description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe

pid	Process
1860	explorer.exe
4140	explorer.exe
3492	spoolsv.exe
1056	spoolsv.exe
4276	spoolsv.exe
1612	spoolsv.exe
808	spoolsv.exe
1732	spoolsv.exe
3452	spoolsv.exe
672	spoolsv.exe
3928	spoolsv.exe
956	spoolsv.exe
2796	spoolsv.exe
4888	spoolsv.exe
4568	spoolsv.exe
3992	spoolsv.exe
1904	spoolsv.exe
3652	spoolsv.exe
4072	spoolsv.exe
4472	spoolsv.exe
4456	spoolsv.exe
1596	spoolsv.exe
1760	spoolsv.exe
4536	spoolsv.exe
2980	spoolsv.exe
440	spoolsv.exe
3900	spoolsv.exe
1500	spoolsv.exe
4448	spoolsv.exe
4792	spoolsv.exe
3340	spoolsv.exe
1240	spoolsv.exe
1488	spoolsv.exe
1632	explorer.exe
64	spoolsv.exe
1860	spoolsv.exe
2404	spoolsv.exe
2772	spoolsv.exe
3384	spoolsv.exe
5016	explorer.exe
3740	spoolsv.exe
1436	spoolsv.exe
1208	spoolsv.exe
4520	spoolsv.exe
4012	spoolsv.exe
4264	spoolsv.exe
2328	spoolsv.exe
1080	explorer.exe
4516	spoolsv.exe
3408	spoolsv.exe
560	spoolsv.exe
2196	spoolsv.exe
3892	spoolsv.exe
3076	spoolsv.exe
2784	spoolsv.exe
2332	explorer.exe
3252	spoolsv.exe
2144	spoolsv.exe
3032	spoolsv.exe
4056	spoolsv.exe
628	spoolsv.exe
2080	spoolsv.exe
4376	spoolsv.exe
1964	spoolsv.exe

description	pid	Process	procid_target
PID 3096 set thread context of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 1860 set thread context of 4140	1860	explorer.exe	99
PID 3492 set thread context of 1488	3492	spoolsv.exe	136
PID 1056 set thread context of 64	1056	spoolsv.exe	138
PID 4276 set thread context of 1860	4276	spoolsv.exe	139
PID 1612 set thread context of 2772	1612	spoolsv.exe	141
PID 808 set thread context of 3384	808	spoolsv.exe	142
PID 1732 set thread context of 3740	1732	spoolsv.exe	144
PID 3452 set thread context of 1436	3452	spoolsv.exe	145
PID 672 set thread context of 1208	672	spoolsv.exe	146
PID 3928 set thread context of 4520	3928	spoolsv.exe	147
PID 956 set thread context of 4264	956	spoolsv.exe	149
PID 2796 set thread context of 2328	2796	spoolsv.exe	150
PID 4888 set thread context of 4516	4888	spoolsv.exe	152
PID 4568 set thread context of 3408	4568	spoolsv.exe	153
PID 3992 set thread context of 560	3992	spoolsv.exe	154
PID 1904 set thread context of 2196	1904	spoolsv.exe	155
PID 3652 set thread context of 3076	3652	spoolsv.exe	157
PID 4072 set thread context of 2784	4072	spoolsv.exe	158
PID 4472 set thread context of 3252	4472	spoolsv.exe	161
PID 4456 set thread context of 2144	4456	spoolsv.exe	162
PID 1596 set thread context of 4056	1596	spoolsv.exe	164
PID 1760 set thread context of 628	1760	spoolsv.exe	165
PID 4536 set thread context of 2080	4536	spoolsv.exe	166
PID 2980 set thread context of 4376	2980	spoolsv.exe	167
PID 440 set thread context of 1964	440	spoolsv.exe	168
PID 3900 set thread context of 2524	3900	spoolsv.exe	171
PID 1500 set thread context of 5108	1500	spoolsv.exe	172
PID 4448 set thread context of 968	4448	spoolsv.exe	173
PID 4792 set thread context of 5104	4792	spoolsv.exe	174
PID 3340 set thread context of 4356	3340	spoolsv.exe	176
PID 1240 set thread context of 4020	1240	spoolsv.exe	183
PID 1632 set thread context of 4800	1632	explorer.exe	185
PID 2404 set thread context of 1448	2404	spoolsv.exe	194
PID 5016 set thread context of 472	5016	explorer.exe	196
PID 4012 set thread context of 4820	4012	spoolsv.exe	203
PID 1080 set thread context of 1712	1080	explorer.exe	206
PID 3892 set thread context of 1868	3892	spoolsv.exe	209
PID 2332 set thread context of 4080	2332	explorer.exe	212
PID 3032 set thread context of 1676	3032	spoolsv.exe	215
PID 2072 set thread context of 5280	2072	spoolsv.exe	219
PID 3876 set thread context of 5288	3876	explorer.exe	220
PID 2976 set thread context of 5436	2976	spoolsv.exe	222
PID 3096 set thread context of 5480	3096	explorer.exe	223
PID 4084 set thread context of 5568	4084	spoolsv.exe	224
PID 1956 set thread context of 5628	1956	spoolsv.exe	225
PID 2620 set thread context of 5696	2620	spoolsv.exe	226
PID 1400 set thread context of 5776	1400	spoolsv.exe	227
PID 5104 set thread context of 5844	5104	explorer.exe	228
PID 2488 set thread context of 5912	2488	spoolsv.exe	229
PID 4400 set thread context of 5148	4400	spoolsv.exe	231
PID 4260 set thread context of 5520	4260	spoolsv.exe	232
PID 2580 set thread context of 3792	2580	spoolsv.exe	234

