Analysis

max time kernel: 149s
max time network: 55s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 11:50

Behavioral task: behavioral1
Sample: a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe
Resource: win7-20240220-en
General

Target: a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe
Size: 2.2MB
MD5: a090e350a3f45c27219fb30ce20257c3
SHA1: 6d9c1e304f0d86ee1a82268be560b5844ff7a00c
SHA256: 34800b5dcd88f10a3818f7ea58f55d9230b06437aa4c8d494b11691864cd0284
SHA512: 196704d8e917f7826108891542c20ad120e270dd2f92adceb43499ecb761d8bfdc29afea04f767db7433d61393bdc650d7a4cffca5314827ed8dbfed84a402f9
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZe:0UzeyQMS4DqodCnoe+iitjWwwq
Malware Config

Extracted family: pony
C2 (gate): http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe

The gate URL is where this Pony build posts harvested credentials; payload_url is the additional executable the build is configured to download and run. Both are extracted statically from the embedded configuration, so they are useful as network IoCs even though the sandbox run shows no contact with them in this report.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe

The dropped c:\windows\system\explorer.exe is appended to the legitimate Shell value rather than replacing it, so the real desktop still comes up. The write landed in the WOW6432Node view because the dropper is a 32-bit process on an x64 image; the 64-bit Winlogon reads the native key, so on this platform the Shell change is unlikely to take effect, whereas the RunOnce and Active Setup entries below are honoured from the WOW6432Node view.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe

ShowSuperHidden = 0 keeps protected operating-system files out of Explorer listings, which hides the dropped copies from a user who has enabled "show hidden files".
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe

Active Setup runs each component's StubPath once per user at logon. The component name here is not a valid GUID (Y, O, T, R, W, U, G, H and S are not hex digits), and the stub lives in the user's Roaming profile; both are cheap, high-confidence hunting conditions across a fleet.
Drops startup file (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
pid process, in the order reported:
1652 explorer.exe, 1044 explorer.exe, 4628 spoolsv.exe, 3096 spoolsv.exe, 2000 spoolsv.exe, 3328 spoolsv.exe, 1452 spoolsv.exe, 1520 spoolsv.exe, 4932 spoolsv.exe, 5052 spoolsv.exe, 1616 spoolsv.exe, 2160 spoolsv.exe, 3020 spoolsv.exe, 3716 spoolsv.exe, 3592 spoolsv.exe, 2144 spoolsv.exe, 3196 spoolsv.exe, 5096 spoolsv.exe, 4784 spoolsv.exe, 1408 spoolsv.exe, 2652 spoolsv.exe, 3316 spoolsv.exe, 4108 spoolsv.exe, 2284 spoolsv.exe, 1048 spoolsv.exe, 3100 spoolsv.exe, 2452 spoolsv.exe, 4664 spoolsv.exe, 3504 spoolsv.exe, 5100 spoolsv.exe, 4300 spoolsv.exe, 4580 spoolsv.exe, 4048 spoolsv.exe, 1588 explorer.exe, 3536 spoolsv.exe, 3452 spoolsv.exe, 2036 spoolsv.exe, 4760 spoolsv.exe, 3576 spoolsv.exe, 3192 spoolsv.exe, 1904 spoolsv.exe, 4972 explorer.exe, 3884 spoolsv.exe, 3792 spoolsv.exe, 432 spoolsv.exe, 2064 spoolsv.exe, 1768 spoolsv.exe, 4364 spoolsv.exe, 4788 spoolsv.exe, 2472 explorer.exe, 764 spoolsv.exe, 4524 spoolsv.exe, 1644 spoolsv.exe, 4652 spoolsv.exe, 3740 spoolsv.exe, 3664 explorer.exe, 4816 spoolsv.exe, 1164 spoolsv.exe, 3076 spoolsv.exe, 5012 spoolsv.exe, 1108 spoolsv.exe, 644 explorer.exe, 4568 spoolsv.exe, 2544 spoolsv.exe

All of these are the dropped copies under c:\windows\system\, not the Windows binaries of the same name (see the Processes tree for the full paths).
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe

The value names mimic Windows binaries but point into the legacy c:\windows\system\ directory, and the "RO" argument matches the "SE" and "MR" mode switches seen on the other launch paths. Note that c:\windows\system\svchost.exe is referenced here but does not appear among the files written or the processes executed in this report, so the RunOnce Svchost entry may be dead on this run.
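The four registry signatures above each reduce to a mechanical check: a Shell value with more than the real explorer.exe in it, an Active Setup component whose name is not a well-formed GUID or whose StubPath sits in a user profile, a Run/RunOnce target in c:\windows\system\ or a user-writable directory, and ShowSuperHidden forced to 0. The script below is an added example, not part of the report or of any sandbox's tooling: it parses event lines copied from this page in the report's own "<op> <path> = "<data>" <process>" layout (the final benign Winlogon line is constructed as a control) and returns the findings.

```python
import re

# Registry events copied from the signatures above, in the report's own
# '<op> <path>[ = "<data>"] <process>' layout. The final line is a constructed
# benign control (a clean native Winlogon Shell value) and must not fire.
EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" winlogon.exe',
]

EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<data>.*)")? (?P<process>\S+)$'
)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)

# Where a legitimate Shell value is allowed to point.
ALLOWED_SHELL = {"explorer.exe", "c:\\windows\\explorer.exe"}
# Directories no legitimate autostart target should live in: the legacy
# c:\windows\system\ directory and user-writable locations.
SUSPECT_DIRS = ("c:\\windows\\system\\", "\\appdata\\", "\\temp\\")


def norm(path):
    """Collapse the report's doubled backslashes and lower-case for comparison."""
    return path.replace("\\\\", "\\").lower()


def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable registry event: {line!r}")
    return m.groupdict()


def target_of(data):
    """First token of an autostart command line, i.e. the executable path."""
    m = re.match(r'^"([^"]+)"|^(\S+)', data)
    return norm(m.group(1) or m.group(2)) if m else ""


def in_suspect_dir(path):
    return any(d in path for d in SUSPECT_DIRS)


def check_event(ev):
    """Yield (kind, detail) findings for one parsed event."""
    path, data = norm(ev["path"]), ev["data"]
    if path.endswith("\\winlogon\\shell") and data is not None:
        extra = [e for e in (norm(x.strip()) for x in data.split(",")) if e not in ALLOWED_SHELL]
        if extra:
            yield "winlogon_shell", f"extra shell entries: {', '.join(extra)}"
    if path.endswith("\\explorer\\advanced\\showsuperhidden") and data == "0":
        yield "hide_system_files", "ShowSuperHidden forced to 0"
    if "\\active setup\\installed components\\" in path:
        component = path.split("\\active setup\\installed components\\", 1)[1].split("\\", 1)[0]
        if not GUID_RE.match(component):
            yield "active_setup_bad_guid", component
        if path.endswith("\\stubpath") and data is not None and in_suspect_dir(target_of(data)):
            yield "active_setup_stub_location", target_of(data)
    if re.search(r"\\currentversion\\run(?:once)?\\", path) and data is not None:
        if in_suspect_dir(target_of(data)):
            yield "autorun_location", target_of(data)


def run_checks(lines):
    """Parse every event and return de-duplicated findings in report order."""
    findings = []
    for line in lines:
        for f in check_event(parse_event(line)):
            if f not in findings:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for kind, detail in run_checks(EVENTS):
        print(f"{kind:28s} {detail}")
```

The GUID test alone catches this Active Setup entry with no knowledge of the sample; the directory rule is deliberately broad (anything under AppData or Temp) because legitimate software rarely installs Active Setup stubs or HKLM RunOnce entries there.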
Suspicious use of SetThreadContext (55 IoCs)
Every entry is a parent resetting the thread context of a child it has just spawned from the same image (compare the WriteProcessMemory entries and the Processes tree): the RunPE-style self-hollowing that each launcher in this run performs before the child does any real work. Note PID 4636: it is the original sample at the top of the list and the target of explorer.exe (PID 4752) near the end, so the sandbox recycled the PID once the first process exited. Key on image path and parent, not on PID alone, when following a long trace.
source PID | target PID | source process | target process
4636 | 2944 | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe
1652 | 1044 | explorer.exe | explorer.exe
4628 | 4048 | spoolsv.exe | spoolsv.exe
3096 | 3536 | spoolsv.exe | spoolsv.exe
2000 | 3452 | spoolsv.exe | spoolsv.exe
3328 | 2036 | spoolsv.exe | spoolsv.exe
1452 | 3576 | spoolsv.exe | spoolsv.exe
1520 | 3192 | spoolsv.exe | spoolsv.exe
4932 | 1904 | spoolsv.exe | spoolsv.exe
5052 | 3884 | spoolsv.exe | spoolsv.exe
1616 | 432 | spoolsv.exe | spoolsv.exe
2160 | 2064 | spoolsv.exe | spoolsv.exe
3020 | 4364 | spoolsv.exe | spoolsv.exe
3716 | 4788 | spoolsv.exe | spoolsv.exe
3592 | 764 | spoolsv.exe | spoolsv.exe
2144 | 4524 | spoolsv.exe | spoolsv.exe
3196 | 4652 | spoolsv.exe | spoolsv.exe
5096 | 3740 | spoolsv.exe | spoolsv.exe
4784 | 4816 | spoolsv.exe | spoolsv.exe
1408 | 1164 | spoolsv.exe | spoolsv.exe
2652 | 5012 | spoolsv.exe | spoolsv.exe
3316 | 1108 | spoolsv.exe | spoolsv.exe
4108 | 4568 | spoolsv.exe | spoolsv.exe
2284 | 2544 | spoolsv.exe | spoolsv.exe
1048 | 1500 | spoolsv.exe | spoolsv.exe
3100 | 2488 | spoolsv.exe | spoolsv.exe
2452 | 4656 | spoolsv.exe | spoolsv.exe
4664 | 3960 | spoolsv.exe | spoolsv.exe
3504 | 2220 | spoolsv.exe | spoolsv.exe
5100 | 4720 | spoolsv.exe | spoolsv.exe
4300 | 392 | spoolsv.exe | spoolsv.exe
4580 | 3728 | spoolsv.exe | spoolsv.exe
1588 | 3164 | explorer.exe | explorer.exe
4760 | 2828 | spoolsv.exe | spoolsv.exe
3792 | 4500 | spoolsv.exe | spoolsv.exe
4972 | 4548 | explorer.exe | explorer.exe
1768 | 4464 | spoolsv.exe | spoolsv.exe
2472 | 3696 | explorer.exe | explorer.exe
1644 | 552 | spoolsv.exe | spoolsv.exe
3664 | 2332 | explorer.exe | explorer.exe
3076 | 1792 | spoolsv.exe | spoolsv.exe
644 | 1680 | explorer.exe | explorer.exe
1620 | 3652 | spoolsv.exe | spoolsv.exe
624 | 3232 | explorer.exe | explorer.exe
2916 | 388 | spoolsv.exe | spoolsv.exe
1788 | 4828 | explorer.exe | explorer.exe
4680 | 4536 | spoolsv.exe | spoolsv.exe
4276 | 512 | spoolsv.exe | spoolsv.exe
116 | 2368 | spoolsv.exe | spoolsv.exe
2936 | 3596 | explorer.exe | explorer.exe
2864 | 4960 | spoolsv.exe | spoolsv.exe
4752 | 4636 | explorer.exe | explorer.exe
4376 | 4756 | spoolsv.exe | spoolsv.exe
1952 | 1968 | spoolsv.exe | spoolsv.exe
3896 | 3752 | explorer.exe | explorer.exe
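Read together, the SetThreadContext entries above and the WriteProcessMemory entries further down describe one sequence per launcher: create a child from the same image, write into it, then reset its thread context. A memory write on its own is weak evidence (a parent writes the parameter block into every child it creates, which is why splwow64.exe shows up with writes but no context reset), so the correlation should require both halves. The following is an added example, not part of the report: it pairs the two event types from a hand-transcribed excerpt of this page's entries (the 4628 → 4048 write is added because the report's WriteProcessMemory list is cut off before it) and also surfaces the PID 4636 reuse.

```python
import re
from collections import defaultdict

SAMPLE = "a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe"

# Constructed excerpt of the SetThreadContext and WriteProcessMemory entries in
# this report, in its "PID <src> <verb> <dst> <src> <src image> <dst image>"
# layout. The 4628 -> 4048 write is added by hand; the report's write list is
# truncated at 64 entries before that chain.
EVENTS = [
    f"PID 4636 wrote to memory of 2644 4636 {SAMPLE} splwow64.exe",
    f"PID 4636 wrote to memory of 2944 4636 {SAMPLE} {SAMPLE}",
    f"PID 4636 set thread context of 2944 4636 {SAMPLE} {SAMPLE}",
    f"PID 2944 wrote to memory of 1652 2944 {SAMPLE} explorer.exe",
    "PID 1652 wrote to memory of 1044 1652 explorer.exe explorer.exe",
    "PID 1652 set thread context of 1044 1652 explorer.exe explorer.exe",
    "PID 1044 wrote to memory of 4628 1044 explorer.exe spoolsv.exe",
    "PID 4628 wrote to memory of 4048 4628 spoolsv.exe spoolsv.exe",
    "PID 4628 set thread context of 4048 4628 spoolsv.exe spoolsv.exe",
    "PID 4752 set thread context of 4636 4752 explorer.exe explorer.exe",
]

# The source PID is repeated in the report's layout; the backreference checks it.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse(lines):
    out = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unexpected event layout: {line!r}")
        d = m.groupdict()
        d["src"], d["dst"] = int(d["src"]), int(d["dst"])
        out.append(d)
    return out


def hollowing_candidates(events):
    """Each SetThreadContext, annotated with whether the same parent also
    wrote into that child and whether both run the same image.

    create child + write into it + reset its thread context is the RunPE /
    process-hollowing sequence; same-image pairs are the self-injection
    variant that every launcher in this report uses.
    """
    writes = {(e["src"], e["dst"]) for e in events if e["verb"] == "wrote to memory of"}
    out = []
    for e in events:
        if e["verb"] != "set thread context of":
            continue
        out.append({
            "parent": e["src"], "child": e["dst"], "image": e["dst_image"],
            "same_image": e["src_image"] == e["dst_image"],
            "write_seen": (e["src"], e["dst"]) in writes,
        })
    return out


def writes_without_context_reset(events):
    """Memory writes never followed by a context reset on the same child:
    usually just the process-creation write, not an injection."""
    reset = {(e["src"], e["dst"]) for e in events if e["verb"] == "set thread context of"}
    return [(e["src"], e["dst"], e["dst_image"]) for e in events
            if e["verb"] == "wrote to memory of" and (e["src"], e["dst"]) not in reset]


def pid_reuse(events):
    """PIDs observed with more than one image name. The sandbox recycles PIDs
    after a process exits, so a PID is not a stable key across a long trace."""
    images = defaultdict(set)
    for e in events:
        images[e["src"]].add(e["src_image"])
        images[e["dst"]].add(e["dst_image"])
    return {pid: sorted(imgs) for pid, imgs in images.items() if len(imgs) > 1}


if __name__ == "__main__":
    evs = parse(EVENTS)
    for c in hollowing_candidates(evs):
        print("hollowing", c)
    print("creation-only writes", writes_without_context_reset(evs))
    print("reused pids", pid_reuse(evs))
```

On the excerpt the three complete chains (4636 → 2944, 1652 → 1044, 4628 → 4048) come out with write_seen set; the 4752 → 4636 pair is reported without a matching write only because that part of the write list is not on this page, and pid_reuse flags 4636 as having been both the sample and, later, an explorer.exe copy.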
Drops file in Windows directory (64 IoCs)
description | ioc | process | entries
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 47
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 12
File opened for modification | C:\Windows\Parameters.ini | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | 1
File opened for modification | \??\c:\windows\system\explorer.exe | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe | 1
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe | 1
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe | 1

C:\Windows\Parameters.ini is opened for writing by the original sample and by every launcher stage, which makes it the most reliable file-system artifact of this family on a host. The binaries actually written are explorer.exe, spoolsv.exe and udsys.exe under c:\windows\system\; the svchost.exe (RunOnce) and mrsys.exe (Active Setup) targets referenced in the registry do not appear in the listed entries, although the list is capped at 64.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | entries
2944 | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | 2
1044 | explorer.exe | 62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
1044 | explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | process | entries
2944 | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | 2
1044 | explorer.exe | 4
spoolsv.exe, 2 entries each: 4048, 3536, 3452, 2036, 3576, 3192, 1904, 3884, 432, 2064, 4364, 4788, 764, 4524, 4652, 3740, 4816, 1164, 5012, 1108, 4568, 2544, 1500, 2488, 4656, 3960, 2220, 4720, 392

Only the hollowed second-stage copies install hooks: every PID here is a SetThreadContext target above, and none of the launcher PIDs appear. Combined with GetForegroundWindowSpam this is the usual shape of a keylogging/window-monitoring payload.
Suspicious use of WriteProcessMemory (64 IoCs; the report shows the first 64 entries)
source PID | target PID | source process | target process | entries
4636 | 2644 | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | splwow64.exe | 2
4636 | 2944 | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | 5
2944 | 1652 | a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe | explorer.exe | 3
1652 | 1044 | explorer.exe | explorer.exe | 5
1044 | 4628 | explorer.exe | spoolsv.exe | 3
1044 | 3096 | explorer.exe | spoolsv.exe | 3
1044 | 2000 | explorer.exe | spoolsv.exe | 3
1044 | 3328 | explorer.exe | spoolsv.exe | 3
1044 | 1452 | explorer.exe | spoolsv.exe | 3
1044 | 1520 | explorer.exe | spoolsv.exe | 3
1044 | 4932 | explorer.exe | spoolsv.exe | 3
1044 | 5052 | explorer.exe | spoolsv.exe | 3
1044 | 1616 | explorer.exe | spoolsv.exe | 3
1044 | 2160 | explorer.exe | spoolsv.exe | 3
1044 | 3020 | explorer.exe | spoolsv.exe | 3
1044 | 3716 | explorer.exe | spoolsv.exe | 3
1044 | 3592 | explorer.exe | spoolsv.exe | 3
1044 | 2144 | explorer.exe | spoolsv.exe | 3
1044 | 3196 | explorer.exe | spoolsv.exe | 3
1044 | 5096 | explorer.exe | spoolsv.exe | 3
1044 | 4784 | explorer.exe | spoolsv.exe | 1 (list cut off here)

The writes into splwow64.exe (the 32-bit print-driver host Windows starts for a 32-bit process) and the three-per-child writes from 1044 into each spoolsv.exe launcher have no SetThreadContext counterpart and are consistent with ordinary process creation; the five-write pairs 4636 → 2944 and 1652 → 1044 are the ones that also appear in the SetThreadContext list.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a090e350a3f45c27219fb30ce20257c3_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4628 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4048 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1588 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3096 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3536 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2000 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3452 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3328 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2036 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1452 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3576 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1520 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3192 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4932 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1904 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4972 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4548
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5052 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3884 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1616 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:432 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2160 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2064 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3020 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4364 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3716 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4788 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2472 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3592 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:764 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2144 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4524 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3196 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4652 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5096 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3740 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3664 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2332
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4784 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4816 -
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1408)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 1164)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 2652)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 5012)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 3316)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 1108)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 644)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (cmd: "c:\windows\system\explorer.exe"; depth 8; PID 1680)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4108)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 4568)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 2284)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 2544)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1048)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 1500)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 624)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (cmd: "c:\windows\system\explorer.exe"; depth 8; PID 3232)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 3100)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 2488)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 2452)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 4656)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4664)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 3960)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 3504)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 2220)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 5100)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 4720)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 1788)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (cmd: "c:\windows\system\explorer.exe"; depth 8; PID 4828)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4300)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 392)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4580)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 3728)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 2936)
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\explorer.exe (cmd: "c:\windows\system\explorer.exe"; depth 8; PID 3596)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4760)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 2828)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 4752)
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\explorer.exe (cmd: "c:\windows\system\explorer.exe"; depth 8; PID 4636)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 3792)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 4500)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 3896)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (cmd: "c:\windows\system\explorer.exe"; depth 8; PID 3752)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1768)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 4464)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 3452)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1644)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 552)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 1148)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 3076)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 1792)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 3024)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1620)
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 3652)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 2664)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 2916)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 388)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 680)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4680)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 4536)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4276)
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 512)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 4128)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 116)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 2368)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4996)
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 2316)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 2416)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 2864)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 4960)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4376)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 4756)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1952)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: "c:\windows\system\spoolsv.exe"; depth 6; PID 1968)
- \??\c:\windows\system\explorer.exe (cmd: c:\windows\system\explorer.exe; depth 7; PID 1580)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1636)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 980)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 2304)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1216)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4320)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 2168)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4348)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 4336)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 3916)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1532)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1040)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1684)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 1232)
- \??\c:\windows\system\spoolsv.exe (cmd: c:\windows\system\spoolsv.exe SE; depth 5; PID 656)
- C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc; depth 1; PID 4632)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads