Analysis
-
max time kernel
138s -
max time network
49s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
26/04/2024, 17:57
Behavioral task
behavioral1
Sample
0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
0156761d63a870ee3ff8c472e4bf8df7
-
SHA1
3d1d5dcb310c8c501755eceeb136cb52642170b0
-
SHA256
6599fb2784ec954535297cc9252d718c64abc4a3bd9675ee21fe707b9847a5ac
-
SHA512
2b0c9be43d640a1841c1b66f16679aa45588d7f68500a58878e1be51e4d9e9da086be726e84b528f1678982c49d28ca8d7dfa96be7858b5b0f2e39ceb79e29dd
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZA:0UzeyQMS4DqodCnoe+iitjWwwU
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
pid Process 4576 explorer.exe 1220 explorer.exe 2200 spoolsv.exe 1512 spoolsv.exe 1604 spoolsv.exe 3724 spoolsv.exe 4576 spoolsv.exe 3244 spoolsv.exe 1600 spoolsv.exe 1752 spoolsv.exe 2132 spoolsv.exe 4004 spoolsv.exe 1720 spoolsv.exe 3848 spoolsv.exe 3496 spoolsv.exe 5020 spoolsv.exe 4108 spoolsv.exe 1480 spoolsv.exe 3188 spoolsv.exe 2676 spoolsv.exe 2684 spoolsv.exe 2128 spoolsv.exe 3860 spoolsv.exe 2836 spoolsv.exe 1060 spoolsv.exe 3524 spoolsv.exe 3324 spoolsv.exe 3656 spoolsv.exe 2308 spoolsv.exe 4988 spoolsv.exe 1444 spoolsv.exe 4596 spoolsv.exe 4300 explorer.exe 4076 spoolsv.exe 5080 spoolsv.exe 2960 spoolsv.exe 1076 spoolsv.exe 1500 spoolsv.exe 1448 spoolsv.exe 512 explorer.exe 4932 spoolsv.exe 3676 spoolsv.exe 2268 spoolsv.exe 1540 spoolsv.exe 3456 spoolsv.exe 624 explorer.exe 2552 spoolsv.exe 3808 spoolsv.exe 2784 spoolsv.exe 2764 spoolsv.exe 4780 spoolsv.exe 3764 spoolsv.exe 1272 explorer.exe 2408 spoolsv.exe 4776 spoolsv.exe 1548 spoolsv.exe 2036 spoolsv.exe 1456 spoolsv.exe 1572 explorer.exe 3944 spoolsv.exe 1048 spoolsv.exe 1208 spoolsv.exe 2792 spoolsv.exe 1588 spoolsv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 46 IoCs
description pid Process procid_target PID 960 set thread context of 2916 960 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 88 PID 4576 set thread context of 1220 4576 explorer.exe 99 PID 2200 set thread context of 4596 2200 spoolsv.exe 129 PID 1512 set thread context of 5080 1512 spoolsv.exe 132 PID 1604 set thread context of 2960 1604 spoolsv.exe 133 PID 3724 set thread context of 1500 3724 spoolsv.exe 135 PID 4576 set thread context of 1448 4576 spoolsv.exe 136 PID 3244 set thread context of 4932 3244 spoolsv.exe 138 PID 1600 set thread context of 3676 1600 spoolsv.exe 139 PID 1752 set thread context of 2268 1752 spoolsv.exe 140 PID 2132 set thread context of 3456 2132 spoolsv.exe 142 PID 4004 set thread context of 2552 4004 spoolsv.exe 144 PID 1720 set thread context of 3808 1720 spoolsv.exe 145 PID 3848 set thread context of 2784 3848 spoolsv.exe 146 PID 3496 set thread context of 4780 3496 spoolsv.exe 148 PID 5020 set thread context of 3764 5020 spoolsv.exe 149 PID 4108 set thread context of 2408 4108 spoolsv.exe 151 PID 1480 set thread context of 4776 1480 spoolsv.exe 152 PID 3188 set thread context of 1548 3188 spoolsv.exe 153 PID 2676 set thread context of 1456 2676 spoolsv.exe 155 PID 2684 set thread context of 3944 2684 spoolsv.exe 157 PID 2128 set thread context of 1048 2128 spoolsv.exe 158 PID 3860 set thread context of 2792 3860 spoolsv.exe 160 PID 2836 set thread context of 1588 2836 spoolsv.exe 161 PID 1060 set thread context of 608 1060 spoolsv.exe 163 PID 3524 set thread context of 2396 3524 spoolsv.exe 164 PID 3324 set thread context of 556 3324 spoolsv.exe 165 PID 3656 set thread context of 2644 3656 spoolsv.exe 167 PID 2308 set thread context of 3136 2308 spoolsv.exe 169 PID 4988 set thread context of 2292 4988 spoolsv.exe 170 PID 1444 set thread context of 644 1444 spoolsv.exe 172 PID 4076 set thread context of 3136 4076 spoolsv.exe 176 PID 4300 set thread context of 5040 4300 explorer.exe 178 PID 1076 set thread context of 2788 1076 spoolsv.exe 182 PID 512 set thread context of 3464 512 explorer.exe 184 PID 1540 set thread context of 3952 1540 spoolsv.exe 188 PID 624 set thread context of 3044 624 explorer.exe 190 PID 2764 set thread context of 4700 2764 spoolsv.exe 194 PID 1272 set thread context of 4588 1272 explorer.exe 196 PID 2036 set thread context of 1388 2036 spoolsv.exe 199 PID 1572 set thread context of 3060 1572 explorer.exe 201 PID 1208 set thread context of 1532 1208 spoolsv.exe 204 PID 3572 set thread context of 4856 3572 explorer.exe 207 PID 2332 set thread context of 2740 2332 spoolsv.exe 209 PID 544 set thread context of 3916 544 explorer.exe 211 PID 1008 set thread context of 3928 1008 spoolsv.exe 213 -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2916 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 2916 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1220 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2916 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 2916 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 4596 spoolsv.exe 4596 spoolsv.exe 5080 spoolsv.exe 5080 spoolsv.exe 2960 spoolsv.exe 2960 spoolsv.exe 1500 spoolsv.exe 1500 spoolsv.exe 1448 spoolsv.exe 1448 spoolsv.exe 4932 spoolsv.exe 4932 spoolsv.exe 3676 spoolsv.exe 3676 spoolsv.exe 2268 spoolsv.exe 2268 spoolsv.exe 3456 spoolsv.exe 3456 spoolsv.exe 2552 spoolsv.exe 2552 spoolsv.exe 3808 spoolsv.exe 3808 spoolsv.exe 2784 spoolsv.exe 2784 spoolsv.exe 4780 spoolsv.exe 4780 spoolsv.exe 3764 spoolsv.exe 3764 spoolsv.exe 2408 spoolsv.exe 2408 spoolsv.exe 4776 spoolsv.exe 4776 spoolsv.exe 1548 spoolsv.exe 1548 spoolsv.exe 1456 spoolsv.exe 1456 spoolsv.exe 3944 spoolsv.exe 3944 spoolsv.exe 1048 spoolsv.exe 1048 spoolsv.exe 2792 spoolsv.exe 2792 spoolsv.exe 1588 spoolsv.exe 1588 spoolsv.exe 608 spoolsv.exe 608 spoolsv.exe 2396 spoolsv.exe 2396 spoolsv.exe 556 spoolsv.exe 556 spoolsv.exe 2644 spoolsv.exe 2644 spoolsv.exe 3136 spoolsv.exe 3136 spoolsv.exe 2292 spoolsv.exe 2292 spoolsv.exe 644 spoolsv.exe 644 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 960 wrote to memory of 4512 960 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 83 PID 960 wrote to memory of 4512 960 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 83 PID 960 wrote to memory of 2916 