Analysis
max time kernel: 148s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/04/2024, 03:11
Behavioral task: behavioral1
Sample: 024885959930437241cd532dba529335_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 024885959930437241cd532dba529335_JaffaCakes118.exe
Size: 2.2MB
MD5: 024885959930437241cd532dba529335
SHA1: c22e8f6b1ada57d0a391b466f55b4533f5a99496
SHA256: 725001c5379619960cc42fb8e6ca0fd56c9ca61b24d67e8b0126a38e7d76e7cb
SHA512: 50d218ce70d8ed900da78e2b74e1628b3db2d1fbc016477d085f7529f03b2a4af8e13d00d86fde4598206720f7fd35d34995e8f9a523fc913a96f65963952595
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZe:0UzeyQMS4DqodCnoe+iitjWwwi
Malware Config
Extracted
Family: pony
URL: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\024885959930437241cd532dba529335_JaffaCakes118.exe | 024885959930437241cd532dba529335_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\024885959930437241cd532dba529335_JaffaCakes118.exe | 024885959930437241cd532dba529335_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
pid | Process
1012 | explorer.exe
4896 | explorer.exe
3984 | spoolsv.exe
2636 | spoolsv.exe
4424 | spoolsv.exe
4664 | spoolsv.exe
1272 | spoolsv.exe
4172 | spoolsv.exe
4884 | spoolsv.exe
1472 | spoolsv.exe
3928 | spoolsv.exe
3648 | spoolsv.exe
208 | spoolsv.exe
4476 | spoolsv.exe
1012 | spoolsv.exe
3640 | spoolsv.exe
1352 | spoolsv.exe
3544 | spoolsv.exe
2476 | spoolsv.exe
4944 | spoolsv.exe
956 | spoolsv.exe
3456 | spoolsv.exe
1068 | spoolsv.exe
3172 | spoolsv.exe
2136 | spoolsv.exe
3080 | spoolsv.exe
4408 | spoolsv.exe
1248 | spoolsv.exe
3588 | spoolsv.exe
5060 | spoolsv.exe
3652 | spoolsv.exe
836 | spoolsv.exe
2320 | spoolsv.exe
4480 | explorer.exe
2652 | spoolsv.exe
4820 | spoolsv.exe
4416 | spoolsv.exe
404 | spoolsv.exe
3796 | spoolsv.exe
1292 | spoolsv.exe
4636 | explorer.exe
3424 | spoolsv.exe
4340 | spoolsv.exe
2800 | spoolsv.exe
2972 | spoolsv.exe
2220 | spoolsv.exe
5096 | explorer.exe
4120 | spoolsv.exe
4736 | spoolsv.exe
4524 | spoolsv.exe
2544 | spoolsv.exe
716 | spoolsv.exe
2804 | explorer.exe
3496 | spoolsv.exe
4684 | spoolsv.exe
3968 | spoolsv.exe
4736 | spoolsv.exe
4272 | spoolsv.exe
2072 | spoolsv.exe
228 | explorer.exe
748 | spoolsv.exe
3776 | spoolsv.exe
2200 | spoolsv.exe
3600 | spoolsv.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Suspicious use of SetThreadContext (55 IoCs)
description | pid | Process | procid_target
PID 4676 set thread context of 756 | 4676 | 024885959930437241cd532dba529335_JaffaCakes118.exe | 88
PID 1012 set thread context of 4896 | 1012 | explorer.exe | 99
PID 3984 set thread context of 836 | 3984 | spoolsv.exe | 129
PID 2636 set thread context of 2652 | 2636 | spoolsv.exe | 132
PID 4424 set thread context of 4820 | 4424 | spoolsv.exe | 133
PID 4664 set thread context of 4416 | 4664 | spoolsv.exe | 134
PID 1272 set thread context of 3796 | 1272 | spoolsv.exe | 136
PID 4172 set thread context of 1292 | 4172 | spoolsv.exe | 137
PID 4884 set thread context of 3424 | 4884 | spoolsv.exe | 139
PID 1472 set thread context of 4340 | 1472 | spoolsv.exe | 140
PID 3928 set thread context of 2972 | 3928 | spoolsv.exe | 142
PID 3648 set thread context of 2220 | 3648 | spoolsv.exe | 143
PID 208 set thread context of 4120 | 208 | spoolsv.exe | 145
PID 4476 set thread context of 4736 | 4476 | spoolsv.exe | 146
PID 1012 set thread context of 4524 | 1012 | spoolsv.exe | 147
PID 3640 set thread context of 716 | 3640 | spoolsv.exe | 149
PID 1352 set thread context of 3496 | 1352 | spoolsv.exe | 151
PID 3544 set thread context of 4684 | 3544 | spoolsv.exe | 152
PID 2476 set thread context of 4736 | 2476 | spoolsv.exe | 154
PID 4944 set thread context of 4272 | 4944 | spoolsv.exe | 155
PID 956 set thread context of 2072 | 956 | spoolsv.exe | 156
PID 3456 set thread context of 748 | 3456 | spoolsv.exe | 158
PID 1068 set thread context of 2200 | 1068 | spoolsv.exe | 160
PID 3172 set thread context of 3600 | 3172 | spoolsv.exe | 161
PID 2136 set thread context of 3684 | 2136 | spoolsv.exe | 162
PID 3080 set thread context of 4184 | 3080 | spoolsv.exe | 164
PID 4408 set thread context of 1612 | 4408 | spoolsv.exe | 166
PID 1248 set thread context of 1324 | 1248 | spoolsv.exe | 167
PID 3588 set thread context of 4556 | 3588 | spoolsv.exe | 169
PID 5060 set thread context of 4676 | 5060 | spoolsv.exe | 170
PID 3652 set thread context of 3048 | 3652 | spoolsv.exe | 172
PID 2320 set thread context of 3992 | 2320 | spoolsv.exe | 176
PID 4480 set thread context of 688 | 4480 | explorer.exe | 179
PID 404 set thread context of 2720 | 404 | spoolsv.exe | 181
PID 4636 set thread context of 4832 | 4636 | explorer.exe | 184
PID 2800 set thread context of 436 | 2800 | spoolsv.exe | 187
PID 5096 set thread context of 2400 | 5096 | explorer.exe | 189
PID 2544 set thread context of 3552 | 2544 | spoolsv.exe | 193
PID 2804 set thread context of 4936 | 2804 | explorer.exe | 195
PID 3968 set thread context of 5112 | 3968 | spoolsv.exe | 198
PID 228 set thread context of 2640 | 228 | explorer.exe | 201
PID 3776 set thread context of 1064 | 3776 | spoolsv.exe | 204
PID 676 set thread context of 1140 | 676 | explorer.exe | 206
PID 3888 set thread context of 3096 | 3888 | spoolsv.exe | 209
PID 4924 set thread context of 536 | 4924 | explorer.exe | 211
PID 1180 set thread context of 3976 | 1180 | spoolsv.exe | 212
PID 2584 set thread context of 3516 | 2584 | explorer.exe | 213
PID 4160 set thread context of 4600 | 4160 | spoolsv.exe | 215
PID 4344 set thread context of 4716 | 4344 | spoolsv.exe | 217
PID 1908 set thread context of 2228 | 1908 | explorer.exe | 219
PID 1820 set thread context of 684 | 1820 | spoolsv.exe | 220
PID 3528 set thread context of 860 | 3528 | spoolsv.exe | 222
PID 5104 set thread context of 4920 | 5104 | explorer.exe | 224
PID 3676 set thread context of 3124 | 3676 | spoolsv.exe | 225
PID 3908 set thread context of 4908 | 3908 | spoolsv.exe | 226
Drops file in Windows directory (64 IoCs)
description | ioc | Process | consecutive repeats
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 1
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 1
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 1
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe | 1
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 3
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 4
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 4
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 2
