Analysis
- max time kernel: 87s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/05/2025, 15:33
Behavioral task behavioral1
- Sample: JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe
- Resource: win10v2004-20250502-en
Behavioral task behavioral2
- Sample: JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe
- Resource: win11-20250502-en
General
- Target: JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe
- Size: 2.2MB
- MD5: 080d2a293751e6d785a73a11664845d0
- SHA1: 5f84d3fa42600199117b4713fea7a6f200e6da31
- SHA256: eb83ad2266873e7f557a2b3d521a1593ec21a59bb05e8f3bcc240901a6a5f8db
- SHA512: d7095e4e46b1c12b16fb1a496f36f82ac9764456f858d06e4dec2a7a486445a102354bb2fc98a05f94721cd520cfb9766846e66ab276abe76c38687f5c430ea0
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZB:0UzeyQMS4DqodCnoe+iitjWwwl
Malware Config
Extracted: pony
- http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures
Detects Mofksys worm 64 IoCs
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Set value (int): \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Mofksys family
Pony family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Drops startup file 2 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe (process: JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe (process: JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe)
Executes dropped EXE 23 IoCs
explorer.exe: PIDs 2164, 5624, 1876
spoolsv.exe: PIDs 4716, 3576, 1652, 2324, 5688, 2208, 4144, 6044, 804, 5792, 3584, 5084, 4940, 2136, 5756, 5940, 4752, 3992, 5464, 2728
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext 2 IoCs
PID 428 (JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe) set thread context of PID 2928 (procid_target 99)
PID 2164 (explorer.exe) set thread context of PID 5624 (procid_target 109)
Drops file in Windows directory 25 IoCs
File opened for modification: \??\c:\windows\system\explorer.exe (processes: JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe, explorer.exe)
File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
File opened for modification: C:\Windows\Parameters.ini (22 events: spoolsv.exe x19, explorer.exe x2, JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe x1)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (25 events: spoolsv.exe x20, explorer.exe x3, JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe x2)
Suspicious behavior: EnumeratesProcesses 42 IoCs
PID 2928 JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe (2 events); PID 5624 explorer.exe (40 events)
Suspicious use of SetWindowsHookEx 6 IoCs
PID 2928 JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe (2 events); PID 5624 explorer.exe (4 events)
Suspicious use of WriteProcessMemory 64 IoCs
PID 428 (JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe) wrote to memory of PID 4880 (procid_target 85), 2 events
PID 428 (JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe) wrote to memory of PID 2928 (procid_target 99), 5 events
PID 2928 (JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe) wrote to memory of PID 2164 (procid_target 100), 3 events
PID 2164 (explorer.exe) wrote to memory of PID 5624 (procid_target 109), 5 events
PID 5624 (explorer.exe) wrote to memory of PID 4716 (procid_target 110), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 3576 (procid_target 115), 3 events
PID 3220 (cmd.exe) wrote to memory of PID 1876 (procid_target 116), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 1652 (procid_target 117), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 2324 (procid_target 118), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 5688 (procid_target 119), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 2208 (procid_target 120), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 4144 (procid_target 121), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 6044 (procid_target 122), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 804 (procid_target 123), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 5792 (procid_target 124), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 3584 (procid_target 126), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 5084 (procid_target 127), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 4940 (procid_target 128), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 2136 (procid_target 129), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 5756 (procid_target 130), 3 events
PID 5624 (explorer.exe) wrote to memory of PID 5940 (procid_target 131), 1 event
Processes
(indentation shows the parent/child relationship; [n] is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe" | PID 428
  signatures: Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\splwow64.exe | cmdline: C:\Windows\splwow64.exe 12288 | PID 4880
  - [2] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe" | PID 2928
    signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 2164
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - [4] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 5624
        signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4716
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5776
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 5952
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 3356
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3576
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4736
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1652
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5412
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2324
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5156
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 936
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 4872
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5688
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4924
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2208
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 636
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 2148
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 5476
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4144
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2472
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 6044
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3424
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 4512
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 2232
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 804
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3160
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5792
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1720
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3584
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5068
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5084
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3236
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 4996
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 1020
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4940
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 932
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 2748
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 5884
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2136
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1688
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 5556
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 5564
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5756
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2496
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 5524
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 6124
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5940
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 896
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 4536
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 5460
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4752
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5888
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 3516
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 1856
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3992
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4540
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 2996
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 4548
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5464
          signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4052
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2728
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 464
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5592
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4640
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 3596
              - [8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 2436
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1728
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3612
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 1432
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2396
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4720
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5240
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 544
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2288
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 116
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1572
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2452
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 1196
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2988
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4360
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1716
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2144
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5732
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1584
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2612
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4496
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5232
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5064
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 884
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5008
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4600
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2696
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 5268
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2224
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1824
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5320
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2624
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5060
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3624
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5484
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1084
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4296
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 960
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1612
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3892
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2768
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4268
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5548
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3368
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2244
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4396
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1080
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2140
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4564
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3100
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2932
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1756
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1732
          - [6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1396
            - [7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 5644
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5652
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3412
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1348
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2300
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4416
        - [5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 660
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc | PID 5764
- [1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO | PID 3220
  signatures: Suspicious use of WriteProcessMemory
  - [2] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe RO | PID 1876
    signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
    - [3] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 5104
- [1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO | PID 4764
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads