Analysis
max time kernel: 120s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 18:27
Behavioral task: behavioral1
Sample: b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe
Resource: win7-20231129-en
General
Target: b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe
Size: 2.2MB
MD5: b490af29d2978dbc5e7a334b62827a9b
SHA1: c5bff62ebf27a0d5b6fdf5ae42c9d361df0ae0b8
SHA256: 200251c8db9fa0fc41de44ff9bf52cc57e5c8270a9a7d1e2f47c72e11d900a4f
SHA512: 2919f1aa07b64cd207ca3dd5ec9e93b1abccfecb7cbb8e2a6546838d85ff4c195e151c56964e74358f5e249eb83ccc060eff652178a90c1e479a76abc4cb5cfe
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZc:0UzeyQMS4DqodCnoe+iitjWwwY
Malware Config
Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
pid | Process
2352 | explorer.exe
3536 | explorer.exe
392 | spoolsv.exe
3928 | spoolsv.exe
2616 | spoolsv.exe
988 | spoolsv.exe
1484 | spoolsv.exe
1432 | spoolsv.exe
3888 | spoolsv.exe
4200 | spoolsv.exe
4516 | spoolsv.exe
3792 | spoolsv.exe
4724 | spoolsv.exe
3584 | spoolsv.exe
2372 | spoolsv.exe
788 | spoolsv.exe
4972 | spoolsv.exe
112 | spoolsv.exe
3008 | spoolsv.exe
2868 | spoolsv.exe
3236 | spoolsv.exe
3784 | spoolsv.exe
1536 | spoolsv.exe
2152 | spoolsv.exe
3124 | spoolsv.exe
4940 | spoolsv.exe
820 | spoolsv.exe
1788 | spoolsv.exe
1612 | spoolsv.exe
4332 | spoolsv.exe
1380 | spoolsv.exe
5224 | spoolsv.exe
5320 | spoolsv.exe
5360 | explorer.exe
5444 | spoolsv.exe
5516 | spoolsv.exe
5592 | spoolsv.exe
5980 | spoolsv.exe
6036 | spoolsv.exe
6104 | spoolsv.exe
1208 | spoolsv.exe
2572 | spoolsv.exe
5212 | spoolsv.exe
5204 | spoolsv.exe
5664 | spoolsv.exe
5724 | explorer.exe
5668 | spoolsv.exe
5780 | spoolsv.exe
6020 | spoolsv.exe
696 | spoolsv.exe
976 | spoolsv.exe
5600 | spoolsv.exe
5604 | explorer.exe
1668 | spoolsv.exe
5852 | spoolsv.exe
1212 | spoolsv.exe
3252 | spoolsv.exe
5380 | explorer.exe
5596 | spoolsv.exe
5948 | spoolsv.exe
4668 | spoolsv.exe
6060 | explorer.exe
3192 | spoolsv.exe
4116 | spoolsv.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext (33 IoCs)
description | pid | Process | procid_target
PID 2076 set thread context of 4672 | 2076 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 97
PID 2352 set thread context of 3536 | 2352 | explorer.exe | 106
PID 392 set thread context of 5320 | 392 | spoolsv.exe | 137
PID 3928 set thread context of 5444 | 3928 | spoolsv.exe | 139
PID 2616 set thread context of 5516 | 2616 | spoolsv.exe | 140
PID 988 set thread context of 5592 | 988 | spoolsv.exe | 141
PID 1484 set thread context of 6036 | 1484 | spoolsv.exe | 143
PID 1432 set thread context of 6104 | 1432 | spoolsv.exe | 144
PID 3888 set thread context of 1208 | 3888 | spoolsv.exe | 145
PID 4200 set thread context of 2572 | 4200 | spoolsv.exe | 146
PID 3792 set thread context of 5212 | 3792 | spoolsv.exe | 147
PID 4516 set thread context of 5204 | 4516 | spoolsv.exe | 148
PID 4724 set thread context of 5664 | 4724 | spoolsv.exe | 149
PID 3584 set thread context of 5668 | 3584 | spoolsv.exe | 151
PID 2372 set thread context of 5780 | 2372 | spoolsv.exe | 152
PID 788 set thread context of 6020 | 788 | spoolsv.exe | 153
PID 4972 set thread context of 976 | 4972 | spoolsv.exe | 155
PID 112 set thread context of 5600 | 112 | spoolsv.exe | 156
PID 3008 set thread context of 1668 | 3008 | spoolsv.exe | 158
PID 2868 set thread context of 5852 | 2868 | spoolsv.exe | 159
PID 3236 set thread context of 3252 | 3236 | spoolsv.exe | 161
PID 3784 set thread context of 5948 | 3784 | spoolsv.exe | 164
PID 1536 set thread context of 4668 | 1536 | spoolsv.exe | 165
PID 2152 set thread context of 4116 | 2152 | spoolsv.exe | 168
PID 3124 set thread context of 3488 | 3124 | spoolsv.exe | 170
PID 4940 set thread context of 2504 | 4940 | spoolsv.exe | 172
PID 820 set thread context of 656 | 820 | spoolsv.exe | 174
PID 1788 set thread context of 3564 | 1788 | spoolsv.exe | 177
PID 1612 set thread context of 4224 | 1612 | spoolsv.exe | 178
PID 4332 set thread context of 5032 | 4332 | spoolsv.exe | 179
PID 1380 set thread context of 1440 | 1380 | spoolsv.exe | 182
PID 5224 set thread context of 4540 | 5224 | spoolsv.exe | 188
PID 5360 set thread context of 5028 | 5360 | explorer.exe | 194
Drops file in Windows directory (63 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4672 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe
4672 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process
4672 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe
4672 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
3536 | explorer.exe
5320 | spoolsv.exe
5320 | spoolsv.exe
5444 | spoolsv.exe
5444 | spoolsv.exe
5516 | spoolsv.exe
5516 | spoolsv.exe
5592 | spoolsv.exe
5592 | spoolsv.exe
6036 | spoolsv.exe
6036 | spoolsv.exe
6104 | spoolsv.exe
6104 | spoolsv.exe
1208 | spoolsv.exe
1208 | spoolsv.exe
2572 | spoolsv.exe
2572 | spoolsv.exe
5212 | spoolsv.exe
5212 | spoolsv.exe
5204 | spoolsv.exe
5204 | spoolsv.exe
5664 | spoolsv.exe
5664 | spoolsv.exe
