Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/05/2025, 12:08
Behavioral task: behavioral1
- Sample: JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe
- Resource: win10v2004-20250502-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe
- Resource: win11-20250502-en
General
- Target: JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe
- Size: 2.2MB
- MD5: 074493a898c2a4d0d0b2c1e41864a942
- SHA1: 1a97417160469d2e11d69d7e7ca9f611274040d8
- SHA256: 1f79da2f9ff1f3c74540724b82ca29d0dba827d09b370b6b61d1c6add90311d5
- SHA512: 6e81698b28e98c85548b1bb02f8fceefd9f430d1c329eddbe9c9368d519921a1cef16bfd9b07527c4afcaec3cb0d624983fc2df323826b89ebf3200cef18bbc3
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZc:0UzeyQMS4DqodCnoe+iitjWwwg
Malware Config
Extracted: pony
- http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures
Detects Mofksys worm 64 IoCs
Modifies WinLogon for persistence 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Mofksys family
Pony family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Drops startup file 4 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe (process: JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe (process: JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe (process: explorer.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe (process: explorer.exe)
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext 40 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:4796
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1164 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3576 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:432 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:1524
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:456 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4768
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3696 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3164
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1512 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2876
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4228 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1920 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3508 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4140
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2192 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4000
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3388 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4056
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4688 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3844 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2944 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:1940
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4620 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3636
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3004 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4332
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2616 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1980 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3140 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:740
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1160 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1392
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1200 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2132
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2488 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4748
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1520 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:392
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:868 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:920 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3056 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4296
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4588 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1376
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2140 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3648 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4880 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4144
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4544 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4572
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1600 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5056
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2316 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2300
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4432 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:384 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:720 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4168
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3572 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2248
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1592 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4988
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3168 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2548 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- System Location Discovery: System Language Discovery
PID:4444 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5448
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1492 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:428
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1072 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4036
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2396 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2220 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:736 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5588
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2252 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:100
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4792 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4996
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4600 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:712
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- System Location Discovery: System Language Discovery
PID:2740 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5316
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1356 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:448 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1840 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5900
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:556 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4276 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2284
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3720 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:3000 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2600
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3860 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3884
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1900
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1180 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1844
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3928
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1020 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5272
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5332
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4924 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5528
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1652 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5648
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4736 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6012
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3604 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5548
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5596
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2920 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5620
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3356 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1108
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2916
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4884 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2372
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5860
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3188 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5964
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4012
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3772
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:924
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4028
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:636
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1536
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2016
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1116
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1448
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5976
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5496
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5796
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5308
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5772
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1644
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO1⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe RO2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4328 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2032
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO1⤵PID:4984
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution 3
Active Setup 1
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 3
Active Setup 1
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 1
Hidden Files and Directories 1
Modify Registry 4
Downloads
-
Filesize 74B
MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize 2.2MB
MD5 e4395245496187a66c975354c7402537
SHA1 33acc01703b4b9487d465830ddd5e1ead9d040c9
SHA256 3c4b04485ffa87f1b0af30b77fab25b6cedae847e412cfb8a4e243087f9c726d
SHA512 db722f041205bd39c63cd21f2300e0adad10cfb135aff0d6703aa898e66af568ca533f9833fc2d2ef02ee71369229431d2a3b8f96def23e3210648eebdd5fce6
-
Filesize 2.2MB
MD5 5a2aa75f2d381f91a9f7195f475e1f2e
SHA1 48a8aa44a755423145b445686d4cda0e66eebe34
SHA256 85312d32a02eabfaeda602ffe4d94d61f94f6abfc29a5f9bf89f89a8c64a2531
SHA512 f3245dc4ac266f55b89ce88fa08e20cb3ca93b7759d88b149287a72671ba39a798ce24deb151a98cc585af5a5566e340f7441d65ab7e5b2e05413cb5e54cfcbb