Analysis

max time kernel: 149s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 19:30

Behavioral task: behavioral1
Sample: b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe
Resource: win7-20240220-en

General

Target: b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe
Size: 2.2MB
MD5: b4d261556e6cf35bb4ad759f1e62b6bb
SHA1: b82a065303e78f592a5abe6afe7c873a1b9d3f00
SHA256: 75dd3b769b265c8720aacec743ee46135a052da318f9f7b068c4151ae2c86ff0
SHA512: db0f24af5d1faf446f2bf4786c1f31f71d7b14cce548740d41bee5c021639b2c6e176bc9d2e6101955dd90d046b14768f8db518e0fa4818be51d69dca3e6da25
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZg:0UzeyQMS4DqodCnoe+iitjWww0

Malware Config

Extracted family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer  (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (process: explorer.exe)
Modifies Installed Components in the registry  (2 TTPs, 2 IoCs)
  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  (process: explorer.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  (process: explorer.exe)
Drops startup file  (2 IoCs)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe  (process: b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe  (process: b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe)
Executes dropped EXE  (64 IoCs)
  explorer.exe: PIDs 4232, 3628, 1816, 4488, 856, 4708, 3464
  spoolsv.exe: PIDs 4048, 840, 1920, 1624, 4880, 1824, 540, 5088, 4792, 2848, 3172, 4512, 3708, 2680, 1876, 908, 3672, 1404, 2976, 3528, 4288, 3220, 372, 4364, 4564, 3472, 4268, 3328, 960, 2424, 324, 3988, 1604, 3196, 2736, 4928, 4168, 4040, 4404, 3624, 3076, 464, 2212, 1420, 368, 5116, 3016, 1384, 1688, 1288, 4688, 3400, 4424, 1848, 2948, 636, 4720
Adds Run key to start application  (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  (process: explorer.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  (process: explorer.exe)
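The four registry writes recorded above (Winlogon shell, ShowSuperHidden, an Active Setup StubPath, and two RunOnce values) are the persistence set a responder would sweep for on other hosts. The block below is an added example and is not part of the sandbox output or of any tool it uses: an offline classifier over registry "Set value" events, with the events transcribed from the IoCs above plus two constructed benign controls. The rule names, the helper functions (classify_registry_event, scan_events) and the canonical-path table are this example's own assumptions. It goes slightly beyond this sample by validating the Active Setup GUID format and by checking any Run/RunOnce value, not only the two seen here.

```python
"""Classify registry 'Set value' events against the persistence patterns
recorded in this report. Added example, not sandbox output: event data is
transcribed from the Signatures section (plus constructed benign controls),
and all function and rule names are this example's own."""
import re
from dataclasses import dataclass

# Where the binaries this sample impersonates really live (assumed canonical
# locations). Any other path with one of these names in a Run/RunOnce/Winlogon
# value is treated as a masquerade.
CANONICAL = {
    "explorer.exe": "c:\\windows\\explorer.exe",
    "svchost.exe": "c:\\windows\\system32\\svchost.exe",
    "spoolsv.exe": "c:\\windows\\system32\\spoolsv.exe",
}
# Genuine Active Setup component keys are hex GUIDs; the one in this report is not.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\")


@dataclass(frozen=True)
class RegEvent:
    key: str      # full key path as the sandbox logs it, value name last
    value: str    # data written
    process: str  # writing process image name


def _norm(path: str) -> str:
    return path.strip().lower()


def _exe_path(cmd: str) -> str:
    """Executable part of a command line ('"C:\\x y.exe" arg' or 'C:\\x.exe arg')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def classify_registry_event(ev: RegEvent) -> list:
    """Return (rule, detail) tuples for one event; empty list if it looks benign."""
    key = _norm(ev.key)
    findings = []
    if key.endswith("\\winlogon\\shell"):
        # Shell must be exactly explorer.exe; anything appended is launched at logon.
        parts = [_norm(p) for p in ev.value.split(",")]
        extra = [p for p in parts if p not in ("explorer.exe", CANONICAL["explorer.exe"])]
        if extra:
            findings.append(("winlogon_shell_hijack", extra))
    elif key.endswith("\\explorer\\advanced\\showsuperhidden") and ev.value.strip() == "0":
        findings.append(("hide_system_files", ev.process))
    elif "\\active setup\\installed components\\" in key and key.endswith("\\stubpath"):
        guid = ev.key.split("\\")[-2]
        if not GUID_RE.match(guid):
            findings.append(("active_setup_bogus_guid", guid))
        stub = _norm(_exe_path(ev.value))
        if any(tok in stub for tok in USER_WRITABLE):
            findings.append(("active_setup_user_writable_stub", stub))
    elif "\\currentversion\\runonce\\" in key or "\\currentversion\\run\\" in key:
        exe = _norm(_exe_path(ev.value))
        name = exe.rsplit("\\", 1)[-1]
        if name in CANONICAL and exe != CANONICAL[name]:
            findings.append(("run_key_masquerade", exe))
    return findings


def scan_events(events) -> dict:
    """Aggregate findings by rule name over a sequence of RegEvent."""
    out = {}
    for ev in events:
        for rule, detail in classify_registry_event(ev):
            out.setdefault(rule, []).append(detail)
    return out


HKLM32 = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\"
HKCU = "\\REGISTRY\\USER\\S-1-5-21-4124900551-4068476067-3491212533-1000\\SOFTWARE\\Microsoft\\"

# Transcribed from this report's Signatures section.
SAMPLE_EVENTS = [
    RegEvent(HKLM32 + "Windows NT\\CurrentVersion\\Winlogon\\shell",
             "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe", "explorer.exe"),
    RegEvent(HKCU + "Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "0", "explorer.exe"),
    RegEvent(HKLM32 + "Active Setup\\Installed Components\\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\\StubPath",
             "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR", "explorer.exe"),
    RegEvent(HKLM32 + "Windows\\CurrentVersion\\RunOnce\\Explorer", "c:\\windows\\system\\explorer.exe RO", "explorer.exe"),
    RegEvent(HKLM32 + "Windows\\CurrentVersion\\RunOnce\\Svchost", "c:\\windows\\system\\svchost.exe RO", "explorer.exe"),
    # Constructed benign controls (not from the report): must produce no findings.
    RegEvent(HKLM32 + "Windows NT\\CurrentVersion\\Winlogon\\shell", "explorer.exe", "msiexec.exe"),
    RegEvent(HKLM32 + "Active Setup\\Installed Components\\{00000000-1111-2222-3333-444444444444}\\StubPath",
             "\"C:\\Windows\\System32\\example.exe\" /setup", "msiexec.exe"),
]

if __name__ == "__main__":
    for rule, details in sorted(scan_events(SAMPLE_EVENTS).items()):
        print(f"{rule}: {details}")
```

Running the block prints one line per rule. The ShowSuperHidden rule is worth keeping even though it is not persistence by itself: here it is written by the same explorer.exe instance that plants the RunOnce and Winlogon values, and it hides the dropped files in C:\Windows\system from a user browsing the directory.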
Suspicious use of SetThreadContext  (53 IoCs)
  source PID  source process  ->  target PID  (procid_target)
  3904  b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe  ->  640   (86)
  4232  explorer.exe  ->  3628  (95)
  4048  spoolsv.exe   ->  324   (126)
  840   spoolsv.exe   ->  3988  (128)
  1920  spoolsv.exe   ->  1604  (129)
  1624  spoolsv.exe   ->  2736  (131)
  4880  spoolsv.exe   ->  4928  (133)
  1824  spoolsv.exe   ->  4168  (134)
  540   spoolsv.exe   ->  4040  (135)
  5088  spoolsv.exe   ->  4404  (136)
  4792  spoolsv.exe   ->  3624  (137)
  2848  spoolsv.exe   ->  464   (139)
  3172  spoolsv.exe   ->  2212  (141)
  4512  spoolsv.exe   ->  1420  (142)
  3708  spoolsv.exe   ->  368   (143)
  2680  spoolsv.exe   ->  5116  (144)
  1876  spoolsv.exe   ->  1384  (146)
  908   spoolsv.exe   ->  1688  (148)
  3672  spoolsv.exe   ->  1288  (149)
  1404  spoolsv.exe   ->  4688  (150)
  2976  spoolsv.exe   ->  3400  (151)
  3528  spoolsv.exe   ->  1848  (154)
  4288  spoolsv.exe   ->  2948  (155)
  3220  spoolsv.exe   ->  636   (156)
  372   spoolsv.exe   ->  4720  (157)
  4364  spoolsv.exe   ->  2448  (158)
  4564  spoolsv.exe   ->  4416  (161)
  3472  spoolsv.exe   ->  4492  (162)
  4268  spoolsv.exe   ->  2912  (163)
  3328  spoolsv.exe   ->  4460  (165)
  960   spoolsv.exe   ->  4988  (167)
  2424  spoolsv.exe   ->  4712  (170)
  1816  explorer.exe  ->  3500  (172)
  4488  explorer.exe  ->  4180  (175)
  3196  spoolsv.exe   ->  4912  (176)
  856   explorer.exe  ->  4760  (181)
  3076  spoolsv.exe   ->  1352  (182)
  4708  explorer.exe  ->  1984  (187)
  3016  spoolsv.exe   ->  2196  (188)
  3464  explorer.exe  ->  1560  (193)
  4424  spoolsv.exe   ->  2740  (194)
  2216  explorer.exe  ->  4172  (198)
  2940  spoolsv.exe   ->  4476  (199)
  2332  spoolsv.exe   ->  3480  (201)
  844   explorer.exe  ->  5036  (203)
  2824  spoolsv.exe   ->  4224  (204)
  3344  spoolsv.exe   ->  2204  (207)
  4980  explorer.exe  ->  4824  (209)
  760   spoolsv.exe   ->  2856  (211)
  4608  spoolsv.exe   ->  400   (213)
  4820  spoolsv.exe   ->  2852  (215)
  3632  explorer.exe  ->  3660  (216)
  3092  spoolsv.exe   ->  212   (218)
Drops file in Windows directory  (64 IoCs)
  File opened for modification  \??\c:\windows\system\explorer.exe  (process: b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe)
  File opened for modification  \??\c:\windows\system\spoolsv.exe  (process: explorer.exe)
  File opened for modification  C:\Windows\system\udsys.exe  (process: explorer.exe)
  File opened for modification  C:\Windows\Parameters.ini  (all remaining entries: repeatedly by spoolsv.exe and explorer.exe instances, once by b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe)
Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  PID 640 b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe (2 entries); PID 3628 explorer.exe (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  PID 3628 explorer.exe
Suspicious use of SetWindowsHookEx  (64 IoCs)
  PID 640 b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe (2 entries); PID 3628 explorer.exe (4 entries)
  spoolsv.exe, 2 entries each: PIDs 3988, 1604, 2736, 4928, 4168, 4040, 4404, 3624, 464, 2212, 1420, 368, 5116, 1384, 1688, 1288, 4688, 3400, 1848, 2948, 636, 4720, 2448, 4416, 4492, 2912, 4460, 4988, 4712
Suspicious use of WriteProcessMemory  (64 IoCs; the table stops at 64 entries)
  writer PID  writer process  ->  target PID  (procid_target)  entries
  3904  b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe  ->  3192  (82)   x2
  3904  b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe  ->  640   (86)   x5
  640   b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe  ->  4232  (87)   x3
  4232  explorer.exe  ->  3628  (95)   x5
  3628  explorer.exe  ->  4048  (96)   x3
  3628  explorer.exe  ->  840   (97)   x3
  3628  explorer.exe  ->  1920  (98)   x3
  3628  explorer.exe  ->  1624  (99)   x3
  3628  explorer.exe  ->  4880  (100)  x3
  3628  explorer.exe  ->  1824  (101)  x3
  3628  explorer.exe  ->  540   (102)  x3
  3628  explorer.exe  ->  5088  (103)  x3
  3628  explorer.exe  ->  4792  (104)  x3
  3628  explorer.exe  ->  2848  (105)  x3
  3628  explorer.exe  ->  3172  (106)  x3
  3628  explorer.exe  ->  4512  (107)  x3
  3628  explorer.exe  ->  3708  (108)  x3
  3628  explorer.exe  ->  2680  (109)  x3
  3628  explorer.exe  ->  1876  (110)  x3
  3628  explorer.exe  ->  908   (111)  x3
  3628  explorer.exe  ->  3672  (112)  x1 (table cut here)
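Read together with the process tree, the SetThreadContext and WriteProcessMemory tables show the launch pattern: every stage starts a copy of its own image, writes into it and sets the new process's thread context, so the child is the working stage and its parent is only a loader (3904 into 640, 4232 into 3628, each "spoolsv.exe SE" into its quoted child, and so on). WriteProcessMemory on its own is a noisy signal in this report, since it is also logged for ordinary children such as splwow64.exe; the strong signal is SetThreadContext into a same-image child. The block below is an added example, not sandbox code: the PIDs are transcribed from one branch of the tree and from the rows of the two tables above, and the function names are this example's own.

```python
"""Find self-hollowing launch steps in a sandbox process tree. Added example,
not part of the sandbox output; PIDs below are transcribed from this report
(one branch of the tree) and the function names are this example's own."""

# (pid, image, parent_pid) from the Processes tree, first branch only.
PROCS = [
    (3904, "b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe", None),
    (3192, "splwow64.exe", 3904),
    (640,  "b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe", 3904),
    (4232, "explorer.exe", 640),
    (3628, "explorer.exe", 4232),
    (4048, "spoolsv.exe", 3628),
    (324,  "spoolsv.exe", 4048),
    (1816, "explorer.exe", 324),
    (3500, "explorer.exe", 1816),
    (840,  "spoolsv.exe", 3628),
    (3988, "spoolsv.exe", 840),
]
# (source_pid, target_pid) from 'set thread context of' for the same branch.
SET_THREAD_CONTEXT = [(3904, 640), (4232, 3628), (4048, 324), (840, 3988), (1816, 3500)]
# (source_pid, target_pid) from 'wrote to memory of'; only rows the report lists
# (its table stops at 64 entries, before the spoolsv.exe pairs).
WRITE_PROCESS_MEMORY = [(3904, 3192), (3904, 640), (640, 4232), (4232, 3628), (3628, 4048), (3628, 840)]


def _tables(procs):
    image = {pid: img for pid, img, _ in procs}
    parent = {pid: ppid for pid, _, ppid in procs}
    return image, parent


def hollowing_candidates(procs, stc, wpm):
    """(source, target, image, memory_write_seen) for every SetThreadContext whose
    target is the source's own child running the same image. A logged write into
    the target corroborates the hollow but is not required, because the write
    table in this report is truncated and later pairs have no matching row."""
    image, parent = _tables(procs)
    writes = set(wpm)
    return [
        (src, dst, image[dst], (src, dst) in writes)
        for src, dst in stc
        if image.get(src) == image.get(dst) and parent.get(dst) == src
    ]


def lineage(procs, pid):
    """pid followed by each ancestor up to the root of the tree."""
    _, parent = _tables(procs)
    chain = [pid]
    while parent.get(chain[-1]) is not None:
        chain.append(parent[chain[-1]])
    return chain


def hollow_hops(procs, stc, wpm, pid):
    """How many self-hollowing steps lie between the original sample and pid."""
    steps = {(s, d) for s, d, _, _ in hollowing_candidates(procs, stc, wpm)}
    chain = lineage(procs, pid)
    return sum(1 for child, par in zip(chain, chain[1:]) if (par, child) in steps)


def loader_pids(procs, stc, wpm):
    """Sources of a hollow: processes that exist only to stage the next image."""
    return sorted({s for s, _, _, _ in hollowing_candidates(procs, stc, wpm)})


if __name__ == "__main__":
    for src, dst, img, seen in hollowing_candidates(PROCS, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(f"{src} -> {dst} ({img}) write_seen={seen}")
    print("lineage of 3500:", lineage(PROCS, 3500))
    print("hollow hops to 3500:", hollow_hops(PROCS, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, 3500))
```

For PID 3500, the deepest process in the first branch, the lineage runs back through 1816, 324, 4048, 3628, 4232 and 640 to the submitted sample, and four of those seven parent/child edges are hollowing steps. The same loader/payload split explains why the signatures cluster on the even-numbered stages: the quoted "c:\windows\system\explorer.exe" (3628) is the instance that writes the registry, while its unquoted parent (4232) only shows SetThreadContext and WriteProcessMemory.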
Processes

One process per line: command line, PID, then the signatures attributed to it in brackets. Indentation is the parent/child depth of the original tree (levels 1 to 8).

"C:\Users\Admin\AppData\Local\Temp\b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe"  (PID 3904)  [Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory]
  C:\Windows\splwow64.exe 12288  (PID 3192)
  "C:\Users\Admin\AppData\Local\Temp\b4d261556e6cf35bb4ad759f1e62b6bb_JaffaCakes118.exe"  (PID 640)  [Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
    c:\windows\system\explorer.exe  (PID 4232)  [Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
      "c:\windows\system\explorer.exe"  (PID 3628)  [Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
        c:\windows\system\spoolsv.exe SE  (PID 4048)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 324)  [Executes dropped EXE]
            c:\windows\system\explorer.exe  (PID 1816)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              "c:\windows\system\explorer.exe"  (PID 3500)
        c:\windows\system\spoolsv.exe SE  (PID 840)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 3988)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 1920)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 1604)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 1624)  [Executes dropped EXE; Suspicious use of SetThreadContext]
          "c:\windows\system\spoolsv.exe"  (PID 2736)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            c:\windows\system\explorer.exe  (PID 4488)  [Executes dropped EXE; Suspicious use of SetThreadContext]
              "c:\windows\system\explorer.exe"  (PID 4180)
        c:\windows\system\spoolsv.exe SE  (PID 4880)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4928)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 1824)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4168)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 540)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4040)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 5088)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4404)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 4792)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 3624)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 2848)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 464)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            c:\windows\system\explorer.exe  (PID 856)  [Executes dropped EXE; Suspicious use of SetThreadContext]
              "c:\windows\system\explorer.exe"  (PID 4760)
        c:\windows\system\spoolsv.exe SE  (PID 3172)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 2212)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 4512)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 1420)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 3708)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 368)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 2680)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 5116)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 1876)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 1384)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            c:\windows\system\explorer.exe  (PID 4708)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              "c:\windows\system\explorer.exe"  (PID 1984)
        c:\windows\system\spoolsv.exe SE  (PID 908)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 1688)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 3672)  [Executes dropped EXE; Suspicious use of SetThreadContext]
          "c:\windows\system\spoolsv.exe"  (PID 1288)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 1404)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4688)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 2976)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 3400)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            c:\windows\system\explorer.exe  (PID 3464)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              "c:\windows\system\explorer.exe"  (PID 1560)
        c:\windows\system\spoolsv.exe SE  (PID 3528)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 1848)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 4288)  [Executes dropped EXE; Suspicious use of SetThreadContext]
          "c:\windows\system\spoolsv.exe"  (PID 2948)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 3220)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 636)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 372)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4720)  [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 4364)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 2448)  [Suspicious use of SetWindowsHookEx]
            c:\windows\system\explorer.exe  (PID 2216)  [Suspicious use of SetThreadContext]
              "c:\windows\system\explorer.exe"  (PID 4172)
        c:\windows\system\spoolsv.exe SE  (PID 4564)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4416)  [Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 3472)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4492)  [Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 4268)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 2912)  [Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 3328)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4460)  [Suspicious use of SetWindowsHookEx]
            c:\windows\system\explorer.exe  (PID 844)  [Suspicious use of SetThreadContext; Drops file in Windows directory]
              "c:\windows\system\explorer.exe"  (PID 5036)
        c:\windows\system\spoolsv.exe SE  (PID 960)  [Executes dropped EXE; Suspicious use of SetThreadContext]
          "c:\windows\system\spoolsv.exe"  (PID 4988)  [Suspicious use of SetWindowsHookEx]
        c:\windows\system\spoolsv.exe SE  (PID 2424)  [Executes dropped EXE; Suspicious use of SetThreadContext]
          "c:\windows\system\spoolsv.exe"  (PID 4712)  [Suspicious use of SetWindowsHookEx]
            c:\windows\system\explorer.exe  (PID 4980)  [Suspicious use of SetThreadContext; Drops file in Windows directory]
              "c:\windows\system\explorer.exe"  (PID 4824)
        c:\windows\system\spoolsv.exe SE  (PID 3196)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4912)
            c:\windows\system\explorer.exe  (PID 3632)  [Suspicious use of SetThreadContext; Drops file in Windows directory]
              "c:\windows\system\explorer.exe"  (PID 3660)
        c:\windows\system\spoolsv.exe SE  (PID 3076)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 1352)
            c:\windows\system\explorer.exe  (PID 1076)  [Drops file in Windows directory]
        c:\windows\system\spoolsv.exe SE  (PID 3016)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 2196)
            c:\windows\system\explorer.exe  (PID 436)  [Drops file in Windows directory]
        c:\windows\system\spoolsv.exe SE  (PID 4424)  [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 2740)
            c:\windows\system\explorer.exe  (PID 3684)  [Drops file in Windows directory]
        c:\windows\system\spoolsv.exe SE  (PID 2940)  [Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4476)
            c:\windows\system\explorer.exe  (PID 3460)
        c:\windows\system\spoolsv.exe SE  (PID 2332)  [Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 3480)
        c:\windows\system\spoolsv.exe SE  (PID 2824)  [Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 4224)
            c:\windows\system\explorer.exe  (PID 3244)  [Drops file in Windows directory]
        c:\windows\system\spoolsv.exe SE  (PID 3344)  [Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 2204)
            c:\windows\system\explorer.exe  (PID 1888)  [Drops file in Windows directory]
        c:\windows\system\spoolsv.exe SE  (PID 760)  [Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 2856)
        c:\windows\system\spoolsv.exe SE  (PID 4608)  [Suspicious use of SetThreadContext; Drops file in Windows directory]
          "c:\windows\system\spoolsv.exe"  (PID 400)
            c:\windows\system\explorer.exe  (PID 4304)  [Drops file in Windows directory]
        c:\windows\system\spoolsv.exe SE  (PID 4820)  [Suspicious use of SetThreadContext; Drops file in Windows directory]
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2852
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:3092 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:212
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:996
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1640
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2016
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5096
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:316
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:460
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4848
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2348
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3816
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1140
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3788
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:868
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1924
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:672
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3456
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1996
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Downloads

Filesize
74B
MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Filesize
2.2MB
MD5 654660bb79a731a33bdd7b34d1d7126a
SHA1 22b327b910a18a05cefe54ac7750e99c492d5d9f
SHA256 6380c3a3fd96c21c54891cb5bab4ca81d295d13944c1973ea9dbc2331375de82
SHA512 5179a2074b70a28fe175381f21568df21acd492386bd49c44a13080c9993c019f6025aeebbf07d7439e29d3fb40612467f2696ad4b0d7242f5a10160ec7a2935

Filesize
2.2MB
MD5 f2e287de76a16bbc31be1ca79946529a
SHA1 79c736b9f90fbea23aa54cfbe8d123eff2bee505
SHA256 83ef6c1d1e92c769ca205fda3faf88f49331fce901438f7b841773e58f8e6b7a
SHA512 02d6ac5461b7f3f8afb315abb74ede7dfce8347fd0b70df204b18c9d9bc70b6abb96cd0813487e414faa6feac745907200c40a00516d850be7f156d529faa817