Analysis
-
max time kernel
97s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
16-06-2024 19:01
Behavioral task
behavioral1
Sample
b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe
Resource
win7-20231129-en
General
-
Target
b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
b4b43abcb8b8c8929334e4dc61f8abd4
-
SHA1
43623acb361c632d3f3cc3378991553d4417df5e
-
SHA256
2f56a9b3793e42538c371b31ff0d3bd8c0923bec42fcc2f045195482188cccf8
-
SHA512
5eea88c18204ab7c2c4a454d8f4572f04b7b547b42d68c01c5989a1f3ab244ffe9d92b1d4b56e4f83983fd19b308e0c22d0c5a64a4c82e69c48bd0c0cc90f321
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZY:0UzeyQMS4DqodCnoe+iitjWwwk
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
pid Process 2456 explorer.exe 328 explorer.exe 1608 spoolsv.exe 1444 spoolsv.exe 2224 spoolsv.exe 2400 spoolsv.exe 1100 spoolsv.exe 1560 spoolsv.exe 2640 spoolsv.exe 2508 spoolsv.exe 1192 spoolsv.exe 2756 spoolsv.exe 1636 spoolsv.exe 1120 spoolsv.exe 1432 spoolsv.exe 2008 spoolsv.exe 2296 spoolsv.exe 2484 spoolsv.exe 1824 spoolsv.exe 1404 spoolsv.exe 672 spoolsv.exe 2992 spoolsv.exe 2068 spoolsv.exe 1588 spoolsv.exe 2564 spoolsv.exe 112 spoolsv.exe 1564 spoolsv.exe 2240 spoolsv.exe 2796 spoolsv.exe 2056 spoolsv.exe 2920 spoolsv.exe 2468 spoolsv.exe 2184 spoolsv.exe 836 spoolsv.exe 2276 spoolsv.exe 2820 spoolsv.exe 2940 spoolsv.exe 2464 spoolsv.exe 2404 spoolsv.exe 1036 spoolsv.exe 1048 spoolsv.exe 1704 spoolsv.exe 2136 spoolsv.exe 1512 spoolsv.exe 1148 spoolsv.exe 1688 spoolsv.exe 2568 spoolsv.exe 936 spoolsv.exe 444 spoolsv.exe 940 spoolsv.exe 2652 spoolsv.exe 1420 spoolsv.exe 1900 spoolsv.exe 2540 spoolsv.exe 2692 spoolsv.exe 1632 spoolsv.exe 2200 spoolsv.exe 1568 spoolsv.exe 1744 spoolsv.exe 2748 spoolsv.exe 536 spoolsv.exe 2876 spoolsv.exe 2248 spoolsv.exe 2020 spoolsv.exe -
Loads dropped DLL 64 IoCs
pid Process 2660 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 2660 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3024 set thread context of 2660 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 29 PID 2456 set thread context of 328 2456 explorer.exe 33 -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2660 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 328 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2660 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 2660 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe 328 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3024 wrote to memory of 2144 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 28 PID 3024 wrote to memory of 2144 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 28 PID 3024 wrote to memory of 2144 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 28 PID 3024 wrote to memory of 2144 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 28 PID 3024 wrote to memory of 2660 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 29 PID 3024 wrote to memory of 2660 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 29 PID 3024 wrote to memory of 2660 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 29 PID 3024 wrote to memory of 2660 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 29 PID 3024 wrote to memory of 2660 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 29 PID 3024 wrote to memory of 2660 3024 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 29 PID 2660 wrote to memory of 2456 2660 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 30 PID 2660 wrote to memory of 2456 2660 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 30 PID 2660 wrote to memory of 2456 2660 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 30 PID 2660 wrote to memory of 2456 2660 b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe 30 PID 2456 wrote to memory of 328 2456 explorer.exe 33 PID 2456 wrote to memory of 328 2456 explorer.exe 33 PID 2456 wrote to memory of 328 2456 explorer.exe 33 PID 2456 wrote to memory of 328 2456 explorer.exe 33 PID 2456 wrote to memory of 328 2456 explorer.exe 33 PID 2456 wrote to memory of 328 2456 explorer.exe 33 PID 328 wrote to memory of 1608 328 explorer.exe 34 PID 328 wrote to memory of 1608 328 explorer.exe 34 PID 328 wrote to memory of 1608 328 explorer.exe 34 PID 328 wrote to memory of 1608 328 explorer.exe 34 PID 328 wrote to memory of 1444 328 explorer.exe 35 PID 328 wrote to memory of 1444 328 explorer.exe 35 PID 328 wrote to memory of 1444 328 explorer.exe 35 PID 328 wrote to memory of 1444 328 explorer.exe 35 PID 328 wrote to memory of 2224 328 explorer.exe 36 PID 328 wrote to memory of 2224 328 explorer.exe 36 PID 328 wrote to memory of 2224 328 explorer.exe 36 PID 328 wrote to memory of 2224 328 explorer.exe 36 PID 328 wrote to memory of 2400 328 explorer.exe 37 PID 328 wrote to memory of 2400 328 explorer.exe 37 PID 328 wrote to memory of 2400 328 explorer.exe 37 PID 328 wrote to memory of 2400 328 explorer.exe 37 PID 328 wrote to memory of 1100 328 explorer.exe 38 PID 328 wrote to memory of 1100 328 explorer.exe 38 PID 328 wrote to memory of 1100 328 explorer.exe 38 PID 328 wrote to memory of 1100 328 explorer.exe 38 PID 328 wrote to memory of 1560 328 explorer.exe 39 PID 328 wrote to memory of 1560 328 explorer.exe 39 PID 328 wrote to memory of 1560 328 explorer.exe 39 PID 328 wrote to memory of 1560 328 explorer.exe 39 PID 328 wrote to memory of 2640 328 explorer.exe 40 PID 328 wrote to memory of 2640 328 explorer.exe 40 PID 328 wrote to memory of 2640 328 explorer.exe 40 PID 328 wrote to memory of 2640 328 explorer.exe 40 PID 328 wrote to memory of 2508 328 explorer.exe 41 PID 328 wrote to memory of 2508 328 explorer.exe 41 PID 328 wrote to memory of 2508 328 explorer.exe 41 PID 328 wrote to memory of 2508 328 explorer.exe 41 PID 328 wrote to memory of 1192 328 explorer.exe 42 PID 328 wrote to memory of 1192 328 explorer.exe 42 PID 328 wrote to memory of 1192 328 explorer.exe 42 PID 328 wrote to memory of 1192 328 explorer.exe 42 PID 328 wrote to memory of 2756 328 explorer.exe 43 PID 328 wrote to memory of 2756 328 explorer.exe 43 PID 328 wrote to memory of 2756 328 explorer.exe 43 PID 328 wrote to memory of 2756 328 explorer.exe 43 PID 328 wrote to memory of 1636 328 explorer.exe 44 PID 328 wrote to memory of 1636 328 explorer.exe 44 PID 328 wrote to memory of 1636 328 explorer.exe 44 PID 328 wrote to memory of 1636 328 explorer.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2144
-
-
C:\Users\Admin\AppData\Local\Temp\b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4b43abcb8b8c8929334e4dc61f8abd4_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:328 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1608 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4528
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4792
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1444 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4532
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2224 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5232
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2400 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4464
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1100 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6672
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1560 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6072
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2640 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6776
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2508
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1192 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6852
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2756
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1636
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1120
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1432
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2008
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2296
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2484
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1824
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1404
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:672
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2992
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2068
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1588
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2564
