Analysis
- max time kernel: 104s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 15:02
Behavioral task: behavioral1
Sample: a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe
Resource: win7-20240508-en
General
- Target: a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe
- Size: 2.2MB
- MD5: a1154740f8d08a5f585b87fdc8e4970e
- SHA1: eca5b063d665b3673cda04536fde455bd99ff5ed
- SHA256: 4612aa33c5212ab945a7017cc1dd1f8d6cf7d240df667271983f30678b001587
- SHA512: c9128b6fa60051cc1172c7d5ee8b082836cb147f9f6c6a67f55dbf3b9f93fa2a310741f5df6f970805d5a1dfa823238352d86c2d4c410dc262e384d1ac53fe7d
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZf:0UzeyQMS4DqodCnoe+iitjWwwb
Malware Config
Extracted: pony
- http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe (process: a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe (process: a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe)
- Executes dropped EXE (56 IoCs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Suspicious use of SetThreadContext (16 IoCs)
  PID 1484 (a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe) set thread context of PID 5040 (a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe)
  PID 1848 (explorer.exe) set thread context of PID 392 (explorer.exe)
  PID 468 (spoolsv.exe) set thread context of PID 4204 (spoolsv.exe)
  PID 2304 (spoolsv.exe) set thread context of PID 648 (spoolsv.exe)
  PID 2152 (spoolsv.exe) set thread context of PID 1472 (spoolsv.exe)
  PID 3152 (spoolsv.exe) set thread context of PID 880 (spoolsv.exe)
  PID 2328 (spoolsv.exe) set thread context of PID 2944 (spoolsv.exe)
  PID 3612 (spoolsv.exe) set thread context of PID 1960 (spoolsv.exe)
  PID 1968 (spoolsv.exe) set thread context of PID 5008 (spoolsv.exe)
  PID 4116 (spoolsv.exe) set thread context of PID 4360 (spoolsv.exe)
  PID 3556 (spoolsv.exe) set thread context of PID 3380 (spoolsv.exe)
  PID 4388 (spoolsv.exe) set thread context of PID 2664 (spoolsv.exe)
  PID 3304 (spoolsv.exe) set thread context of PID 1828 (spoolsv.exe)
  PID 2804 (spoolsv.exe) set thread context of PID 2744 (spoolsv.exe)
  PID 3580 (spoolsv.exe) set thread context of PID 1028 (spoolsv.exe)
  PID 2004 (spoolsv.exe) set thread context of PID 4844 (spoolsv.exe)
- Drops file in Windows directory (44 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of SetWindowsHookEx (34 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (the number in brackets is the nesting depth; each entry shows its PID, command line and the signatures it triggered):

[1] C:\Users\Admin\AppData\Local\Temp\a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe (PID 1484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe (PID 3076)
    Command line: C:\Windows\splwow64.exe 12288
  [2] C:\Users\Admin\AppData\Local\Temp\a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe (PID 5040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a1154740f8d08a5f585b87fdc8e4970e_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe (PID 1848)
      Command line: c:\windows\system\explorer.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe (PID 392)
        Command line: "c:\windows\system\explorer.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe (PID 468)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4204)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 1976)
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 348)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2304)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 648)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2152)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1472)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 1592)
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 4820)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 3152)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 880)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2328)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2944)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 4944)
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 2332)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 3612)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1960)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1968)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5008)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 4592)
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 4556)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4116)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4360)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3556)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3380)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 3528)
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 912)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4388)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2664)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3304)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1828)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 3240)
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 4856)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2804)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2744)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3580)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1028)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 4252)
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 4532)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2004)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4844)
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1444)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3960)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 4792)
              Command line: c:\windows\system\explorer.exe
              [8] \??\c:\windows\system\explorer.exe (PID 372)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 552)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5116)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 1044)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2728)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 1456)
              Command line: c:\windows\system\explorer.exe
              [8] \??\c:\windows\system\explorer.exe (PID 4656)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 760)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3968)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2984)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2876)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 3672)
              Command line: c:\windows\system\explorer.exe
              [8] \??\c:\windows\system\explorer.exe (PID 1480)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4280)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2640)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2036)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3124)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 3472)
              Command line: c:\windows\system\explorer.exe
              [8] \??\c:\windows\system\explorer.exe (PID 2504)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 5016)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1700)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 1860)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4036)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 3396)
              Command line: c:\windows\system\explorer.exe
              [8] \??\c:\windows\system\explorer.exe (PID 4416)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 1048)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4552)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2356)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4400)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 2348)
              Command line: c:\windows\system\explorer.exe
              [8] \??\c:\windows\system\explorer.exe (PID 3104)
                Command line: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 3264)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4548)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 784)
              Command line: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe (PID 2300)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1440)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2488)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3308)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 1836)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5044)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 4000)
              Command line: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe (PID 116)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2268)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 3920)
              Command line: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe (PID 632)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3772)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 1808)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 744)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2936)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          [6] \??\c:\windows\system\spoolsv.exe (PID 2952)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 1616)
              Command line: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe (PID 4320)
          Command line: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe (PID 3372)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2412)
          Command line: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe (PID 4668)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 4876)
              Command line: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe (PID 2928)
          Command line: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe (PID 4676)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4524)
          Command line: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe (PID 4300)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 4536)
              Command line: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe (PID 4788)
          Command line: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe (PID 1120)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 1844)
          Command line: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe (PID 3352)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 1204)
              Command line: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe (PID 4900)
          Command line: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe (PID 1600)
            Command line: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 4836)
              Command line: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe (PID 3896)
          Command line: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe (PID 2364)
            Command line: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4460)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 2396)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 3000)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 4140)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 3424)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 1512)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 4644)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 5028)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 936)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 4892)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 2548)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 3588)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 380)
          Command line: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe (PID 4708)
          Command line: c:\windows\system\spoolsv.exe SE
[1] C:\Windows\system32\svchost.exe (PID 2932)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads