Analysis
max time kernel: 148s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
submitted: 20/05/2025, 03:17
Behavioral task: behavioral1
Sample: JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe
Resource: win10v2004-20250502-en
General
Target: JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe
Size: 2.2MB
MD5: 072f9fd4055b7edbf63808259f11abc7
SHA1: 42245d5500e6068fd3ac4f12c74d665158c07496
SHA256: ee919008ba32a50ed1917f498a8692ca77ec934175fb6a7914ff82f3c8d9db72
SHA512: c0a921fbe0827f430135038a5761e5cedfb17f594e880957c987d0172efc0413186667b7eb5371d3f6d26d3bf9296797356bc9e39998bdc301f1d4ecd80b392b
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ9:0UzeyQMS4DqodCnoe+iitjWwwh
Malware Config
Extracted: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
Detects Mofksys worm 64 IoCs
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Mofksys family
Pony family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Drops startup file 4 IoCs
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe (process: JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe (process: JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe)
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe (process: explorer.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe (process: explorer.exe)
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext 55 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID 4392 explorer.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree (indentation shows parent/child nesting; the bracketed level is the depth shown in the original report):

PID 2532 [level 1]: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID 316 [level 2]: C:\Windows\splwow64.exe | cmdline: C:\Windows\splwow64.exe 12288
  PID 2784 [level 2]: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 1876 [level 3]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 4392 [level 4]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 4416 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4624 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 4928 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 3632 [level 8]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
                - System Location Discovery: System Language Discovery
        PID 1100 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 2488 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1412 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4948 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 312 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 852 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 3584 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2608 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 1616 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 5212 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 3644 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 5636 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 5684 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              PID 5224 [level 8]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
                - System Location Discovery: System Language Discovery
        PID 5108 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 5720 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4880 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          PID 5788 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 3680 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5168 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 5260 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              PID 3196 [level 8]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
        PID 1324 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5292 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4060 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 5320 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 228 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 536 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 3988 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          PID 5436 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 1464 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 5608 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 664 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 6136 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID 1112 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 4284 [level 8]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
        PID 3972 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3840 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 3628 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 3756 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 1152 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 5468 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID 5540 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              PID 2432 [level 8]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
        PID 2344 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5560 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 1476 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5076 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 844 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2620 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        PID 4264 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 4328 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID 3664 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              PID 2140 [level 8]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
        PID 3104 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2880 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        PID 2300 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5252 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 2864 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 1656 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 1612 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5404 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 2908 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 1364 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID 3060 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 3520 [level 8]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
        PID 3924 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4200 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - System Location Discovery: System Language Discovery
        PID 2512 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 220 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - System Location Discovery: System Language Discovery
            PID 3068 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              PID 5640 [level 8]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
                - System Location Discovery: System Language Discovery
        PID 5152 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 2268 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            PID 4700 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 4848 [level 8]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
        PID 6140 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 5892 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            PID 6068 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Drops file in Windows directory
        PID 5824 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          PID 2536 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            PID 5520 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Drops file in Windows directory
        PID 5300 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 5376 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - System Location Discovery: System Language Discovery
            PID 1584 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Drops file in Windows directory
        PID 6076 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 6132 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - System Location Discovery: System Language Discovery
            PID 5236 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
        PID 4560 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 5776 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            PID 1236 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
        PID 5900 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5124 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - System Location Discovery: System Language Discovery
        PID 100 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 3600 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
        PID 5172 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2448 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            PID 3280 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - Drops file in Windows directory
        PID 3552 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          PID 4240 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            PID 5908 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
        PID 5740 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          PID 5188 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
        PID 3100 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2560 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
            - System Location Discovery: System Language Discovery
            PID 4204 [level 7]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
              - System Location Discovery: System Language Discovery
        PID 4812 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 6080 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
        PID 5736 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Drops file in Windows directory
          PID 6020 [level 6]: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe"
        PID 2036 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Drops file in Windows directory
        PID 4188 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
        PID 5336 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
        PID 2484 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - System Location Discovery: System Language Discovery
        PID 5612 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
        PID 1692 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
        PID 3288 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
        PID 5976 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
        PID 3192 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
        PID 3532 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
        PID 3960 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Drops file in Windows directory
        PID 6048 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Drops file in Windows directory
        PID 4596 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - Drops file in Windows directory
        PID 5896 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
          - System Location Discovery: System Language Discovery
        PID 5352 [level 5]: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE

PID 3704 [level 1]: C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

PID 1800 [level 1]: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
  - Suspicious use of WriteProcessMemory
  PID 948 [level 2]: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe RO
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID 4376 [level 3]: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

PID 2524 [level 1]: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads

- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

- Filesize: 2.2MB
  MD5: 22bbd24bf5dbf6fbe1785c126134a6ab
  SHA1: cc41969c674963d581540d33593dd1401e02062d
  SHA256: 6214eae132aad948a288ff9c2e54c66d65496b24f6153d65dcf8383ac5b27b35
  SHA512: 90b9c8a8826af9b4d49bdec4a9cf86f52b8113011297928eeb253031050cf15ea78b1c6d252d661cf37d7b15eb779fb3c47a0e3852f2fca873c8281461b9f0f1

- Filesize: 2.2MB
  MD5: b0bc8b9e7e9323a836ee1a251ef528c4
  SHA1: f16f1efba9ea381fc3361dbfc895180c314481db
  SHA256: be5f65bb19d4a6667981dc890c6a1ef40a62b2a4de6598a40e030ca2b6566356
  SHA512: 35d03bd3bc187016674c75a5cf0dbd78eb90de29837a275b13025d65af76353ff61e89ab6c81f508a28324fde73521b867d4026f3211d68298c9cabb10cb10a0