Analysis
- max time kernel: 148s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 15:38

Behavioral task: behavioral1
- Sample: b445784fb04836377e39613ee2530b38_JaffaCakes118.exe
- Resource: win7-20240611-en

General
- Target: b445784fb04836377e39613ee2530b38_JaffaCakes118.exe
- Size: 2.2MB
- MD5: b445784fb04836377e39613ee2530b38
- SHA1: 0f1794cbe87a961cd687f206ea66628e23e617a6
- SHA256: 7d778bb727dcb73d124dcd51be872f761597be37917cb13c6213f918956842f2
- SHA512: 3551840c73e1f5b44382eabdfb11350d5219ad3fd415daa0f1202f93c6e86cb4bcde342d1eb530f3bee66c2a580caad4d486dc60d4bc2da844889139f0f3f33e
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ1:0UzeyQMS4DqodCnoe+iitjWwwp

Malware Config
Extracted
- Family: pony
- C2: http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b445784fb04836377e39613ee2530b38_JaffaCakes118.exe (process: b445784fb04836377e39613ee2530b38_JaffaCakes118.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b445784fb04836377e39613ee2530b38_JaffaCakes118.exe (process: b445784fb04836377e39613ee2530b38_JaffaCakes118.exe)
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext (55 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4088, explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree (depth in brackets; each entry lists image path, PID, command line and the signatures triggered by that process):

[1] C:\Users\Admin\AppData\Local\Temp\b445784fb04836377e39613ee2530b38_JaffaCakes118.exe (PID 5100)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b445784fb04836377e39613ee2530b38_JaffaCakes118.exe"
    signatures: Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe (PID 4424)
      cmdline: C:\Windows\splwow64.exe 12288
  [2] C:\Users\Admin\AppData\Local\Temp\b445784fb04836377e39613ee2530b38_JaffaCakes118.exe (PID 2196)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\b445784fb04836377e39613ee2530b38_JaffaCakes118.exe"
      signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe (PID 3876)
        cmdline: c:\windows\system\explorer.exe
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe (PID 4088)
          cmdline: "c:\windows\system\explorer.exe"
          signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe (PID 1112)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 4060)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 2436)
                cmdline: c:\windows\system\explorer.exe
                signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 5088)
                  cmdline: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4664)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4112)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1808)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 4028)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2456)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3584)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3664)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3436)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2408)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3900)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2316)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2272)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 4432)
                cmdline: c:\windows\system\explorer.exe
                signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 5040)
                  cmdline: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4248)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2052)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 724)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2972)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4208)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3352)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4772)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4716)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2120)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 4324)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3036)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 4452)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 4308)
                cmdline: c:\windows\system\explorer.exe
                signatures: Executes dropped EXE; Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe (PID 2508)
                  cmdline: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 3624)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 2956)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1068)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4344)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 320)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5068)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1060)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 4644)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 5036)
                cmdline: c:\windows\system\explorer.exe
                signatures: Executes dropped EXE; Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe (PID 3268)
                  cmdline: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 1568)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2348)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2092)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4160)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2068)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4960)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 516)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2480)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3580)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3396)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 4876)
                cmdline: c:\windows\system\explorer.exe
                signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 3712)
                  cmdline: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4892)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4020)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2368)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 796)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4384)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 4976)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3224)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1372)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 2432)
                cmdline: c:\windows\system\explorer.exe
                signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 5052)
                  cmdline: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4472)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2384)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 656)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 1100)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 668)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5100)
              cmdline: "c:\windows\system\spoolsv.exe"
              signatures: Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3236)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 1232)
              cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 4632)
                cmdline: c:\windows\system\explorer.exe
                signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 4016)
                  cmdline: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4516)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2688)
              cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 1448)
                cmdline: c:\windows\system\explorer.exe
                signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 640)
                  cmdline: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2600)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3204)
              cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 1824)
                cmdline: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 4464)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 2968)
              cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 1616)
                cmdline: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 2256)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2772)
              cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 3468)
                cmdline: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 3084)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1504)
              cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 736)
                cmdline: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 1104)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 452)
              cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 2412)
                cmdline: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe (PID 4316)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 708)
              cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 2964)
                cmdline: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 4348)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1392)
              cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 2940)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 3632)
              cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 1684)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1028)
              cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 972)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 220)
              cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe (PID 2276)
                cmdline: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe (PID 1928)
            cmdline: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4748)
              cmdline: "c:\windows\system\spoolsv.exe"
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4500 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4356
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4884 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5108
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:980 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4880
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2200 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1864
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1688
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4364
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2548
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4832
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2800
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1948
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4528
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4996
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1728
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3972
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4816
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4544
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4736
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4820
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3572
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5060
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4492
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads