Analysis
max time kernel: 147s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 05:30
Behavioral task: behavioral1
Sample: JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe
Resource: win10v2004-20250502-en
Behavioral task: behavioral2
Sample: JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe
Resource: win11-20250502-en
General
Target: JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe
Size: 2.2MB
MD5: 07360e5e4a86e69b56627c7a048313f4
SHA1: b4aefcc05c5e7c32bd1a2086d608474a5439a6d3
SHA256: 6cb01373c18e6bfc6ab0a17bb25bf309797ae1ebd6f15635bf44a85633d6ac66
SHA512: db6fd79caabbf2675756e3bb860b14466698cbe84fe08493d0ae7943093b1e4e601271be46974c6efb5653f9d599c47824d874502a0244dd9919cfbe783db66f
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZE:0UzeyQMS4DqodCnoe+iitjWwwg
Malware Config
Extracted
Family: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Detects Mofksys worm (64 IoCs)
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
process: explorer.exe
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
process: explorer.exe
-
Mofksys family
-
Pony family
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description: Key created
ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
process: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
process: explorer.exe
-
Drops startup file (4 IoCs)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe
process: JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe
process: JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
process: explorer.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
process: explorer.exe
-
Executes dropped EXE (64 IoCs)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
process: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
process: explorer.exe
-
Suspicious use of SetThreadContext (54 IoCs)
-
Drops file in Windows directory (64 IoCs)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid: 3664
process: explorer.exe
-
Suspicious use of SetWindowsHookEx (64 IoCs)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
(process tree; indentation shows parent/child depth, command line in brackets)
PID 2088  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe  ["C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe"]
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID 3952  C:\Windows\splwow64.exe  [C:\Windows\splwow64.exe 12288]
  PID 2228  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe  ["C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07360e5e4a86e69b56627c7a048313f4.exe"]
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 4536  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID 3664  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 1648  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4560  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 3424  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 1540  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
        PID 1644  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          PID 2320  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 4000  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1300  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 2052  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1788  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1916  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2680  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4048  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 2512  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 2388  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              PID 3900  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
                - System Location Discovery: System Language Discovery
        PID 1460  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 4568  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1692  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 4928  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 3420  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4244  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4084  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1348  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 2556  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1324  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            PID 2088  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 692  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
        PID 3512  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 1392  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4036  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4364  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4756  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 4584  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 2248  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 3144  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID 532  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 3812  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
                - System Location Discovery: System Language Discovery
        PID 3396  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 1508  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 116  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 1140  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 5080  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1472  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 4456  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2152  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 2484  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4420  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 3660  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              PID 1960  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
                - System Location Discovery: System Language Discovery
        PID 4296  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 3772  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4116  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2776  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 1940  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2328  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 3044  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 4404  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID 2316  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 1992  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
        PID 2068  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3492  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 460  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 3684  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - Suspicious use of SetWindowsHookEx
        PID 5068  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 432  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID 4184  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 4404  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
        PID 3324  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 2108  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        PID 1500  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3260  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID 3372  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Suspicious use of SetThreadContext
              PID 1316  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
                - System Location Discovery: System Language Discovery
        PID 3316  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 3824  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            PID 4632  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Suspicious use of SetThreadContext
              PID 1172  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
                - System Location Discovery: System Language Discovery
        PID 2324  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          PID 3780  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            PID 3508  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Drops file in Windows directory
              PID 4152  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
        PID 2572  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 2532  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            PID 1260  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - System Location Discovery: System Language Discovery
        PID 3132  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 3236  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            PID 3908  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Drops file in Windows directory
        PID 4656  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 2824  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            PID 4808  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Drops file in Windows directory
        PID 2928  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 3856  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            PID 3628  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
        PID 2992  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          PID 1504  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
        PID 4900  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 1044  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
        PID 2180  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2984  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
        PID 3880  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3768  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
        PID 1380  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4520  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            PID 1320  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
        PID 2344  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 2692  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            - System Location Discovery: System Language Discovery
            PID 4200  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
        PID 1456  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 1596  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
        PID 4576  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 4372  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
            PID 3524  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe]
        PID 1232  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          PID 4368  \??\c:\windows\system\spoolsv.exe  ["c:\windows\system\spoolsv.exe"]
        PID 2672  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Drops file in Windows directory
        PID 1568  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
        PID 1436  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Drops file in Windows directory
        PID 740  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
        PID 4972  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Drops file in Windows directory
        PID 4340  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - System Location Discovery: System Language Discovery
        PID 868  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
        PID 1328  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
        PID 3940  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Drops file in Windows directory
        PID 3196  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
        PID 5064  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
        PID 1664  \??\c:\windows\system\spoolsv.exe  [c:\windows\system\spoolsv.exe SE]
PID 4820  C:\Windows\system32\svchost.exe  [C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc]
PID 1924  C:\Windows\system32\cmd.exe  [C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO]
  - Suspicious use of WriteProcessMemory
  PID 3076  \??\c:\windows\system\explorer.exe  [c:\windows\system\explorer.exe RO]
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID 3672  \??\c:\windows\system\explorer.exe  ["c:\windows\system\explorer.exe"]
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
PID 3992  C:\Windows\system32\cmd.exe  [C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO]
Network
MITRE ATT&CK Enterprise v16
-
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads
-
Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize: 2.2MB
MD5: aaf8f043126afd27938da88f418b8143
SHA1: 14394660962edd64511320d52b8753a544378216
SHA256: 0b0c35a2ce09f1930239b7188de9c1f121ccaf1842a4d3406498cea4b1a7f04b
SHA512: 140354e411a7ba18175c6b4581e8cffd99a6dc5dd0795407e2d07a0746acf15a8076f3063fd56cb9e826f24723c08e24b237aef220989ff3c44c91fdd84402c6
-
Filesize: 2.2MB
MD5: c1dfc12d5860634b82b234da2b204b9f
SHA1: ddac099c482126219363570b6c9795d6234b4d2e
SHA256: 980e819ede12522f930829066a74694a278dc715dce956cfb40c22d5674ee2b8
SHA512: fe739547c3c34849b4dd4bed44ce7772ee731f199239dd870a1d4d1aa9c4dcb7d1f1fb1e8fa11da04978f49f2e1a6d71c92117731e6d96cb4d2821949980ee79