5668 | spoolsv.exe
5668 | spoolsv.exe
5780 | spoolsv.exe
5780 | spoolsv.exe
6020 | spoolsv.exe
6020 | spoolsv.exe
976 | spoolsv.exe
976 | spoolsv.exe
5600 | spoolsv.exe
5600 | spoolsv.exe
1668 | spoolsv.exe
1668 | spoolsv.exe
5852 | spoolsv.exe
5852 | spoolsv.exe
3252 | spoolsv.exe
3252 | spoolsv.exe
5948 | spoolsv.exe
5948 | spoolsv.exe
4668 | spoolsv.exe
4668 | spoolsv.exe
4116 | spoolsv.exe
4116 | spoolsv.exe
3488 | spoolsv.exe
3488 | spoolsv.exe
2504 | spoolsv.exe
2504 | spoolsv.exe
656 | spoolsv.exe
656 | spoolsv.exe
3564 | spoolsv.exe
3564 | spoolsv.exe
4224 | spoolsv.exe
4224 | spoolsv.exe
5032 | spoolsv.exe
5032 | spoolsv.exe
1440 | spoolsv.exe
1440 | spoolsv.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2076 wrote to memory of 1408 | 2076 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 90
PID 2076 wrote to memory of 1408 | 2076 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 90
PID 2076 wrote to memory of 4672 | 2076 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 97
PID 2076 wrote to memory of 4672 | 2076 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 97
PID 2076 wrote to memory of 4672 | 2076 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 97
PID 2076 wrote to memory of 4672 | 2076 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 97
PID 2076 wrote to memory of 4672 | 2076 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 97
PID 4672 wrote to memory of 2352 | 4672 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 98
PID 4672 wrote to memory of 2352 | 4672 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 98
PID 4672 wrote to memory of 2352 | 4672 | b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe | 98
PID 2352 wrote to memory of 3536 | 2352 | explorer.exe | 106
PID 2352 wrote to memory of 3536 | 2352 | explorer.exe | 106
PID 2352 wrote to memory of 3536 | 2352 | explorer.exe | 106
PID 2352 wrote to memory of 3536 | 2352 | explorer.exe | 106
PID 2352 wrote to memory of 3536 | 2352 | explorer.exe | 106
PID 3536 wrote to memory of 392 | 3536 | explorer.exe | 107
PID 3536 wrote to memory of 392 | 3536 | explorer.exe | 107
PID 3536 wrote to memory of 392 | 3536 | explorer.exe | 107
PID 3536 wrote to memory of 3928 | 3536 | explorer.exe | 108
PID 3536 wrote to memory of 3928 | 3536 | explorer.exe | 108
PID 3536 wrote to memory of 3928 | 3536 | explorer.exe | 108
PID 3536 wrote to memory of 2616 | 3536 | explorer.exe | 109
PID 3536 wrote to memory of 2616 | 3536 | explorer.exe | 109
PID 3536 wrote to memory of 2616 | 3536 | explorer.exe | 109
PID 3536 wrote to memory of 988 | 3536 | explorer.exe | 110
PID 3536 wrote to memory of 988 | 3536 | explorer.exe | 110
PID 3536 wrote to memory of 988 | 3536 | explorer.exe | 110
PID 3536 wrote to memory of 1484 | 3536 | explorer.exe | 111
PID 3536 wrote to memory of 1484 | 3536 | explorer.exe | 111
PID 3536 wrote to memory of 1484 | 3536 | explorer.exe | 111
PID 3536 wrote to memory of 1432 | 3536 | explorer.exe | 112
PID 3536 wrote to memory of 1432 | 3536 | explorer.exe | 112
PID 3536 wrote to memory of 1432 | 3536 | explorer.exe | 112
PID 3536 wrote to memory of 3888 | 3536 | explorer.exe | 113
PID 3536 wrote to memory of 3888 | 3536 | explorer.exe | 113
PID 3536 wrote to memory of 3888 | 3536 | explorer.exe | 113
PID 3536 wrote to memory of 4200 | 3536 | explorer.exe | 114
PID 3536 wrote to memory of 4200 | 3536 | explorer.exe | 114
PID 3536 wrote to memory of 4200 | 3536 | explorer.exe | 114
PID 3536 wrote to memory of 4516 | 3536 | explorer.exe | 115
PID 3536 wrote to memory of 4516 | 3536 | explorer.exe | 115
PID 3536 wrote to memory of 4516 | 3536 | explorer.exe | 115
PID 3536 wrote to memory of 3792 | 3536 | explorer.exe | 116
PID 3536 wrote to memory of 3792 | 3536 | explorer.exe | 116
PID 3536 wrote to memory of 3792 | 3536 | explorer.exe | 116
PID 3536 wrote to memory of 4724 | 3536 | explorer.exe | 117
PID 3536 wrote to memory of 4724 | 3536 | explorer.exe | 117
PID 3536 wrote to memory of 4724 | 3536 | explorer.exe | 117
PID 3536 wrote to memory of 3584 | 3536 | explorer.exe | 118
PID 3536 wrote to memory of 3584 | 3536 | explorer.exe | 118
PID 3536 wrote to memory of 3584 | 3536 | explorer.exe | 118
PID 3536 wrote to memory of 2372 | 3536 | explorer.exe | 119
PID 3536 wrote to memory of 2372 | 3536 | explorer.exe | 119
PID 3536 wrote to memory of 2372 | 3536 | explorer.exe | 119
PID 3536 wrote to memory of 788 | 3536 | explorer.exe | 120
PID 3536 wrote to memory of 788 | 3536 | explorer.exe | 120
PID 3536 wrote to memory of 788 | 3536 | explorer.exe | 120
PID 3536 wrote to memory of 4972 | 3536 | explorer.exe | 121
PID 3536 wrote to memory of 4972 | 3536 | explorer.exe | 121
PID 3536 wrote to memory of 4972 | 3536 | explorer.exe | 121
PID 3536 wrote to memory of 112 | 3536 | explorer.exe | 122
PID 3536 wrote to memory of 112 | 3536 | explorer.exe | 122
PID 3536 wrote to memory of 112 | 3536 | explorer.exe | 122
PID 3536 wrote to memory of 3008 | 3536 | explorer.exe | 123
Processes
(process tree; [N] is the nesting depth, "cmd:" the command line as captured, bullets are the signatures matched by that process)

[1] C:\Users\Admin\AppData\Local\Temp\b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe"  PID: 2076
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe  cmd: C:\Windows\splwow64.exe 12288  PID: 1408
  [2] C:\Users\Admin\AppData\Local\Temp\b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\b490af29d2978dbc5e7a334b62827a9b_JaffaCakes118.exe"  PID: 4672
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 2352
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 3536
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 392
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5320
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 5360
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 5028
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3928
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5444
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2616
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5516
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 988
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5592
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1484
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 6036
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1432
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 6104
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3888
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1208
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4200
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2572
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4516
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5204
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3792
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5212
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4724
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5664
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 5724
                - Executes dropped EXE
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 4560
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3584
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5668
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2372
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5780
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 788
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 6020
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4972
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 976
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 112
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5600
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 5604
                - Executes dropped EXE
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 5888
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3008
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1668
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2868
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5852
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3236
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3252
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 5380
                - Executes dropped EXE
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 4408
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3784
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5948
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1536
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4668
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 6060
                - Executes dropped EXE
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 5624
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2152
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4116
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3124
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3488
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 2884
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 5708
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4940
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2504
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 820
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 656
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 5376
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 400
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1788
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3564
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1612
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4224
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4332
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5032
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 6112
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 5864