960 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 88 PID 960 wrote to memory of 2916 960 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 88 PID 960 wrote to memory of 2916 960 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 88 PID 960 wrote to memory of 2916 960 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 88 PID 960 wrote to memory of 2916 960 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 88 PID 2916 wrote to memory of 4576 2916 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 89 PID 2916 wrote to memory of 4576 2916 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 89 PID 2916 wrote to memory of 4576 2916 0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe 89 PID 4576 wrote to memory of 1220 4576 explorer.exe 99 PID 4576 wrote to memory of 1220 4576 explorer.exe 99 PID 4576 wrote to memory of 1220 4576 explorer.exe 99 PID 4576 wrote to memory of 1220 4576 explorer.exe 99 PID 4576 wrote to memory of 1220 4576 explorer.exe 99 PID 1220 wrote to memory of 2200 1220 explorer.exe 100 PID 1220 wrote to memory of 2200 1220 explorer.exe 100 PID 1220 wrote to memory of 2200 1220 explorer.exe 100 PID 1220 wrote to memory of 1512 1220 explorer.exe 101 PID 1220 wrote to memory of 1512 1220 explorer.exe 101 PID 1220 wrote to memory of 1512 1220 explorer.exe 101 PID 1220 wrote to memory of 1604 1220 explorer.exe 102 PID 1220 wrote to memory of 1604 1220 explorer.exe 102 PID 1220 wrote to memory of 1604 1220 explorer.exe 102 PID 1220 wrote to memory of 3724 1220 explorer.exe 103 PID 1220 wrote to memory of 3724 1220 explorer.exe 103 PID 1220 wrote to memory of 3724 1220 explorer.exe 103 PID 1220 wrote to memory of 4576 1220 explorer.exe 104 PID 1220 wrote to memory of 4576 1220 explorer.exe 104 PID 1220 wrote to memory of 4576 1220 explorer.exe 104 PID 1220 wrote to memory of 3244 1220 explorer.exe 105 PID 1220 wrote to memory of 3244 1220 explorer.exe 105 PID 1220 wrote to memory of 3244 1220 explorer.exe 105 PID 1220 wrote to memory of 1600 1220 explorer.exe 106 PID 1220 wrote to memory of 1600 1220 explorer.exe 106 PID 1220 wrote to memory of 1600 1220 explorer.exe 106 PID 1220 wrote to memory of 1752 1220 explorer.exe 107 PID 1220 wrote to memory of 1752 1220 explorer.exe 107 PID 1220 wrote to memory of 1752 1220 explorer.exe 107 PID 1220 wrote to memory of 2132 1220 explorer.exe 108 PID 1220 wrote to memory of 2132 1220 explorer.exe 108 PID 1220 wrote to memory of 2132 1220 explorer.exe 108 PID 1220 wrote to memory of 4004 1220 explorer.exe 109 PID 1220 wrote to memory of 4004 1220 explorer.exe 109 PID 1220 wrote to memory of 4004 1220 explorer.exe 109 PID 1220 wrote to memory of 1720 1220 explorer.exe 110 PID 1220 wrote to memory of 1720 1220 explorer.exe 110 PID 1220 wrote to memory of 1720 1220 explorer.exe 110 PID 1220 wrote to memory of 3848 1220 explorer.exe 111 PID 1220 wrote to memory of 3848 1220 explorer.exe 111 PID 1220 wrote to memory of 3848 1220 explorer.exe 111 PID 1220 wrote to memory of 3496 1220 explorer.exe 112 PID 1220 wrote to memory of 3496 1220 explorer.exe 112 PID 1220 wrote to memory of 3496 1220 explorer.exe 112 PID 1220 wrote to memory of 5020 1220 explorer.exe 113 PID 1220 wrote to memory of 5020 1220 explorer.exe 113 PID 1220 wrote to memory of 5020 1220 explorer.exe 113 PID 1220 wrote to memory of 4108 1220 explorer.exe 114 PID 1220 wrote to memory of 4108 1220 explorer.exe 114 PID 1220 wrote to memory of 4108 1220 explorer.exe 114 PID 1220 wrote to memory of 1480 1220 explorer.exe 115 PID 1220 wrote to memory of 1480 1220 explorer.exe 115 PID 1220 wrote to memory of 1480 1220 explorer.exe 115 PID 1220 wrote to memory of 3188 1220 explorer.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:4512
-
-
C:\Users\Admin\AppData\Local\Temp\0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0156761d63a870ee3ff8c472e4bf8df7_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2200 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4596 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4300 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5040
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1512 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5080
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1604 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2960
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3724 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1500
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4576 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1448 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:512 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3464
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3244 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4932
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1600 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3676
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1752 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2268
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2132 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3456 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:624 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3044
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4004 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1720 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3808
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3848 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2784
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3496 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4780
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5020 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3764 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1272 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4588
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4108 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2408
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1480 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4776
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3188 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1548
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2676 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1456 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1572 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3060
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2684 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3944
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2128 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1048
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3860 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2792
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2836 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1588 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3572 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4856
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1060 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:608
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3524 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2396
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3324 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:556
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3656 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2644 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:544 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3916
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2308 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3136
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4988 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2292
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1444 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:644 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:452 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3484
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4076 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3136
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4928
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2380
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1076 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2788
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:704 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3408
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1540 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3952
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2288
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2764 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4700
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3892
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2036 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1388
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4980
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1208 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1532
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:1776
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2332 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2740
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3576
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1008 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3928
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1652 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3568
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3924
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3648 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1484
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3844 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:688
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4232
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2180 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2336
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1212 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3240
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2780
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3248 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3668
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4500 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3372
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4272
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1724
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4756
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1248
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2092
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4548
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2168
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1460
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1740
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4924
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5048
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1668
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3296
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4628
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1064
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:756
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:2508
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
2.2MB
MD5bf1a64ab18ff99db70a087c62ebca684
SHA134bbb62d45477afd9598a2198f1ea819a11a3ce9
SHA25662cb860e3cf475899fb1ffd5b40a52361c8fbca9d64ef7e41fab6c8cd3682bad
SHA512482b92f5c2cc449e1992517a2f37e8b23ea88f21ad5fd6e2b069f86efa55049992aae4011461a922f0659f57696a1c4ca3afa4b063bf7b487e9191b9d430fb00
-
Filesize
2.2MB
MD5d910f34bd13e93f49802da9e2d484217
SHA1c348e54f9b70060bdd3b650e8b1bc75d8b26aade
SHA25641e5295a9fc3f7e793b307993951414810740900da0ee67eed3d8184fd142b59
SHA512152334c641fd6d9581181a4ad410c3cbd5448b041d5eeb3d89f89db6fb1f19b9529a6e7ce89f2b05ee674837ccc64ec5955b08d32b9c47d6651f60cd6c640eb0