Analysis
max time kernel: 147s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 11:46
Behavioral task: behavioral1
Sample: a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe
Size: 2.2MB
MD5: a08ecfbd9a3daff85553a4c0ce46ecea
SHA1: c501edab9476914079f997282e1f41375c69c704
SHA256: 567274f59b43272e5d5ced796d5716199079394a402a4274f27c674a558f202e
SHA512: 9eb7c0c4436db6c51d32d2f96c7a58e97679d41eb68cf9c7e5ac16623ba774c68bfb6a25c0741407af69fe615366dac23421627af4df423edaf840341872f722
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZM:0UzeyQMS4DqodCnoe+iitjWwwo
Malware Config
Extracted
Family: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file 2 IoCs
Processes: a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe | a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe | a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext 58 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
pid | process
3400 | explorer.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 4488
  [depth 2] C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1088
  [depth 2] C:\Users\Admin\AppData\Local\Temp\a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a08ecfbd9a3daff85553a4c0ce46ecea_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3744
    [depth 3] \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 3764
      [depth 4] \??\c:\windows\system\explorer.exe
        Command line: "c:\windows\system\explorer.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 3400
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 3976
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 2284
            [depth 7] \??\c:\windows\system\explorer.exe
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID: 4772
              [depth 8] \??\c:\windows\system\explorer.exe
                Command line: "c:\windows\system\explorer.exe"
                PID: 856
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 4056
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 1784
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 3404
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 540
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 4876
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 2180
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 4232
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 3836
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 3764
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 2464
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 3600
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 4048
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 3936
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 864
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 1476
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 4316
            [depth 7] \??\c:\windows\system\explorer.exe
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID: 4136
              [depth 8] \??\c:\windows\system\explorer.exe
                Command line: "c:\windows\system\explorer.exe"
                PID: 980
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID: 316
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 4248
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 2740
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 2688
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 2508
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 1124
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 1140
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 1104
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 4932
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 4752
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 5096
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 1980
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID: 2736
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 1912
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 2156
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 208
            [depth 7] \??\c:\windows\system\explorer.exe
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID: 2128
              [depth 8] \??\c:\windows\system\explorer.exe
                Command line: "c:\windows\system\explorer.exe"
                PID: 4296
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 556
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 3580
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 4384
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 4088
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID: 2076
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 4896
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 3568
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 3688
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 2004
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID: 2196
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID: 4832
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID: 1588
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 3444
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID: 3564
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID: 5044
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID: 3416
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID: 3952
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID: 4340
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID: 2312
          [depth 6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID: 1576
            [depth 7] \??\c:\windows\system\explorer.exe
              Command line: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID: 1400
              [depth 8] \??\c:\windows\system\explorer.exe
                Command line: "c:\windows\system\explorer.exe"
                PID: 2100
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2888 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4452 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3484 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3668 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3896 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4796
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3284 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3052 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1796
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3932 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3216
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2316 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1896
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2220 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2852
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4840 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3772
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4304 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:796
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2956 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:864
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4092 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4404
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2144 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:880
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5100
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1136 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:644
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3368 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:1584 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:432
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3048
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:1568 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4032
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3808 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3964 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4644
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2728 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1964
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2472
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:936 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3592
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2292 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:5056 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1004
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2724
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:4588 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3908
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4288 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4220
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2656 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5048
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4916 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2400
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:3024 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2040
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:516
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1188 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5048
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2872 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4356 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2904
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4576 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2900
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1908 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4592 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2636
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4060 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4024 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1644 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1440 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4224 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4824 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2952 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4432 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4776 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:440 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1556
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:896
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3984
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4508
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads