Analysis
-
max time kernel: 130s
max time network: 103s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20/05/2025, 12:08
Behavioral task
behavioral1
Sample
JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe
Resource
win11-20250502-en
General
-
Target
JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe
-
Size
2.2MB
-
MD5
074493a898c2a4d0d0b2c1e41864a942
-
SHA1
1a97417160469d2e11d69d7e7ca9f611274040d8
-
SHA256
1f79da2f9ff1f3c74540724b82ca29d0dba827d09b370b6b61d1c6add90311d5
-
SHA512
6e81698b28e98c85548b1bb02f8fceefd9f430d1c329eddbe9c9368d519921a1cef16bfd9b07527c4afcaec3cb0d624983fc2df323826b89ebf3200cef18bbc3
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZc:0UzeyQMS4DqodCnoe+iitjWwwg
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Detects Mofksys worm 64 IoCs
resource yara_rule behavioral2/memory/5072-39-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5072-40-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5072-58-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/4128-94-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/4128-599-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/4452-1258-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/3720-1267-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/1136-1280-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/4856-1289-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/3916-1302-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5480-1313-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/468-1323-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5976-1342-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/952-1362-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5092-1388-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/3876-1398-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/1984-1417-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/2552-1428-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/4452-1448-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/4984-1474-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/3500-1527-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys 
behavioral2/memory/4984-1552-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/232-1573-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/1292-1618-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/1292-1622-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/232-1640-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5132-1667-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/4796-1710-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/2420-1723-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/2420-1720-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5132-1772-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/6040-1816-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/4596-1824-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5932-1851-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5932-1854-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/2776-1896-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/904-1911-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/6012-1984-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/6136-1989-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5248-2029-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/1604-2389-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/1604-2442-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys 
behavioral2/memory/5160-2547-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5748-2610-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/4128-2622-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5648-2643-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5648-2657-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/1432-2660-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/4636-2686-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/2484-2737-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/1612-2817-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/1552-2854-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/2956-2961-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5656-2971-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5228-3084-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/864-3193-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5236-3203-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/6140-3213-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5824-3225-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/1048-3245-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/2632-3281-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/3948-3324-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys behavioral2/memory/5560-3377-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys 
behavioral2/memory/2632-3385-0x0000000000400000-0x000000000043E000-memory.dmp family_mofksys -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Mofksys family
-
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe -
Drops startup file 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe explorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe explorer.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe -
Executes dropped EXE 64 IoCs
pid Process 5092 explorer.exe 4128 explorer.exe 6060 spoolsv.exe 2984 spoolsv.exe 5488 explorer.exe 5584 spoolsv.exe 2800 spoolsv.exe 3148 spoolsv.exe 2708 spoolsv.exe 5528 spoolsv.exe 1584 spoolsv.exe 2712 spoolsv.exe 3424 spoolsv.exe 4296 spoolsv.exe 2460 spoolsv.exe 5904 spoolsv.exe 4064 spoolsv.exe 4364 spoolsv.exe 5124 spoolsv.exe 1240 spoolsv.exe 3852 spoolsv.exe 5680 spoolsv.exe 4764 spoolsv.exe 5148 spoolsv.exe 4572 spoolsv.exe 5868 spoolsv.exe 2700 spoolsv.exe 4728 spoolsv.exe 4548 spoolsv.exe 4776 spoolsv.exe 784 spoolsv.exe 5960 spoolsv.exe 764 spoolsv.exe 2868 spoolsv.exe 1756 spoolsv.exe 4452 spoolsv.exe 5512 explorer.exe 3720 spoolsv.exe 1136 explorer.exe 4856 spoolsv.exe 3916 spoolsv.exe 5480 spoolsv.exe 468 spoolsv.exe 5976 spoolsv.exe 952 spoolsv.exe 6068 spoolsv.exe 5092 spoolsv.exe 3876 spoolsv.exe 4176 spoolsv.exe 1984 spoolsv.exe 2552 spoolsv.exe 4984 spoolsv.exe 1376 explorer.exe 3692 spoolsv.exe 1248 spoolsv.exe 3500 spoolsv.exe 232 spoolsv.exe 5540 explorer.exe 5192 spoolsv.exe 1292 spoolsv.exe 5132 spoolsv.exe 3748 explorer.exe 5496 spoolsv.exe 4796 spoolsv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 44 IoCs