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:112
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1564
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2240
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2796
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2056
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2920
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2468
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2184
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:836
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2276
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2820
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2940
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2464
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2404
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1036
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1048
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1704
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2136
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1512
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1148
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1688
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2568
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:936
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:444
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:940
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2652
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1420
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:1900
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2540
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2692
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1632
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2200
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1568
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1744
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2748
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:536
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2876
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2248
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:2020
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:268
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2592
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2116
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:572
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2320
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1684
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2552
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2260
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2932
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2448
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2204
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3124
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3280
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3436
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3596
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3756
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3916
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4084
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3204
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3388
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3564
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3744
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1968
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3184
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3308
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3488
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3688
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3888
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3092
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3220
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3448
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3708
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3912
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3132
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3360
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3660
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1976
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3160
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3312
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3776
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4092
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3256
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3544
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3904
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3196
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3500
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4040
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3364
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3804
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4008
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3680
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4000
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3652
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3384
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3960
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3584
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3456
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3200
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4024
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3272
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3604
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3084
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3120
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3480
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3648
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4208
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4388
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4544
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4704
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4864
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5012
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4144
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4324
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4504
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4680
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4852
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5044
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4196
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4428
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4624
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4808
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5100
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4280
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4524
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4768
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4988
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4184
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4472
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4744
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4984
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4264
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4584
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4912
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4128
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:6584
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
2.2MB
MD58155cf090e3ae77951a8eb25261baa38
SHA12ba80102aa624c6e8c2f5078f324827edf2d4551
SHA25697ae655971a2d5660ae40ef0a5fd2df68a429d306709a7d95b30d35a1f87e538
SHA512c2e38907d43cbf2b685ce90c692b70665d24097f709027c6d55839a7eebfacb63ad4a7df1a93931e7c8027878e3216926f5994f6941109bdc165978a2d2fbe16
-
Filesize
2.2MB
MD536f9b396a5b7465472be42453333f65e
SHA12def75669ff55baaabadc4b450b07d5207be0fef
SHA25611581c0d1d25d7cbadc43d97fc5478d38dfdbb9b5ae0d4cdc557808d6d5532d4
SHA51251d36d268de1a61534f360a5c8e8e49bc3eb4ddc8957fee54608e2834be0e252bcc6adf59485a34132751f3f447eabebeb439005aa7b65c84f160c1eb850c20f