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

pid	Process
2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe

description	pid	Process	procid_target
PID 3096 wrote to memory of 2376	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	83
PID 3096 wrote to memory of 2376	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	83
PID 3096 wrote to memory of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 3096 wrote to memory of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 3096 wrote to memory of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 3096 wrote to memory of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 3096 wrote to memory of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 2944 wrote to memory of 1860	2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	96
PID 2944 wrote to memory of 1860	2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	96
PID 2944 wrote to memory of 1860	2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	96
PID 1860 wrote to memory of 4140	1860	explorer.exe	99
PID 1860 wrote to memory of 4140	1860	explorer.exe	99
PID 1860 wrote to memory of 4140	1860	explorer.exe	99
PID 1860 wrote to memory of 4140	1860	explorer.exe	99
PID 1860 wrote to memory of 4140	1860	explorer.exe	99
PID 4140 wrote to memory of 3492	4140	explorer.exe	100
PID 4140 wrote to memory of 3492	4140	explorer.exe	100
PID 4140 wrote to memory of 3492	4140	explorer.exe	100
PID 4140 wrote to memory of 1056	4140	explorer.exe	101
PID 4140 wrote to memory of 1056	4140	explorer.exe	101
PID 4140 wrote to memory of 1056	4140	explorer.exe	101
PID 4140 wrote to memory of 4276	4140	explorer.exe	102
PID 4140 wrote to memory of 4276	4140	explorer.exe	102
PID 4140 wrote to memory of 4276	4140	explorer.exe	102
PID 4140 wrote to memory of 1612	4140	explorer.exe	103
PID 4140 wrote to memory of 1612	4140	explorer.exe	103
PID 4140 wrote to memory of 1612	4140	explorer.exe	103
PID 4140 wrote to memory of 808	4140	explorer.exe	104
PID 4140 wrote to memory of 808	4140	explorer.exe	104
PID 4140 wrote to memory of 808	4140	explorer.exe	104
PID 4140 wrote to memory of 1732	4140	explorer.exe	105
PID 4140 wrote to memory of 1732	4140	explorer.exe	105
PID 4140 wrote to memory of 1732	4140	explorer.exe	105
PID 4140 wrote to memory of 3452	4140	explorer.exe	106
PID 4140 wrote to memory of 3452	4140	explorer.exe	106
PID 4140 wrote to memory of 3452	4140	explorer.exe	106
PID 4140 wrote to memory of 672	4140	explorer.exe	107
PID 4140 wrote to memory of 672	4140	explorer.exe	107
PID 4140 wrote to memory of 672	4140	explorer.exe	107
PID 4140 wrote to memory of 3928	4140	explorer.exe	108
PID 4140 wrote to memory of 3928	4140	explorer.exe	108
PID 4140 wrote to memory of 3928	4140	explorer.exe	108
PID 4140 wrote to memory of 956	4140	explorer.exe	109
PID 4140 wrote to memory of 956	4140	explorer.exe	109
PID 4140 wrote to memory of 956	4140	explorer.exe	109
PID 4140 wrote to memory of 2796	4140	explorer.exe	111
PID 4140 wrote to memory of 2796	4140	explorer.exe	111
PID 4140 wrote to memory of 2796	4140	explorer.exe	111
PID 4140 wrote to memory of 4888	4140	explorer.exe	112
PID 4140 wrote to memory of 4888	4140	explorer.exe	112
PID 4140 wrote to memory of 4888	4140	explorer.exe	112
PID 4140 wrote to memory of 4568	4140	explorer.exe	115
PID 4140 wrote to memory of 4568	4140	explorer.exe	115
PID 4140 wrote to memory of 4568	4140	explorer.exe	115
PID 4140 wrote to memory of 3992	4140	explorer.exe	116
PID 4140 wrote to memory of 3992	4140	explorer.exe	116
PID 4140 wrote to memory of 3992	4140	explorer.exe	116
PID 4140 wrote to memory of 1904	4140	explorer.exe	119
PID 4140 wrote to memory of 1904	4140	explorer.exe	119
PID 4140 wrote to memory of 1904	4140	explorer.exe	119
PID 4140 wrote to memory of 3652	4140	explorer.exe	121
PID 4140 wrote to memory of 3652	4140	explorer.exe	121
PID 4140 wrote to memory of 3652	4140	explorer.exe	121
PID 4140 wrote to memory of 4072	4140	explorer.exe	122

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.