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1164) [Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 2272) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 4444) [Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 4368) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1156) [Suspicious use of SetWindowsHookEx]
            - c:\windows\system\explorer.exe (PID 3104) [Suspicious use of SetThreadContext; Drops file in Windows directory]
              - "c:\windows\system\explorer.exe" (PID 4240)
        - c:\windows\system\spoolsv.exe SE (PID 5028) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 2360) [Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 1952) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 2852) [Suspicious use of SetWindowsHookEx]
        - c:\windows\system\spoolsv.exe SE (PID 3400) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 4592) [Suspicious use of SetWindowsHookEx]
            - c:\windows\system\explorer.exe (PID 4612) [Suspicious use of SetThreadContext; Drops file in Windows directory]
              - "c:\windows\system\explorer.exe" (PID 920)
        - c:\windows\system\spoolsv.exe SE (PID 4440) [Executes dropped EXE; Suspicious use of SetThreadContext]
          - "c:\windows\system\spoolsv.exe" (PID 4132)
            - c:\windows\system\explorer.exe (PID 2532) [Suspicious use of SetThreadContext]
              - "c:\windows\system\explorer.exe" (PID 4744)
        - c:\windows\system\spoolsv.exe SE (PID 4260) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 3712)
            - c:\windows\system\explorer.exe (PID 1360) [Drops file in Windows directory]
              - "c:\windows\system\explorer.exe" (PID 1652)
        - c:\windows\system\spoolsv.exe SE (PID 4004) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 4316)
            - c:\windows\system\explorer.exe (PID 1448) [Drops file in Windows directory]
              - "c:\windows\system\explorer.exe" (PID 1588)
        - c:\windows\system\spoolsv.exe SE (PID 536) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 3328)
            - c:\windows\system\explorer.exe (PID 2988) [Drops file in Windows directory]
        - c:\windows\system\spoolsv.exe SE (PID 1508) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1944)
            - c:\windows\system\explorer.exe (PID 2192) [Drops file in Windows directory]
        - c:\windows\system\spoolsv.exe SE (PID 4960) [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1272)
            - c:\windows\system\explorer.exe (PID 3524) [Drops file in Windows directory]
        - c:\windows\system\spoolsv.exe SE (PID 4496) [Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 1288)
            - c:\windows\system\explorer.exe (PID 2316)
        - c:\windows\system\spoolsv.exe SE (PID 1860) [Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 636)
        - c:\windows\system\spoolsv.exe SE (PID 3100) [Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 3616)
            - c:\windows\system\explorer.exe (PID 4332) [Drops file in Windows directory]
        - c:\windows\system\spoolsv.exe SE (PID 3216) [Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 5116)
        - c:\windows\system\spoolsv.exe SE (PID 2912) [Suspicious use of SetThreadContext; Drops file in Windows directory]
          - "c:\windows\system\spoolsv.exe" (PID 4620)
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:812
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1552 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:884
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1404 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4784
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:540
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3592 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4016
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3628
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5108
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1064
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2004
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3888
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3968
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:852
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2320
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4328
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1920
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:440
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1576
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5040
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2704
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4340
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1980
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2260
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4772
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
Downloads
- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize: 2.2MB
  MD5: 492007d6a2e8fff6675fe3bb9ce93a3a
  SHA1: ef806e457c6d52da6b82cef55e5e067324f8c3af
  SHA256: 4f1c1fe6a313234c72ae36716ec7ad9d38e2677081262964fb119f3c10d94f23
  SHA512: 29404c2e94375f5fc197e0cae112bf7ef094dc193722751bfcd7b76bd07f91d9e043344fcd2f91d8db573620a0ee5778940f974a201686cc6488d1134ee60d51
- Filesize: 2.2MB
  MD5: 12c35a3fd3b229695774e09a2024178c
  SHA1: f951a5e6dcc8f57bc0ec650882369f7d82bf0a00
  SHA256: 8d7a8e59f04d6aac1ae5adc4970429a4c02341972deef27ec4535a8a03acc177
  SHA512: b0738a972dc0e39b0babf47ad87d75cba959934106d6951ada0cc20518eae23211fcd31902c77023b2b43bd91db46090a86dc7bb163d4c3e1b6b88272b445c7e