Analysis
-
max time kernel
142s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22-09-2024 09:14
Behavioral task
behavioral1
Sample
f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
f1b789a7a8ef785b57357e53b97894a2
-
SHA1
3b2e7d5c121d29f178c21d2d0465003f7cd01a65
-
SHA256
4d5ee321d223c7e685bfafdd3e2a92dbc38cc86e1099efd8a40c87303fff8c54
-
SHA512
7cda733e57cd1d0155bdf73ba88310d1134c5749065ecc424102cf1d47931165b8dc8fe806cb89d488e9d1162936325acc4e6e85e06375b556f64e4e8ae6c067
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZg:0UzeyQMS4DqodCnoe+iitjWwwM
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
pid Process 3444 explorer.exe 3948 explorer.exe 2064 spoolsv.exe 2368 spoolsv.exe 1896 spoolsv.exe 2760 spoolsv.exe 4080 spoolsv.exe 4524 spoolsv.exe 2268 spoolsv.exe 4556 spoolsv.exe 4512 spoolsv.exe 532 spoolsv.exe 3680 spoolsv.exe 4284 spoolsv.exe 1860 spoolsv.exe 4376 spoolsv.exe 3524 spoolsv.exe 1108 spoolsv.exe 1080 spoolsv.exe 3944 spoolsv.exe 4292 spoolsv.exe 3560 spoolsv.exe 2628 spoolsv.exe 4772 spoolsv.exe 3232 spoolsv.exe 1156 spoolsv.exe 3488 spoolsv.exe 4560 spoolsv.exe 4276 spoolsv.exe 4272 spoolsv.exe 3908 spoolsv.exe 2468 explorer.exe 2116 spoolsv.exe 1632 spoolsv.exe 4900 spoolsv.exe 4024 spoolsv.exe 4632 spoolsv.exe 2056 spoolsv.exe 3880 spoolsv.exe 5000 explorer.exe 1344 spoolsv.exe 3676 spoolsv.exe 1556 spoolsv.exe 3372 spoolsv.exe 4380 spoolsv.exe 4532 explorer.exe 4904 spoolsv.exe 4796 spoolsv.exe 1688 spoolsv.exe 3140 spoolsv.exe 368 explorer.exe 3088 spoolsv.exe 4776 spoolsv.exe 1116 spoolsv.exe 3368 spoolsv.exe 4088 spoolsv.exe 2184 spoolsv.exe 4804 explorer.exe 3304 spoolsv.exe 3696 spoolsv.exe 1100 spoolsv.exe 3616 spoolsv.exe 2856 spoolsv.exe 4840 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 49 IoCs
description pid Process procid_target PID 4796 set thread context of 2376 4796 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 91 PID 3444 set thread context of 3948 3444 explorer.exe 95 PID 2064 set thread context of 3908 2064 spoolsv.exe 124 PID 2368 set thread context of 2116 2368 spoolsv.exe 126 PID 1896 set thread context of 4900 1896 spoolsv.exe 128 PID 2760 set thread context of 4024 2760 spoolsv.exe 129 PID 4080 set thread context of 4632 4080 spoolsv.exe 130 PID 4524 set thread context of 3880 4524 spoolsv.exe 132 PID 2268 set thread context of 1344 2268 spoolsv.exe 134 PID 4556 set thread context of 3676 4556 spoolsv.exe 135 PID 4512 set thread context of 1556 4512 spoolsv.exe 136 PID 532 set thread context of 4380 532 spoolsv.exe 138 PID 3680 set thread context of 4904 3680 spoolsv.exe 140 PID 4284 set thread context of 1688 4284 spoolsv.exe 142 PID 1860 set thread context of 3140 1860 spoolsv.exe 143 PID 4376 set thread context of 4776 4376 spoolsv.exe 146 PID 3524 set thread context of 1116 3524 spoolsv.exe 147 PID 1108 set thread context of 3368 1108 spoolsv.exe 148 PID 1080 set thread context of 2184 1080 spoolsv.exe 150 PID 3944 set thread context of 3304 3944 spoolsv.exe 152 PID 4292 set thread context of 3696 4292 spoolsv.exe 153 PID 3560 set thread context of 1100 3560 spoolsv.exe 154 PID 2628 set thread context of 2856 2628 spoolsv.exe 156 PID 4772 set thread context of 876 4772 spoolsv.exe 158 PID 3232 set thread context of 5096 3232 spoolsv.exe 159 PID 1156 set thread context of 912 1156 spoolsv.exe 160 PID 3488 set thread context of 5100 3488 spoolsv.exe 163 PID 4560 set thread context of 2328 4560 spoolsv.exe 164 PID 4276 set thread context of 4576 4276 spoolsv.exe 166 PID 4272 set thread context of 3100 4272 spoolsv.exe 169 PID 2468 set thread context of 1960 2468 explorer.exe 173 PID 1632 set thread context of 1368 1632 spoolsv.exe 174 PID 2056 set thread context of 4228 2056 spoolsv.exe 178 PID 5000 set thread context of 1628 5000 explorer.exe 180 PID 3372 set thread context of 4920 3372 spoolsv.exe 182 PID 4532 set thread context of 3104 4532 explorer.exe 185 PID 4796 set thread context of 4760 4796 spoolsv.exe 186 PID 368 set thread context of 540 368 explorer.exe 190 PID 3088 set thread context of 2660 3088 spoolsv.exe 191 PID 4088 set thread context of 4264 4088 spoolsv.exe 195 PID 4804 set thread context of 1884 4804 explorer.exe 197 PID 4840 set thread context of 1012 4840 explorer.exe 200 PID 3616 set thread context of 632 3616 spoolsv.exe 201 PID 1568 set thread context of 2008 1568 spoolsv.exe 204 PID 2340 set thread context of 2412 2340 explorer.exe 206 PID 3000 set thread context of 1152 3000 spoolsv.exe 207 PID 1332 set thread context of 4472 1332 explorer.exe 208 PID 5024 set thread context of 2888 5024 spoolsv.exe 209 PID 3164 set thread context of 396 3164 explorer.exe 210 -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2376 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 2376 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3948 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2376 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 2376 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3948 explorer.exe 3908 spoolsv.exe 3908 spoolsv.exe 2116 spoolsv.exe 2116 spoolsv.exe 4900 spoolsv.exe 4900 spoolsv.exe 4024 spoolsv.exe 4024 spoolsv.exe 4632 spoolsv.exe 4632 spoolsv.exe 3880 spoolsv.exe 3880 spoolsv.exe 1344 spoolsv.exe 1344 spoolsv.exe 3676 spoolsv.exe 3676 spoolsv.exe 1556 spoolsv.exe 1556 spoolsv.exe 4380 spoolsv.exe 4380 spoolsv.exe 4904 spoolsv.exe 4904 spoolsv.exe 1688 spoolsv.exe 1688 spoolsv.exe 3140 spoolsv.exe 3140 spoolsv.exe 4776 spoolsv.exe 4776 spoolsv.exe 1116 spoolsv.exe 1116 spoolsv.exe 3368 spoolsv.exe 3368 spoolsv.exe 2184 spoolsv.exe 2184 spoolsv.exe 3304 spoolsv.exe 3304 spoolsv.exe 3696 spoolsv.exe 3696 spoolsv.exe 1100 spoolsv.exe 1100 spoolsv.exe 2856 spoolsv.exe 2856 spoolsv.exe 876 spoolsv.exe 876 spoolsv.exe 5096 spoolsv.exe 5096 spoolsv.exe 912 spoolsv.exe 912 spoolsv.exe 5100 spoolsv.exe 5100 spoolsv.exe 2328 spoolsv.exe 2328 spoolsv.exe 4576 spoolsv.exe 4576 spoolsv.exe 3100 spoolsv.exe 3100 spoolsv.exe 1960 explorer.exe 1960 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4796 wrote to memory of 5040 4796 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 82 PID 4796 wrote to memory of 5040 4796 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 