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1380
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1440
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5224
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4540
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 3152
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 3020
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5980
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5128
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 2444
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 696
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5992
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 6088
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1212
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3468
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 2240
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5596
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4312
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3192
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5268
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 5112
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4228
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2384
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5184
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3076
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 3684
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5404
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 908
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 428
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5124
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5764
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1976
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5252
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5860
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4456
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5180
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5536
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 6096
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5720
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3872
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 6040
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 6008
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1752
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5420
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3740
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 956
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2416
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4976
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5176
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1304
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 5912
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5484
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5588
        [5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3176
          [6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 232
            [7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 1076
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1500
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1952
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:6052
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2300
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2292
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5428
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2132
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4000
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5156
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4900
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2216
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:432
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4820
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:540
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:81⤵PID:544
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
- Filesize: 74B
  MD5:    6687785d6a31cdf9a5f80acb3abc459b
  SHA1:   1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize: 2.2MB
  MD5:    c14aeff9c3f8f4fb2dd6b6d593e8ce9e
  SHA1:   be860b29d00899fac71c5a9660486a6a7b95cba6
  SHA256: 5cdc68c3022331867b4ab5ae41eecbc3baba92623f03507bed58c9600261202d
  SHA512: 391f4387faeaa202cb17c92e29a05c0e41e91a2f0171c5f373b107402af40ab6a0d9734bd7add58fe261da34c7adfbede361f2f570b5abe2a2c88e83ff741656
- Filesize: 2.2MB
  MD5:    33bf1ae282b20f6a22d2bcad72d0fdda
  SHA1:   ff06a8294d43be1a379b4eefea7b17ea54eb77e6
  SHA256: 628cd2ecfeb10507985c8997a80fff5f0b51c0cc3d7d6fc19363d47e8e931df2
  SHA512: 01b4adeebd81c9cb8dedfb401f47f035b7b126496044dd1e0b33b2a3c61073918c43c2f0ad1d4e63fbb18aba83a8c548f5110bc01aecd486ce6807e89bf744c9