Analysis

max time kernel: 150s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 18:07
Behavioral task: behavioral1
Sample: b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe
Resource: win7-20240611-en
General

Target: b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe
Size: 2.2MB
MD5: b47bcc1a06b48881dd6aec04573ff932
SHA1: fc88c6a62a3120897063a6cdf45189709149f8e6
SHA256: c28fc3ab2f94d9fd5446e607fa0fcdb8b220c90b03f2924a48721b09c58d42db
SHA512: bba28ed4f01f1ff807c0f635a909428b5dbf9dc9bba4f8f391175ae2a6484dfae1b1d5328c98e332138411dfa6c81a79d40cf7ca229de966bd6c7be49ffa0139
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZZ:0UzeyQMS4DqodCnoe+iitjWwwN
Malware Config

Extracted
  pony
    http://don.service-master.eu/gate.php
  payload_url: http://don.service-master.eu/shit.exe
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  by explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  by explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  by explorer.exe
Drops startup file (2 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe  by b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe  by b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
  explorer.exe  PIDs 4668, 3640, 1284, 2736, 4928
  spoolsv.exe   PIDs 4392, 3920, 4280, 2920, 1968, 4952, 3228, 1640, 4416, 2392, 3100, 224, 3496, 2140, 3136, 4808, 1044, 1168, 4292, 3756, 4632, 2364, 4064, 4636, 812, 932, 2912, 4812, 2368, 4860, 1464, 804, 436, 3684, 2420, 3764, 764, 3840, 624, 1380, 1504, 3404, 1684, 3016, 4680, 448, 900, 2976, 4428, 4940, 2304, 4560, 4296, 3184, 4344, 2500, 3148, 3652, 4212
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  by explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  by explorer.exe
Suspicious use of SetThreadContext (56 IoCs)
  source PID -> target PID  process  (procid_target)
  4724 -> 3512  b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe  (87)
  4668 -> 3640  explorer.exe  (96)
  4392 -> 624   spoolsv.exe   (135)
  3920 -> 1504  spoolsv.exe   (138)
  4280 -> 3404  spoolsv.exe   (139)
  2920 -> 1684  spoolsv.exe   (140)
  1968 -> 3016  spoolsv.exe   (142)
  4952 -> 448   spoolsv.exe   (144)
  3228 -> 900   spoolsv.exe   (145)
  1640 -> 2976  spoolsv.exe   (146)
  4416 -> 4428  spoolsv.exe   (147)
  2392 -> 4940  spoolsv.exe   (148)
  3100 -> 4560  spoolsv.exe   (151)
  224  -> 4296  spoolsv.exe   (152)
  3496 -> 3184  spoolsv.exe   (153)
  2140 -> 4344  spoolsv.exe   (154)
  3136 -> 2500  spoolsv.exe   (155)
  4808 -> 3148  spoolsv.exe   (156)
  1044 -> 3652  spoolsv.exe   (157)
  1168 -> 4212  spoolsv.exe   (158)
  4292 -> 1104  spoolsv.exe   (160)
  3756 -> 4548  spoolsv.exe   (161)
  4632 -> 4000  spoolsv.exe   (163)
  2364 -> 656   spoolsv.exe   (164)
  4636 -> 5092  spoolsv.exe   (165)
  4064 -> 1956  spoolsv.exe   (166)
  932  -> 4496  spoolsv.exe   (167)
  812  -> 4840  spoolsv.exe   (168)
  2912 -> 1820  spoolsv.exe   (169)
  4812 -> 536   spoolsv.exe   (170)
  2368 -> 4556  spoolsv.exe   (171)
  4860 -> 3748  spoolsv.exe   (172)
  1464 -> 1264  spoolsv.exe   (173)
  804  -> 1208  spoolsv.exe   (174)
  436  -> 760   spoolsv.exe   (175)
  3684 -> 3416  spoolsv.exe   (176)
  2420 -> 2672  spoolsv.exe   (177)
  3764 -> 3660  spoolsv.exe   (178)
  764  -> 1636  spoolsv.exe   (179)
  3840 -> 372   spoolsv.exe   (180)
  1284 -> 4884  explorer.exe  (181)
  1380 -> 4452  spoolsv.exe   (183)
  2736 -> 4792  explorer.exe  (188)
  4680 -> 2156  spoolsv.exe   (189)
  4928 -> 3948  explorer.exe  (199)
  2304 -> 4356  spoolsv.exe   (204)
  3980 -> 1032  explorer.exe  (207)
  1740 -> 1940  spoolsv.exe   (209)
  3332 -> 5084  spoolsv.exe   (211)
  3664 -> 4384  explorer.exe  (212)
  716  -> 676   spoolsv.exe   (213)
  3396 -> 4464  spoolsv.exe   (214)
  2400 -> 4720  spoolsv.exe   (216)
  4196 -> 3272  explorer.exe  (218)
  4876 -> 5008  spoolsv.exe   (220)
  3988 -> 2832  spoolsv.exe   (222)
Drops file in Windows directory (64 IoCs)
  File opened for modification  \??\c:\windows\system\explorer.exe  by b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\system\spoolsv.exe   by explorer.exe
  File opened for modification  \??\c:\windows\system\explorer.exe  by explorer.exe
  File opened for modification  C:\Windows\Parameters.ini           by spoolsv.exe and explorer.exe (the remaining 61 entries, repeated by the dropped spoolsv.exe and explorer.exe children)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  3512  b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe  (2 entries)
  3640  explorer.exe  (62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  3640  explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
  3512  b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe  (2 entries)
  3640  explorer.exe  (4 entries)
  spoolsv.exe, 2 entries each for PIDs 624, 1504, 3404, 1684, 3016, 448, 900, 2976, 4428, 4940, 4560, 4296, 3184, 4344, 2500, 3148, 3652, 4212, 1104, 4548, 4000, 656, 5092, 1956, 4496, 4840, 1820, 536, 4556
Suspicious use of WriteProcessMemory (64 IoCs)
  source PID -> target PID  process  (procid_target)  entries
  4724 -> 4168  b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe  (82)   x2
  4724 -> 3512  b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe  (87)   x5
  3512 -> 4668  b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe  (88)   x3
  4668 -> 3640  explorer.exe  (96)   x5
  3640 -> 4392  explorer.exe  (97)   x3
  3640 -> 3920  explorer.exe  (98)   x3
  3640 -> 4280  explorer.exe  (99)   x3
  3640 -> 2920  explorer.exe  (100)  x3
  3640 -> 1968  explorer.exe  (101)  x3
  3640 -> 4952  explorer.exe  (102)  x3
  3640 -> 3228  explorer.exe  (103)  x3
  3640 -> 1640  explorer.exe  (104)  x3
  3640 -> 4416  explorer.exe  (105)  x3
  3640 -> 2392  explorer.exe  (106)  x3
  3640 -> 3100  explorer.exe  (107)  x3
  3640 -> 224   explorer.exe  (108)  x3
  3640 -> 3496  explorer.exe  (109)  x3
  3640 -> 2140  explorer.exe  (110)  x3
  3640 -> 3136  explorer.exe  (111)  x3
  3640 -> 4808  explorer.exe  (112)  x3
  3640 -> 1044  explorer.exe  (113)  x1
Processes

PID 4724 | C:\Users\Admin\AppData\Local\Temp\b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe" | Drops startup file; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  PID 4168 | C:\Windows\splwow64.exe | cmd: C:\Windows\splwow64.exe 12288
  PID 3512 | C:\Users\Admin\AppData\Local\Temp\b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\b47bcc1a06b48881dd6aec04573ff932_JaffaCakes118.exe" | Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID 4668 | \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      PID 3640 | \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe" | Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        PID 4392 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 624 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
            PID 1284 | \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              PID 4884 | \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
        PID 3920 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 1504 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 4280 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 3404 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 2920 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 1684 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
            PID 2736 | \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | Executes dropped EXE; Suspicious use of SetThreadContext
              PID 4792 | \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
        PID 1968 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 3016 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 4952 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 448 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 3228 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 900 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 1640 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 2976 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 4416 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4428 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 2392 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4940 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
            PID 4928 | \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              PID 3948 | \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
        PID 3100 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4560 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 224 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4296 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 3496 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 3184 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 2140 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4344 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 3136 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 2500 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 4808 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 3148 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 1044 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 3652 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 1168 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4212 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Executes dropped EXE; Suspicious use of SetWindowsHookEx
        PID 4292 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 1104 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
            PID 3980 | \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | Suspicious use of SetThreadContext
              PID 1032 | \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
        PID 3756 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4548 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
        PID 4632 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4000 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
        PID 2364 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 656 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
        PID 4064 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 1956 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
        PID 4636 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 5092 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
        PID 812 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4840 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
        PID 932 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4496 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
        PID 2912 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 1820 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
        PID 4812 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 536 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
        PID 2368 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4556 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | Suspicious use of SetWindowsHookEx
        PID 4860 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 3748 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 1464 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext
          PID 1264 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 804 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 1208 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 436 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 760 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 3684 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 3416 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 2420 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 2672 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 3764 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext
          PID 3660 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 764 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext
          PID 1636 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 3840 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext
          PID 372 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 1380 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4452 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            PID 3664 | \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | Suspicious use of SetThreadContext; Drops file in Windows directory
              PID 4384 | \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
        PID 4680 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 2156 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            PID 4196 | \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | Suspicious use of SetThreadContext; Drops file in Windows directory
              PID 3272 | \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
        PID 2304 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4356 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            PID 1860 | \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
        PID 1740 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 1940 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            PID 2372 | \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | Drops file in Windows directory
        PID 3332 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 5084 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 716 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 676 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        PID 3396 | \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | Suspicious use of SetThreadContext; Drops file in Windows directory
          PID 4464 | \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2400 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4720
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3644
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4876 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5008
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3988 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2832
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2352
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1712
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1768
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4576
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1436
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3324
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3612
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:960
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1528
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2696
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:392
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4336
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2996
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1736
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1036
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4816
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1388
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize: 2.2MB
  MD5: b62b26964b221308e8a59afa24a7a141
  SHA1: 3369c219ffa6719d1fa5b16ef31d51c8d94535de
  SHA256: 3d02ce9e4ec7819c9cb9c3eb3a25a58938403304478c9dafe0436ba4343d829d
  SHA512: 29d32da21c5b6e83bec0dc52a60e34c435e11b0cb7ab8ee6f54d7c4f41e8677433e6853d0f49c4ee4cf39e46f289920d51f2d9871768e48d636da4d32d1bb3c1
- Filesize: 2.2MB
  MD5: 56a5a3358028e637782c86eeb4b98484
  SHA1: fe40af57918275b7622d7d467c0a9e8c5c7fc8bf
  SHA256: a4624fdb31d51a2a93c7df3dee3cf519a8d171c9a35ae90ab01114ee1d7a1a36
  SHA512: 84e9d681e2c1fa78d6ae147aadaecd2f7c4d79373d25fc69fe65feb37d765d838227b5c1fda9f61d6eb8e91061808d437706c983f365df60f4f16bf101d4bf92