Analysis
- max time kernel: 145s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 10:48

Behavioral task: behavioral1
- Sample: a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe
- Resource: win7-20240508-en

General
- Target: a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe
- Size: 2.2MB
- MD5: a061bffd9194599841a7d7f276cd0e7a
- SHA1: f9d38f5757c25d28a60468aaf6c0f2971936e199
- SHA256: 570bb48be34460142123861447e6fd0c8b4df7cfe958933097b51383faff9139
- SHA512: d5189bc6b25274101d3d41892cceed6b4355f2fbbbdf16c4d065cd783225373d1d87558346f13762be939ec1dfe7c364ba82b21711e254fc2555b9c05a214920
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZq:0UzeyQMS4DqodCnoe+iitjWwwW

Malware Config
Extracted
- Family: pony
- http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: explorer.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Drops startup file 2 IoCs
Processes: a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe (process: a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe (process: a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe)
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext 53 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
- PID 2544: explorer.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- PID 816: C:\Users\Admin\AppData\Local\Temp\a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe")
  Signatures: Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - PID 892: C:\Windows\splwow64.exe (command line: C:\Windows\splwow64.exe 12288)
  - PID 4908: C:\Users\Admin\AppData\Local\Temp\a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a061bffd9194599841a7d7f276cd0e7a_JaffaCakes118.exe")
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 2904: \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe)
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - PID 2544: \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe")
        Signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - PID 4088: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 2908: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - PID 2872: \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe)
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
              - PID 4736: \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe")
        - PID 3908: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 3500: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 4940: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 2000: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 1540: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 4744: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 228: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 4516: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 3560: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 2260: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 4116: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 3640: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - PID 1604: \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe)
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              - PID 768: \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe")
        - PID 3536: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 4556: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 4572: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 4588: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 3616: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 4184: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 1480: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 1080: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 4012: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 2292: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 792: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          - PID 4452: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 2280: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 2944: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 2484: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 4428: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 3160: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 2168: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 1484: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 3348: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 4488: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 816: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 3128: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 2892: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 4980: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 4112: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 3008: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 3060: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 936: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 3184: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - PID 1488: \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe)
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              - PID 3752: \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe")
        - PID 384: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 4608: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 5108: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 4400: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - PID 916: \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe)
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              - PID 4748: \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe")
        - PID 2676: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          - PID 4988: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Suspicious use of SetWindowsHookEx
        - PID 452: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 2800: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Suspicious use of SetWindowsHookEx
            - PID 2828: \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe)
              Signatures: Suspicious use of SetThreadContext
              - PID 2652: \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe")
        - PID 3800: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 3892: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Suspicious use of SetWindowsHookEx
        - PID 4092: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 4348: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Suspicious use of SetWindowsHookEx
            - PID 2248: \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe)
              Signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
              - PID 1848: \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe")
        - PID 4468: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - PID 1276: \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe")
            Signatures: Suspicious use of SetWindowsHookEx
            - PID 3196: \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe)
              Signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
              - PID 1964: \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe")
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4464 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1700
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4976 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4372
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3040 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:536
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2904 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2684
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1704 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3748
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3216
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2196 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2916
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4628 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1516
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:1504 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1836 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4396
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4280 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3144 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1640
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2768 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1716
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4708 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1412
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1348 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1888
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:592 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3504 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:60
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4352 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4524
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1400 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2100
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4232 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:692
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3840
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:468
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2400 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1456
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:716 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4900
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4480
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2924
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4504
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3548 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:956 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3676 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3220 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1936
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2992 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3940 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4380
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3772 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3208
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4228
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4844
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads

- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

- Filesize: 2.2MB
  MD5: 96e234eff966baee5123f4b936166f26
  SHA1: 355c6fbbda7a220871d70c53d3f001b63897eb3f
  SHA256: 52c5f1d43514fe615aac58d508b0f2011473aee78d6e725fe7a6128c072f4c9c
  SHA512: 7f67f101405deb31a3e9d89773a4424a537aa5c9440d32f9c590927e868dc49e6fe3d257f00e7043fe3dbe7d8661ce102fda4ae244d825c94cfc2518491327a5

- Filesize: 2.2MB
  MD5: 058cca71251576151294a99342d709ea
  SHA1: ecc719d573d23f8086b6d5e5afa3e86ba3f7e997
  SHA256: 161de7a813f58c79a1afe8b5d3703e58ad5b1b0cb94c00e2f41f6153df84c8b9
  SHA512: 65962f5f38e93696f3be558dd1575e82a763ad759ec34b97a791d66d54fba2e9bcd5219f71d886e913bb6f532badc6650f4cf7f6341a0d1a4c686c1d21cc1474