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 1
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe | 1
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 5
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 1
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 7
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 1
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 7
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 1
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 3
File opened for modification | C:\Windows\Parameters.ini | 024885959930437241cd532dba529335_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 2
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 1
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 2
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 1
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 3
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 2
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 2
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 1
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 5
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | consecutive repeats
756 | 024885959930437241cd532dba529335_JaffaCakes118.exe | 2
4896 | explorer.exe | 62
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
4896 | explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process | consecutive repeats
756 | 024885959930437241cd532dba529335_JaffaCakes118.exe | 2
4896 | explorer.exe | 4
836 | spoolsv.exe | 2
2652 | spoolsv.exe | 2
4820 | spoolsv.exe | 2
4416 | spoolsv.exe | 2
3796 | spoolsv.exe | 2
1292 | spoolsv.exe | 2
3424 | spoolsv.exe | 2
4340 | spoolsv.exe | 2
2972 | spoolsv.exe | 2
2220 | spoolsv.exe | 2
4120 | spoolsv.exe | 2
4736 | spoolsv.exe | 2
4524 | spoolsv.exe | 2
716 | spoolsv.exe | 2
3496 | spoolsv.exe | 2
4684 | spoolsv.exe | 2
4736 | spoolsv.exe | 2
4272 | spoolsv.exe | 2
2072 | spoolsv.exe | 2
748 | spoolsv.exe | 2
2200 | spoolsv.exe | 2
3600 | spoolsv.exe | 2
3684 | spoolsv.exe | 2
4184 | spoolsv.exe | 2
1612 | spoolsv.exe | 2
1324 | spoolsv.exe | 2
4556 | spoolsv.exe | 2
4676 | spoolsv.exe | 2
3048 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | consecutive repeats
PID 4676 wrote to memory of 2120 | 4676 | 024885959930437241cd532dba529335_JaffaCakes118.exe | 83 | 2
PID 4676 wrote to memory of 756 | 4676 | 024885959930437241cd532dba529335_JaffaCakes118.exe | 88 | 5
PID 756 wrote to memory of 1012 | 756 | 024885959930437241cd532dba529335_JaffaCakes118.exe | 89 | 3
PID 1012 wrote to memory of 4896 | 1012 | explorer.exe | 99 | 5
PID 4896 wrote to memory of 3984 | 4896 | explorer.exe | 100 | 3
PID 4896 wrote to memory of 2636 | 4896 | explorer.exe | 101 | 3
PID 4896 wrote to memory of 4424 | 4896 | explorer.exe | 102 | 3
PID 4896 wrote to memory of 4664 | 4896 | explorer.exe | 103 | 3
PID 4896 wrote to memory of 1272 | 4896 | explorer.exe | 104 | 3
PID 4896 wrote to memory of 4172 | 4896 | explorer.exe | 105 | 3
PID 4896 wrote to memory of 4884 | 4896 | explorer.exe | 106 | 3
PID 4896 wrote to memory of 1472 | 4896 | explorer.exe | 107 | 3
PID 4896 wrote to memory of 3928 | 4896 | explorer.exe | 108 | 3
PID 4896 wrote to memory of 3648 | 4896 | explorer.exe | 109 | 3
PID 4896 wrote to memory of 208 | 4896 | explorer.exe | 110 | 3
PID 4896 wrote to memory of 4476 | 4896 | explorer.exe | 111 | 3
PID 4896 wrote to memory of 1012 | 4896 | explorer.exe | 112 | 3
PID 4896 wrote to memory of 3640 | 4896 | explorer.exe | 113 | 3
PID 4896 wrote to memory of 1352 | 4896 | explorer.exe | 114 | 3
PID 4896 wrote to memory of 3544 | 4896 | explorer.exe | 115 | 3
PID 4896 wrote to memory of 2476 | 4896 | explorer.exe | 116 | 1
Processes
(process tree: [depth] image path (cmdline: command line) PID; signatures hit by that process are listed beneath it)

[1] C:\Users\Admin\AppData\Local\Temp\024885959930437241cd532dba529335_JaffaCakes118.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\024885959930437241cd532dba529335_JaffaCakes118.exe") PID 4676
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe (cmdline: C:\Windows\splwow64.exe 12288) PID 2120
  [2] C:\Users\Admin\AppData\Local\Temp\024885959930437241cd532dba529335_JaffaCakes118.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\024885959930437241cd532dba529335_JaffaCakes118.exe") PID 756
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 1012
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 4896
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3984
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 836
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 4480
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 688
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 2636
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 2652
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 4424
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4820
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 4664
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4416
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 1272
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 3796
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 4172
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 1292
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 4636
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 4832
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 4884
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 3424
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 1472
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4340
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3928
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 2972
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3648
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 2220
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 5096
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 2400
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 208
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4120
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 4476
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4736
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 1012
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4524
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3640
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 716