82 PID 4796 wrote to memory of 2376 4796 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 91 PID 4796 wrote to memory of 2376 4796 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 91 PID 4796 wrote to memory of 2376 4796 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 91 PID 4796 wrote to memory of 2376 4796 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 91 PID 4796 wrote to memory of 2376 4796 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 91 PID 2376 wrote to memory of 3444 2376 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 92 PID 2376 wrote to memory of 3444 2376 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 92 PID 2376 wrote to memory of 3444 2376 f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe 92 PID 3444 wrote to memory of 3948 3444 explorer.exe 95 PID 3444 wrote to memory of 3948 3444 explorer.exe 95 PID 3444 wrote to memory of 3948 3444 explorer.exe 95 PID 3444 wrote to memory of 3948 3444 explorer.exe 95 PID 3444 wrote to memory of 3948 3444 explorer.exe 95 PID 3948 wrote to memory of 2064 3948 explorer.exe 96 PID 3948 wrote to memory of 2064 3948 explorer.exe 96 PID 3948 wrote to memory of 2064 3948 explorer.exe 96 PID 3948 wrote to memory of 2368 3948 explorer.exe 97 PID 3948 wrote to memory of 2368 3948 explorer.exe 97 PID 3948 wrote to memory of 2368 3948 explorer.exe 97 PID 3948 wrote to memory of 1896 3948 explorer.exe 98 PID 3948 wrote to memory of 1896 3948 explorer.exe 98 PID 3948 wrote to memory of 1896 3948 explorer.exe 98 PID 3948 wrote to memory of 2760 3948 explorer.exe 99 PID 3948 wrote to memory of 2760 3948 explorer.exe 99 PID 3948 wrote to memory of 2760 3948 explorer.exe 99 PID 3948 wrote to memory of 4080 3948 explorer.exe 100 PID 3948 wrote to memory of 4080 3948 explorer.exe 100 PID 3948 wrote to memory of 4080 3948 explorer.exe 100 PID 3948 wrote to memory of 4524 3948 explorer.exe 101 PID 3948 wrote to memory of 4524 3948 explorer.exe 101 PID 3948 wrote to memory of 4524 3948 explorer.exe 101 PID 3948 wrote to memory of 2268 3948 explorer.exe 102 PID 3948 wrote to memory of 2268 3948 explorer.exe 102 PID 3948 wrote to memory of 2268 3948 explorer.exe 102 PID 3948 wrote to memory of 4556 3948 explorer.exe 103 PID 3948 wrote to memory of 4556 3948 explorer.exe 103 PID 3948 wrote to memory of 4556 3948 explorer.exe 103 PID 3948 wrote to memory of 4512 3948 explorer.exe 104 PID 3948 wrote to memory of 4512 3948 explorer.exe 104 PID 3948 wrote to memory of 4512 3948 explorer.exe 104 PID 3948 wrote to memory of 532 3948 explorer.exe 105 PID 3948 wrote to memory of 532 3948 explorer.exe 105 PID 3948 wrote to memory of 532 3948 explorer.exe 105 PID 3948 wrote to memory of 3680 3948 explorer.exe 106 PID 3948 wrote to memory of 3680 3948 explorer.exe 106 PID 3948 wrote to memory of 3680 3948 explorer.exe 106 PID 3948 wrote to memory of 4284 3948 explorer.exe 107 PID 3948 wrote to memory of 4284 3948 explorer.exe 107 PID 3948 wrote to memory of 4284 3948 explorer.exe 107 PID 3948 wrote to memory of 1860 3948 explorer.exe 108 PID 3948 wrote to memory of 1860 3948 explorer.exe 108 PID 3948 wrote to memory of 1860 3948 explorer.exe 108 PID 3948 wrote to memory of 4376 3948 explorer.exe 109 PID 3948 wrote to memory of 4376 3948 explorer.exe 109 PID 3948 wrote to memory of 4376 3948 explorer.exe 109 PID 3948 wrote to memory of 3524 3948 explorer.exe 110 PID 3948 wrote to memory of 3524 3948 explorer.exe 110 PID 3948 wrote to memory of 3524 3948 explorer.exe 110 PID 3948 wrote to memory of 1108 3948 explorer.exe 111 PID 3948 wrote to memory of 1108 3948 explorer.exe 111 PID 3948 wrote to memory of 1108 3948 explorer.exe 111 PID 3948 wrote to memory of 1080 3948 explorer.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:5040
-
-
C:\Users\Admin\AppData\Local\Temp\f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f1b789a7a8ef785b57357e53b97894a2_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2064 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3908 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2468 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1960
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2368 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2116
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1896 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4900
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2760 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4024
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4080 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4632
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4524 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3880 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5000 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:1628
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2268 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1344
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4556 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3676
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4512 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1556
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:532 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4380 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4532 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:3104
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3680 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4904
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4284 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1688
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1860 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3140 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:368 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:540
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4376 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4776
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3524 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1116
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1108 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3368