description pid Process procid_target PID 5244 set thread context of 5072 5244 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 81 PID 5092 set thread context of 4128 5092 explorer.exe 83 PID 6060 set thread context of 4452 6060 spoolsv.exe 121 PID 2984 set thread context of 3720 2984 spoolsv.exe 123 PID 5488 set thread context of 1136 5488 explorer.exe 124 PID 5584 set thread context of 4856 5584 spoolsv.exe 125 PID 2800 set thread context of 3916 2800 spoolsv.exe 126 PID 3148 set thread context of 5480 3148 spoolsv.exe 127 PID 2708 set thread context of 468 2708 spoolsv.exe 128 PID 5528 set thread context of 5976 5528 spoolsv.exe 129 PID 1584 set thread context of 952 1584 spoolsv.exe 130 PID 2712 set thread context of 5092 2712 spoolsv.exe 132 PID 3424 set thread context of 3876 3424 spoolsv.exe 133 PID 4296 set thread context of 4176 4296 spoolsv.exe 134 PID 2460 set thread context of 1984 2460 spoolsv.exe 135 PID 5904 set thread context of 2552 5904 spoolsv.exe 136 PID 4064 set thread context of 4984 4064 spoolsv.exe 137 PID 4364 set thread context of 3692 4364 spoolsv.exe 139 PID 5124 set thread context of 3500 5124 spoolsv.exe 141 PID 1240 set thread context of 232 1240 spoolsv.exe 142 PID 3852 set thread context of 1292 3852 spoolsv.exe 145 PID 5680 set thread context of 5132 5680 spoolsv.exe 146 PID 4764 set thread context of 4796 4764 spoolsv.exe 149 PID 5148 set thread context of 2420 5148 spoolsv.exe 150 PID 4572 set thread context of 6040 4572 spoolsv.exe 152 PID 5868 set thread context of 4596 5868 spoolsv.exe 154 PID 2700 set thread context of 4084 2700 spoolsv.exe 155 PID 4728 set thread context of 5932 4728 spoolsv.exe 157 PID 4548 set thread context of 2776 4548 spoolsv.exe 158 PID 4776 set thread context of 5944 4776 spoolsv.exe 160 PID 784 set thread context of 904 784 spoolsv.exe 161 PID 5960 set thread context of 6012 5960 spoolsv.exe 163 PID 764 set thread context of 6136 764 spoolsv.exe 165 PID 2868 set thread context of 5248 2868 
spoolsv.exe 166 PID 1756 set thread context of 1604 1756 spoolsv.exe 177 PID 5512 set thread context of 5160 5512 explorer.exe 182 PID 6068 set thread context of 1432 6068 spoolsv.exe 184 PID 1376 set thread context of 5748 1376 explorer.exe 186 PID 1248 set thread context of 5648 1248 spoolsv.exe 187 PID 5540 set thread context of 4636 5540 explorer.exe 189 PID 5192 set thread context of 2484 5192 spoolsv.exe 190 PID 3748 set thread context of 1612 3748 explorer.exe 194 PID 5496 set thread context of 1552 5496 spoolsv.exe 195 PID 2132 set thread context of 2956 2132 spoolsv.exe 200 -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini 
spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification 
C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5072 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 5072 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4128 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 5072 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 5072 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4128 explorer.exe 4452 spoolsv.exe 4452 spoolsv.exe 3720 spoolsv.exe 3720 spoolsv.exe 1136 explorer.exe 1136 explorer.exe 4856 spoolsv.exe 4856 spoolsv.exe 3916 spoolsv.exe 3916 spoolsv.exe 5480 spoolsv.exe 5480 spoolsv.exe 468 spoolsv.exe 468 spoolsv.exe 5976 spoolsv.exe 5976 spoolsv.exe 952 spoolsv.exe 952 spoolsv.exe 5092 spoolsv.exe 5092 spoolsv.exe 3876 spoolsv.exe 3876 spoolsv.exe 4176 spoolsv.exe 4176 spoolsv.exe 1984 spoolsv.exe 1984 spoolsv.exe 2552 spoolsv.exe 2552 spoolsv.exe 4984 spoolsv.exe 4984 spoolsv.exe 3692 spoolsv.exe 3692 spoolsv.exe 3500 spoolsv.exe 3500 spoolsv.exe 232 spoolsv.exe 232 spoolsv.exe 1292 spoolsv.exe 1292 spoolsv.exe 5132 spoolsv.exe 5132 spoolsv.exe 4796 spoolsv.exe 4796 spoolsv.exe 2420 spoolsv.exe 2420 spoolsv.exe 6040 spoolsv.exe 6040 spoolsv.exe 4596 spoolsv.exe 4596 spoolsv.exe 4084 spoolsv.exe 4084 spoolsv.exe 5932 spoolsv.exe 5932 spoolsv.exe 2776 spoolsv.exe 2776 spoolsv.exe 5944 spoolsv.exe 5944 spoolsv.exe 904 spoolsv.exe 904 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5244 wrote to memory of 4812 5244 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 79 PID 5244 wrote to memory of 4812 5244 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 79 PID 5244 wrote to memory of 5072 5244 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 81 PID 5244 wrote to memory of 5072 5244 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 81 PID 5244 wrote to memory of 5072 5244 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 81 PID 5244 wrote to memory of 5072 5244 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 81 PID 5244 wrote to memory of 5072 5244 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 81 PID 5072 wrote to memory of 5092 5072 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 82 PID 5072 wrote to memory of 5092 5072 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 82 PID 5072 wrote to memory of 5092 5072 JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe 82 PID 5092 wrote to memory of 4128 5092 explorer.exe 83 PID 5092 wrote to memory of 4128 5092 explorer.exe 83 PID 5092 wrote to memory of 4128 5092 explorer.exe 83 PID 5092 wrote to memory of 4128 5092 explorer.exe 83 PID 5092 wrote to memory of 4128 5092 explorer.exe 83 PID 4128 wrote to memory of 6060 4128 explorer.exe 84 PID 4128 wrote to memory of 6060 4128 explorer.exe 84 PID 4128 wrote to memory of 6060 4128 explorer.exe 84 PID 4128 wrote to memory of 2984 4128 explorer.exe 89 PID 4128 wrote to memory of 2984 4128 explorer.exe 89 PID 4128 wrote to memory of 2984 4128 explorer.exe 89 PID 1576 wrote to memory of 5488 1576 cmd.exe 90 PID 1576 wrote to memory of 5488 1576 cmd.exe 90 PID 1576 wrote to memory of 5488 1576 cmd.exe 90 PID 4128 wrote to memory of 5584 4128 explorer.exe 91 PID 4128 wrote to memory of 5584 4128 explorer.exe 91 PID 4128 wrote to memory of 5584 4128 explorer.exe 91 PID 4128 wrote to memory of 2800 4128 explorer.exe 92 PID 4128 wrote to memory of 2800 4128 explorer.exe 92 PID 4128 wrote to memory of 