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 2804
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 4936
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 1352
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 3496
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3544
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4684
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 2476
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4736
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 4944
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4272
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 956
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 2072
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 228
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 2640
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3456
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 748
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 1068
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 2200
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3172
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 3600
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 2136
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 3684
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 676
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 1140
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3080
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4184
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 4408
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 1612
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 1248
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 1324
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 4924
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 536
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3588
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4556
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 5060
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4676
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3652
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 3048
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 2584
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 3516
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 2320
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 3992
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 1908
                - Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 2228
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 404
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 2720
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 5104
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe") PID 4920
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 2800
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 436
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 4840
                - Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 2544
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 3552
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 2884
                - Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3968
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 5112
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 4572
                - Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3776
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 1064
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 4156
                - Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 3888
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 3096
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 3476
                - Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 1180
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 3976
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 4160
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4600
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 4344
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 4716
            [7] \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe) PID 4192
                - Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE) PID 1820
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe") PID 684
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3528 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:860
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4148
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3676 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3124
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3908 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4908
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2252
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2656
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4520
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2580
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1648
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4324
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4080
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1028
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1344
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4880
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1144
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2308
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1404
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4984
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1448
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:2020
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Filesize: 2.2MB
MD5: e536bcf6b807ac2feec0e698bbe2a834
SHA1: d670212e7014e497452aae8d57b9e7e68ccdfa91
SHA256: b7bca74a8cb8b44111dffe0c4d9ace70eaa8fe597874fdd0255a21e2fa35f17f
SHA512: 3055b7ea090e11afa8fb4f513f7ba0c8fc0076cfc359c6236812a0bae4132a0ac93c86a77463428fe037154c6ff612e7442d465abf17d82efb623119fba4d791

Filesize: 2.2MB
MD5: 1196d4c2ea38afa94cf9bb229ec5921d
SHA1: 040d76da8aa54d6d9b5e0c77b55324e008f50111
SHA256: 6a5c32fad24ef2fcef1926d0fecdfdcd0c1dac5598a5ae809842ebc6ac3e395c
SHA512: 77ec6c67d3829250ea870198709e920c81e04b21837250acff54e0988200c7df7ad0a636f8d3fbbee35560498f2c32243be2dec5992c8ea9d7d379da420d6745