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1080 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2184 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4804 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:1884
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3944 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3304
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4292 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3696
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3560 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1100
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2628 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2856 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4840 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1012
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4772 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:876
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3232 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5096
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1156 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:912 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2340 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:2412
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3488 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:5100
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4560 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2328
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4276 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4576 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1332 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:4472
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4272 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3100 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3164 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:396
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1632 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1368
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5076 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4624
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2056 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4228 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5064 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2648
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3372 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4920 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3388 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1196
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4796 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4760
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3148
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3088 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2660 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4428
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4088 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4264 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1072
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3616 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:632
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2640
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1568 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2008
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1516
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3000 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:1152
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:5024 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2888
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3108 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:708
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4520 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4528
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4176
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4252
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4484
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3528 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3276
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3916
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1004 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4964
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4720
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3124
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4540
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:180
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3112
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4432
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3228
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- System Location Discovery: System Language Discovery
PID:4968
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3196
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4888
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2788
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:3740
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request45.56.20.217.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request31.243.111.52.in-addr.arpaIN PTRResponse
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
71 B 131 B 1 1
DNS Request
45.56.20.217.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
31.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
2.2MB
MD504b43629997538a51c289322038e690d
SHA1152ae312b72b9a1d51f64c86fffb2ce54e486840
SHA2563ad06e02294a3a88d9df4f48ea671cb6222b8e782d65cb6a66f40d1251d4bdf3
SHA512517453239316203fab5b44265b6cdefbb2774caea6f6c013f19f9bb1b2b4cd9766f2547428fd50bdae18a75f0cb7552e60ecefb01205d243056a0703b83a775d
-
Filesize
2.2MB
MD5b2d95dbfe26a8f99572b1659649c36fe
SHA1a2b451ed804401f3fa8cd9e57d4addc9579f423f
SHA25657cbfda3e171b0faa182cbdce37a8f520c9b09b2b62ef6017d90fd494e7664bd
SHA512e4d02aff62ad16bf1c10de5ab26285774c188edf10224a364746c55e536c3b51ea1de2b48766e71b237fd92bcf637e6c8844b4cdd54a0156d847bfc76af562b6