Analysis

max time kernel: 138s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-09-2024 23:23

Behavioral task: behavioral1
Sample: db68c330dce5a2a361233ed80dc3008b_JaffaCakes118.exe
Resource: win7-20240903-en

General

Target: db68c330dce5a2a361233ed80dc3008b_JaffaCakes118.exe
Size: 2.2MB
MD5: db68c330dce5a2a361233ed80dc3008b
SHA1: fb0501ca933bf8ee20c8731d38a9e99c97f65696
SHA256: 5f2042d3fc2c4dd2fe230a2cfb30127d98c79ca8cbbd32bd615e0f533c14728a
SHA512: 960e9e29f1c20029d697b73e826f486ee61b7d1306cf80aa4f65c0009fd534e8a0c5ebb5ec2233c7465086391c1715dcce0145d045332520a12ae66dff62f42b
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ5:0UzeyQMS4DqodCnoe+iitjWww1

Malware Config

Extracted family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\db68c330dce5a2a361233ed80dc3008b_JaffaCakes118.exe (process: db68c330dce5a2a361233ed80dc3008b_JaffaCakes118.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\db68c330dce5a2a361233ed80dc3008b_JaffaCakes118.exe (process: db68c330dce5a2a361233ed80dc3008b_JaffaCakes118.exe)

Executes dropped EXE (64 IoCs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)

Suspicious use of SetThreadContext (46 IoCs)

Drops file in Windows directory (64 IoCs)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious use of SetWindowsHookEx (64 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)

Processes

[1] C:\Users\Admin\AppData\Local\Temp\db68c330dce5a2a361233ed80dc3008b_JaffaCakes118.exe (PID 5044)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\db68c330dce5a2a361233ed80dc3008b_JaffaCakes118.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe (PID 1628)
      cmdline: C:\Windows\splwow64.exe 12288
  [2] C:\Users\Admin\AppData\Local\Temp\db68c330dce5a2a361233ed80dc3008b_JaffaCakes118.exe (PID 2040)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\db68c330dce5a2a361233ed80dc3008b_JaffaCakes118.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe (PID 3892)
        cmdline: c:\windows\system\explorer.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe (PID 3440)
          cmdline: "c:\windows\system\explorer.exe"
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe (PID 4596)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4564)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 220)
                cmdline: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
              [8] \??\c:\windows\system\explorer.exe (PID 1500)
                  cmdline: "c:\windows\system\explorer.exe"
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3044)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe (PID 4356)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1680)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4152)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4504)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4936)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 2024)
                cmdline: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
              [8] \??\c:\windows\system\explorer.exe (PID 832)
                  cmdline: "c:\windows\system\explorer.exe"
                  - System Location Discovery: System Language Discovery
        [5] \??\c:\windows\system\spoolsv.exe (PID 3808)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1940)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4652)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe (PID 4084)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3364)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4428)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 1740)
                cmdline: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 4272)
                  cmdline: "c:\windows\system\explorer.exe"
                  - System Location Discovery: System Language Discovery
        [5] \??\c:\windows\system\spoolsv.exe (PID 4988)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3656)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4352)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe (PID 3896)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3972)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe (PID 5048)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 3312)
                cmdline: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
              [8] \??\c:\windows\system\explorer.exe (PID 4560)
                  cmdline: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4656)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3476)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3936)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe (PID 900)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1556)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2052)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 640)
                cmdline: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
              [8] \??\c:\windows\system\explorer.exe (PID 2068)
                  cmdline: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4776)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe (PID 2972)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3492)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2692)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4916)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe (PID 2976)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1616)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe (PID 4940)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 5028)
                cmdline: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 3600)
                  cmdline: "c:\windows\system\explorer.exe"
                  - System Location Discovery: System Language Discovery
        [5] \??\c:\windows\system\spoolsv.exe (PID 5016)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe (PID 3548)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 536)
            cmdline: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
          [6] \??\c:\windows\system\spoolsv.exe (PID 1304)
              cmdline: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe
            cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:728 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3056 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2084
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1608 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1828
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2360 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4568
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:804 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2408 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:316 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1564
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1672 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:936
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:528 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4468
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:828 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4972 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4548 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:4676
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1684 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4264 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3988 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3024
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4544 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:1872 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1688 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1716
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:212 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:636 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3712 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4672
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2396 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3552
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3772
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3000 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2036
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:1632
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2244 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:912
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4892
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1540 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4020 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1612
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3328 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4992
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1368
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4240 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3932
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:684 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1820
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2240
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4376 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:764
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3004
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3396 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3536
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:424 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4432
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4280
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1580 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4372
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4212 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1224
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1640 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3532
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3204
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2732
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1140
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4620
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1152
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:180
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2816
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4308
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- System Location Discovery: System Language Discovery
PID:4664
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2032
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3752
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4248
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3408
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:624
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:5104
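The chains above repeat one shape: `spoolsv.exe SE` starts a second `spoolsv.exe` with a quoted command line while itself hitting SetThreadContext, the child then calls SetWindowsHookEx, and several of those children do the same again with `explorer.exe`. A parent that manipulates the thread context of a freshly started copy of its own image is what a RunPE-style self-injection looks like in a process tree (the child is started suspended, its memory replaced, its entry point redirected); the hook in the child is consistent with keyboard or message interception, but the report does not show what the hook does, so treat both as indicators rather than proof. The script below is an added example, not part of the sandbox report: it rebuilds parent/child links from the depth column (no PPIDs are printed) and flags that pattern. The records in `SAMPLE` are constructed from a handful of the nodes above.

```python
"""Flag RunPE-style self-injection chains in a sandbox process tree.

Added example (not part of the sandbox report). Input records carry the
depth column the report prints, so parent/child links can be rebuilt
without PPIDs. A hit is a parent that used SetThreadContext and whose
child runs the same image; we also record whether the child went on to
install a window hook, which is what the tree above shows for spoolsv.exe.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Proc:
    depth: int
    cmdline: str
    pid: int
    sigs: tuple[str, ...]
    parent: Proc | None = None
    children: list[Proc] = field(default_factory=list)

    @property
    def image(self) -> str:
        """Executable path from the command line, quotes stripped, lower-cased."""
        cl = self.cmdline.strip()
        if cl.startswith('"'):
            return cl[1 : cl.index('"', 1)].lower()
        return cl.split()[0].lower()


def link_tree(records: list[tuple[int, str, int, list[str]]]) -> list[Proc]:
    """Rebuild parent links from the depth column.

    The report lists nodes depth-first, so the parent of a node at depth d
    is the most recent node seen at depth d-1, and a new node at depth d
    invalidates anything previously seen at depth d or deeper.
    """
    procs: list[Proc] = []
    last_at_depth: dict[int, Proc] = {}
    for depth, cmdline, pid, sigs in records:
        p = Proc(depth, cmdline, pid, tuple(sigs))
        parent = last_at_depth.get(depth - 1)
        if parent is not None:
            p.parent = parent
            parent.children.append(p)
        for d in [d for d in last_at_depth if d >= depth]:
            del last_at_depth[d]
        last_at_depth[depth] = p
        procs.append(p)
    return procs


THREAD_CONTEXT = "Suspicious use of SetThreadContext"
WINDOW_HOOK = "Suspicious use of SetWindowsHookEx"


def find_self_injection(procs: list[Proc]) -> list[tuple[int, int, str, bool]]:
    """(parent pid, child pid, image, child installed a hook) for each suspect pair."""
    hits = []
    for p in procs:
        if THREAD_CONTEXT not in p.sigs:
            continue
        for c in p.children:
            if c.image == p.image:
                hits.append((p.pid, c.pid, c.image, WINDOW_HOOK in c.sigs))
    return hits


# Constructed from a few of the nodes in the tree above: (depth, cmdline, pid, signatures).
SAMPLE = [
    (5, r"c:\windows\system\spoolsv.exe SE", 1556,
     ["Executes dropped EXE", THREAD_CONTEXT, "Drops file in Windows directory"]),
    (6, r'"c:\windows\system\spoolsv.exe"', 2052,
     ["Executes dropped EXE", "System Location Discovery: System Language Discovery", WINDOW_HOOK]),
    (7, r"c:\windows\system\explorer.exe", 640,
     ["Executes dropped EXE", THREAD_CONTEXT, "System Location Discovery: System Language Discovery"]),
    (8, r'"c:\windows\system\explorer.exe"', 2068, []),
    (5, r"c:\windows\system\spoolsv.exe SE", 4776,
     ["Executes dropped EXE", THREAD_CONTEXT, "System Location Discovery: System Language Discovery"]),
    (6, r'"c:\windows\system\spoolsv.exe"', 2972,
     ["Executes dropped EXE", "System Location Discovery: System Language Discovery", WINDOW_HOOK]),
    (5, r"c:\windows\system\spoolsv.exe SE", 2032, []),
    (1, r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc", 5104, []),
]

PROCS = link_tree(SAMPLE)
HITS = find_self_injection(PROCS)

if __name__ == "__main__":
    for parent_pid, child_pid, image, hooked in HITS:
        print(f"{image}: PID {parent_pid} -> PID {child_pid}"
              f"{' (child installs window hook)' if hooked else ''}")
```

On the constructed sample this yields three pairs: both `spoolsv.exe SE` parents into their quoted children (with a hook in the child) and the `explorer.exe` parent into its quoted child. The quoted `spoolsv.exe` that spawns `explorer.exe` is not a hit, because the images differ; that edge is a plain drop-and-execute, not injection.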
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (T1547): 3
    Active Setup (T1547.014): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 3
    Active Setup (T1547.014): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Defense Evasion
  Hide Artifacts (T1564): 1
    Hidden Files and Directories (T1564.001): 1
  Modify Registry (T1112): 4
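In registry terms, Winlogon Helper DLL is typically an extra entry in the Winlogon `Shell` (or `Userinit`) value, Active Setup is a `StubPath` under `Installed Components`, and Hidden Files and Directories is a write to Explorer's `ShowSuperHidden` or `Hidden` values. The block below is an added example, not the sandbox's own logic: it triages such writes once they have been collected (with `reg query`, `Get-ItemProperty`, or from an EDR event stream) into one record per write. Record layout, paths and GUIDs in `SAMPLE` are constructed and hypothetical. One practical caveat: a 32-bit sample on 64-bit Windows lands under `WOW6432Node`, so collect both registry views.

```python
"""Triage registry writes for the persistence / hiding techniques listed above.

Added example, not the sandbox's detection logic. Each record is one
registry write as a sandbox or EDR would report it: key, value name, data
and the process that wrote it. The sample records are constructed and the
paths and GUIDs in them are hypothetical.
"""
from __future__ import annotations

import re

# Values Windows itself puts in Winlogon\Shell; any extra comma-separated entry is a helper.
STOCK_SHELL = {"explorer.exe", r"c:\windows\explorer.exe"}
# Locations a legitimate Active Setup stub does not run from.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def check_winlogon_shell(data: str) -> list[str]:
    """Flag every Shell entry beyond the stock explorer.exe (Winlogon helper persistence)."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [f"Winlogon\\Shell carries extra entry: {e}"
            for e in entries if e.lower() not in STOCK_SHELL]


def check_active_setup_stub(component: str, stub_path: str) -> list[str]:
    """Flag Active Setup components with a malformed id or a stub in a user-writable path."""
    findings = []
    if not GUID_RE.fullmatch(component):
        findings.append(f"Active Setup component id is not a GUID: {component}")
    if any(marker in stub_path.lower() for marker in USER_WRITABLE):
        findings.append(f"Active Setup StubPath runs from a user-writable location: {stub_path}")
    return findings


def check_show_super_hidden(data: int, writer: str) -> list[str]:
    """ShowSuperHidden=0 is the Windows default, so the signal is an untrusted writer setting it."""
    if data == 0 and writer.lower() != r"c:\windows\explorer.exe":
        return [f"ShowSuperHidden forced to 0 by {writer} (re-hides protected OS files)"]
    return []


def triage(records: list[dict]) -> list[str]:
    """Route each registry write to the matching check; returns human-readable findings."""
    findings: list[str] = []
    for r in records:
        key, name = r["key"].lower(), r["name"].lower()
        if key.endswith("\\winlogon") and name == "shell":
            findings += check_winlogon_shell(r["data"])
        elif "\\active setup\\installed components\\" in key and name == "stubpath":
            findings += check_active_setup_stub(r["key"].rsplit("\\", 1)[1], r["data"])
        elif key.endswith("\\explorer\\advanced") and name == "showsuperhidden":
            findings += check_show_super_hidden(r["data"], r["writer"])
    return findings


# Constructed records (hypothetical paths and GUIDs), shaped like sandbox "Set value" events.
SAMPLE = [
    {"key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "Shell", "data": r"explorer.exe, c:\windows\system\shell.exe",
     "writer": r"c:\windows\system\shell.exe"},
    {"key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A2B3C4D-ZZZZ-1234-0000-00000000ABCD}",
     "name": "StubPath", "data": r"C:\Users\Admin\AppData\Roaming\sys.exe MR",
     "writer": r"c:\windows\system\shell.exe"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B2C3D4E-0000-4000-8000-000000000001}",
     "name": "StubPath", "data": r"C:\Windows\System32\setupstub.exe /quiet",
     "writer": r"C:\Windows\System32\msiexec.exe"},
    {"key": r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "name": "ShowSuperHidden", "data": 0, "writer": r"c:\windows\system\shell.exe"},
]

FINDINGS = triage(SAMPLE)

if __name__ == "__main__":
    for finding in FINDINGS:
        print(finding)
```

The GUID check matters because Windows only ever creates Active Setup components with well-formed class identifiers; a non-hex "GUID" is a quick tell that something else wrote the key. The benign-looking third record produces no finding, which is the behaviour you want before wiring a check like this into alerting.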
Downloads

- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

- Filesize: 2.2MB
  MD5: 30fe1a15271da974a7adc8954563ddf5
  SHA1: 0046004d1882fc41e7b4fd7a4cfd6bd52f4d2577
  SHA256: 01718664f454c8dcad757dc931b192b533b8853247a08ec4cd2c85935942c07e
  SHA512: 68002c19e76efbddeea692806f30395fe64dcea8359f49696f98c91c44311598f58c942773046a38f3093a52e4d6b02b22da51528cb12087f5a3b183d9dcbb38

- Filesize: 2.2MB
  MD5: ca652b06153cafa3dab3e05458b0f538
  SHA1: a74c6c0b838ecb59c959f39ed90ac0877d9e58cd
  SHA256: 7046e514f220c083d22eca91e46004289a0e2b2ddb850c3a80eb862d12c04a43
  SHA512: 4df36b095e49f55e88010e14ebdd238b375af01733993b11da221e74a00aa6b23d0e0d6b9e5abe336f3c6c6c2fa107e5232c5036b749ac954670a7d99273a351