2800 4128 explorer.exe 92 PID 4128 wrote to memory of 3148 4128 explorer.exe 93 PID 4128 wrote to memory of 3148 4128 explorer.exe 93 PID 4128 wrote to memory of 3148 4128 explorer.exe 93 PID 4128 wrote to memory of 2708 4128 explorer.exe 94 PID 4128 wrote to memory of 2708 4128 explorer.exe 94 PID 4128 wrote to memory of 2708 4128 explorer.exe 94 PID 4128 wrote to memory of 5528 4128 explorer.exe 95 PID 4128 wrote to memory of 5528 4128 explorer.exe 95 PID 4128 wrote to memory of 5528 4128 explorer.exe 95 PID 4128 wrote to memory of 1584 4128 explorer.exe 96 PID 4128 wrote to memory of 1584 4128 explorer.exe 96 PID 4128 wrote to memory of 1584 4128 explorer.exe 96 PID 4128 wrote to memory of 2712 4128 explorer.exe 97 PID 4128 wrote to memory of 2712 4128 explorer.exe 97 PID 4128 wrote to memory of 2712 4128 explorer.exe 97 PID 4128 wrote to memory of 3424 4128 explorer.exe 98 PID 4128 wrote to memory of 3424 4128 explorer.exe 98 PID 4128 wrote to memory of 3424 4128 explorer.exe 98 PID 4128 wrote to memory of 4296 4128 explorer.exe 99 PID 4128 wrote to memory of 4296 4128 explorer.exe 99 PID 4128 wrote to memory of 4296 4128 explorer.exe 99 PID 4128 wrote to memory of 2460 4128 explorer.exe 100 PID 4128 wrote to memory of 2460 4128 explorer.exe 100 PID 4128 wrote to memory of 2460 4128 explorer.exe 100 PID 4128 wrote to memory of 5904 4128 explorer.exe 101 PID 4128 wrote to memory of 5904 4128 explorer.exe 101 PID 4128 wrote to memory of 5904 4128 explorer.exe 101 PID 4128 wrote to memory of 4064 4128 explorer.exe 102 PID 4128 wrote to memory of 4064 4128 explorer.exe 102 PID 4128 wrote to memory of 4064 4128 explorer.exe 102 PID 4128 wrote to memory of 4364 4128 explorer.exe 103 PID 4128 wrote to memory of 4364 4128 explorer.exe 103 PID 4128 wrote to memory of 4364 4128 explorer.exe 103 PID 4128 wrote to memory of 5124 4128 explorer.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5244 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:4812
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_074493a898c2a4d0d0b2c1e41864a942.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6060 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4452 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5512 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:5160
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2984 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3720
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5584 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4856
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2800 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3916
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3148 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5480
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2708 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:468
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5528 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5976
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1584 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:952
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2712 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5092
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3424 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3876
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4296 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4176
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2460 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1984
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5904 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2552
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4064 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4984 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1376 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:5748
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4364 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3692
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5124 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3500
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1240 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:232 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5540 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4636
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3852 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1292
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5680 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5132 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3748 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
- System Location Discovery: System Language Discovery
PID:1612
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4764 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4796
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5148 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2420
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4572 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6040 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5104 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5656
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5868 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4596
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2700 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4084
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4728 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:5932
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4548 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2776 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- System Location Discovery: System Language Discovery
PID:244 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5228
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4776 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:5944
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:784 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:904
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5960 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:6012 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3736 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5236
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:764 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:6136
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2868 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:5248
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1756 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1604
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- System Location Discovery: System Language Discovery
PID:5312 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4824
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6068 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1432
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4024
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4688
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1248 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5648
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5192 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2484
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2336
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5496 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1552
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2292
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2132 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2956 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2968
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:916 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4748
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5816
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2884 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:864
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1924
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1708 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6140
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:428 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5824
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2260 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1704
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3492 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1048
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1600 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2632
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3488
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4944 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3948
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:840 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4808
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1524 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5560
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2496
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4208
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5836
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3924 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6052
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2588 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4132
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4224 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3496
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3584 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5720
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5884
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3264
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:248
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4892
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1892
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4504
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3440
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5412
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1988
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4416
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5408
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2352
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2844
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2848
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4996
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5712
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4700
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1816
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5880
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4832
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1824
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:5212
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO1⤵
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe RO2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5488 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO1⤵PID:2976
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
- Active Setup (1)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Active Setup (1)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
- Hidden Files and Directories (1)
- Modify Registry (4)