Analysis
max time kernel: 149s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 06:19
Behavioral task: behavioral1
Sample: JaffaCakes118_07381c89b9f54919cf7fbee97c351788.exe
Resource: win10v2004-20250502-en
General
Target: JaffaCakes118_07381c89b9f54919cf7fbee97c351788.exe
Size: 2.2MB
MD5: 07381c89b9f54919cf7fbee97c351788
SHA1: 6be2cb08d30fabaabdc016cb0b955758d7ed463d
SHA256: 37e87fedfacab74263939fee80ba0b229f5cdcbb91f4aa609896283c786a0fe3
SHA512: 86e74a33e102bc8045a1c74f698bd2361e7f20fadeb571941bc1304c4b7da19de0566618f0f7b799548ca88376e73ae388be3cb4dc343d98301f3f364175fcec
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZV:0UzeyQMS4DqodCnoe+iitjWwwx
Malware Config
Extracted
family: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Detects Mofksys worm (64 IoCs)
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Set value (int): \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Mofksys family
Pony family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
Drops startup file (4 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07381c89b9f54919cf7fbee97c351788.exe (process: JaffaCakes118_07381c89b9f54919cf7fbee97c351788.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07381c89b9f54919cf7fbee97c351788.exe (process: JaffaCakes118_07381c89b9f54919cf7fbee97c351788.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe (process: explorer.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe (process: explorer.exe)
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext (56 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 4464 explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (level in brackets; children are indented under their parent; the sandbox signatures raised by each process follow it):

[1] PID 1888  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07381c89b9f54919cf7fbee97c351788.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07381c89b9f54919cf7fbee97c351788.exe"
    signatures: Drops startup file; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  [2] PID 3324  C:\Windows\splwow64.exe  cmd: C:\Windows\splwow64.exe 12288
  [2] PID 4988  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07381c89b9f54919cf7fbee97c351788.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07381c89b9f54919cf7fbee97c351788.exe"
      signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    [3] PID 548  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      [4] PID 4464  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
          signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        [5] PID 3280  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] PID 2416  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            [7] PID 1776  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] PID 2512  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
                  signatures: System Location Discovery: System Language Discovery
        [5] PID 3820  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 4744  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 4540  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 4104  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 4212  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 4208  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 2388  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 2848  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            [7] PID 4164  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] PID 4532  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
                  signatures: System Location Discovery: System Language Discovery
        [5] PID 1040  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 3540  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 3148  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] PID 1240  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 224  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 1544  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        [5] PID 4720  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] PID 4748  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            [7] PID 3480  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
              [8] PID 5056  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        [5] PID 1948  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 1096  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        [5] PID 2492  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 2864  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 1328  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 5064  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        [5] PID 3248  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] PID 3064  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            [7] PID 1584  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] PID 1008  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
                  signatures: System Location Discovery: System Language Discovery
        [5] PID 3948  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 3600  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        [5] PID 5020  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 376  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 3692  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 3828  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 816  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 1848  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        [5] PID 4996  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 4736  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 232  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
          [6] PID 4524  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 2152  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 1452  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            [7] PID 2872  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
              [8] PID 2292  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
                  signatures: System Location Discovery: System Language Discovery
        [5] PID 464  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] PID 5072  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        [5] PID 1940  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 412  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Suspicious use of SetWindowsHookEx
        [5] PID 2740  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 3864  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        [5] PID 4020  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 1988  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            [7] PID 396  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
              [8] PID 2768  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        [5] PID 2524  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 1996  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        [5] PID 2288  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 4572  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        [5] PID 3068  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 3588  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: Suspicious use of SetWindowsHookEx
        [5] PID 4124  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 2244  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            [7] PID 4152  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] PID 1432  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        [5] PID 1548  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 2920  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            [7] PID 2284  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
              [8] PID 5416  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        [5] PID 2576  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 2628  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
            [7] PID 5112  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Suspicious use of SetThreadContext
              [8] PID 5532  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
                  signatures: System Location Discovery: System Language Discovery
        [5] PID 748  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 656  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
            [7] PID 3180  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
              [8] PID 6124  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        [5] PID 3924  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 4380  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
            [7] PID 1828  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory
        [5] PID 3472  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 2252  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            [7] PID 4604  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory
        [5] PID 2800  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
          [6] PID 1120  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
            [7] PID 2788  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory
        [5] PID 5092  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 3524  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
            [7] PID 2644  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
        [5] PID 5048  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 2012  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
        [5] PID 2684  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 2760  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            [7] PID 5260  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
        [5] PID 4184  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 5360  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
        [5] PID 3812  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 4488  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
            [7] PID 1708  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: Drops file in Windows directory
        [5] PID 5104  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 2452  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
        [5] PID 1320  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 5128  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
            [7] PID 5976  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
                signatures: System Location Discovery: System Language Discovery
        [5] PID 2856  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext
          [6] PID 6052  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
        [5] PID 4256  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
          [6] PID 1556  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
              signatures: System Location Discovery: System Language Discovery
        [5] PID 4796  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
          [6] PID 4496  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
        [5] PID 4880  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory
        [5] PID 4692  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory
        [5] PID 412  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
        [5] PID 1036  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory
        [5] PID 3552  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: System Location Discovery: System Language Discovery
        [5] PID 1624  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory
        [5] PID 4004  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory
        [5] PID 3984  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: System Location Discovery: System Language Discovery
        [5] PID 2400  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
        [5] PID 2176  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory
        [5] PID 5220  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
        [5] PID 5760  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
            signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
        [5] PID 452  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
        [5] PID 6020  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
        [5] PID 5328  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
[1] PID 4616  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
[1] PID 3560  C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    signatures: Suspicious use of WriteProcessMemory
  [2] PID 4972  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe RO
      signatures: Drops startup file; Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
    [3] PID 3192  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
[1] PID 4528  C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads
- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize: 2.2MB
  MD5: 13417e424377a42acc54c634b36e1c6e
  SHA1: d70489f8eb95524cde5f14a4220f64962f8d6b36
  SHA256: 9e03e4a56fa9aff8d1752fe75f4f90984a9b2001546954884c7b688ab3170974
  SHA512: 7da73b7891f1b5d9cc9858272215d1cc1febd040cbb7eb1af9341a973b394afc7219a82159ee0cf081d83aa90529472cfaa2f2e30036baa3ec1e77bc839b7541
- Filesize: 2.2MB
  MD5: 15208f4ac597408744defc5869b5a67a
  SHA1: 5e76ea860bad169bc72acd5145d7c13f542dbb60
  SHA256: 5fe2d0db788b93c69b1254015211ae63034028136cea229e490fc0e6fc44046f
  SHA512: 50c4949388a375e53a0a2ca1f2925cf36fff2086efc984f0073dac260d3b770fa62b26adba30274725f928e2c1bd8baabd2b4f13ae808ed03bb7cc9d16531cc2