Analysis

max time kernel: 124s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/05/2025, 17:59

Behavioral task: behavioral1
Sample: JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe
Resource: win10v2004-20250502-en
General

Target: JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe
Size: 2.2MB
MD5: 07c4e640cab5f98750ca5adacef9c814
SHA1: 4acc32d617fb9e87480005a3faea95e36fc50a4c
SHA256: e473363480c89b271e7165a41c606644639226749a51fc2b3ea6a302a7579c96
SHA512: 8c1b4105e83e5cd9ac5456ba06eb571c2f53c58167920cc0da3c257c095e35096409669b2e8d8695dfc2fa2cef63d1c9969e59986111116205dced77910ed2c9
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ7:0UzeyQMS4DqodCnoe+iitjWwwv
Malware Config

Extracted: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Detects Mofksys worm (64 IoCs)
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Set value (int): \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Mofksys family
Pony family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Drops startup file (4 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe (process: JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe (process: JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe (process: explorer.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe (process: explorer.exe)
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext (35 IoCs)
Drops file in Windows directory (61 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:3896
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2940
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 1916)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 1800)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 2376)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 1952)
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 644)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 3604)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3336)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 4332)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4712)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 2328)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 4188)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 4416)
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4360)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 2740)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4884)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 1720)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 2428)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 1504)
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 5024)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 3944)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3680)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 4444)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 2656)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 4408)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 4092)
- Executes dropped EXE
- Drops file in Windows directory
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 2928)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 2268)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 3292)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 5000)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 2216)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3548)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 1072)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 2636)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 3764)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4500)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 4584)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 2168)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 5772)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3992)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 4768)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 4868)
- Executes dropped EXE
- Drops file in Windows directory
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 5548)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 2192)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 1732)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3640)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 3256)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3592)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 1324)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 4920)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 3452)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 1184)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 2748)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3472)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 4832)
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 5056)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 4624)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4020)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 4284)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 2924)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 4904)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 2164)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 2728)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 836)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 5332)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3748)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 2696)
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4256)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 3724)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 2832)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 5488)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4388)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 4228)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 2780)
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 3656)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 2944)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 548)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 3252)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 3688)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4220)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 3924)
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 2024)
- Drops file in Windows directory
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 8, PID 4608)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3100)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 2416)
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 2644)
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4788)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 5404)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4484)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 5672)
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 5720)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 456)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 3016)
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 5512)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 2148)
- Executes dropped EXE
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 2844)
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 3644)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 1816)
- Executes dropped EXE
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 2320)
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 5496)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 2344)
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 5272)
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 5376)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4716)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 3732)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3620)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 4376)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4588)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 6064)
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 4320)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4352)
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 2720)
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 3048)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3716)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 5832)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4508)
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 5240)
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (depth 7, PID 5260)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 1708)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (depth 6, PID 3792)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 4936)
- System Location Discovery: System Language Discovery
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3500)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 6036)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 5436)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 5852)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 5148)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 5812)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 5180)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 5508)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 3028)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 2712)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 5140)
\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (depth 5, PID 5620)
C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc  (depth 1, PID 792)
C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO  (depth 1, PID 4912)
- Suspicious use of WriteProcessMemory
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe RO  (depth 2, PID 2708)
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (depth 3, PID 1116)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO  (depth 1, PID 4620)
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads
- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize: 2.2MB
  MD5: 42d0996425ac5e2e2ca40de313003228
  SHA1: 452c35240f7fb53da73dd90fc1e5d475b09ee61a
  SHA256: 6e00cc9aa9c952b2b6c88fc9141b37ee413d1a4bde6081935b73e8bd385461b1
  SHA512: 7fc9af360daee911e96718a0ba8c3ba95d33fbd902ba72ce0fb096079390e525c439167f736a857555ebaae3b8b08d6bfb9d14e03298cc7d7da3a31c291d906c
- Filesize: 2.2MB
  MD5: 94a31dde83797d09313b21ff9b373cf6
  SHA1: 2b3e8a869691908f474c3401a1419af038967b90
  SHA256: 6f2e6a170989f14130ca9498cc34ec0d5e806d0fe0e4c8d6c300cc8ac19d6067
  SHA512: e41239b8b97b180553395fe090a4214c9d158051e29054f7cd1b847e9037ae439969972f615be340190a165fd80045741102fec8f3891850ce00928dbbaf03f0