Analysis

max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 12:43

Behavioral task: behavioral1
Sample: a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe
Resource: win7-20240611-en
General

Target: a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe
Size: 2.2MB
MD5: a0b53809a67e109d4941ee618654b364
SHA1: c2da1461e481870af9352326059539da2675f76e
SHA256: 922824a0b92488a2e6ebea3366d226d00f47565b2eda929ee9e76e1ee0938976
SHA512: 78fe5d394c07856a7b3758ff5b11df6de06986a67307d299eaec0391fe7af39fc0475cb3a5de58b240ccc57c307514aec4a409b0b16e650841b90e35ecd88d13
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZz:0UzeyQMS4DqodCnoe+iitjWww/
Malware Config

Extracted: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: explorer.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
  process: explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Processes: explorer.exe
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  process: explorer.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
  process: explorer.exe
Drops startup file (2 IoCs)
  Processes: a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe
  process: a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe
  process: a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
  process: explorer.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
  process: explorer.exe
Suspicious use of SetThreadContext (48 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: explorer.exe
  pid: 1704
  process: explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe  PID 4020
  cmdline: "C:\Users\Admin\AppData\Local\Temp\a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe  PID 5076
    cmdline: C:\Windows\splwow64.exe 12288
  C:\Users\Admin\AppData\Local\Temp\a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe  PID 984
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a0b53809a67e109d4941ee618654b364_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\explorer.exe  PID 3576
      cmdline: c:\windows\system\explorer.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\explorer.exe  PID 1704
        cmdline: "c:\windows\system\explorer.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe  PID 4776
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5756
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe  PID 5796
              cmdline: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe  PID 1928
                cmdline: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe  PID 4196
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5852
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 1780
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5252
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 1072
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5372
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 1740
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5668
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe  PID 5788
              cmdline: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              \??\c:\windows\system\explorer.exe  PID 4720
                cmdline: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe  PID 4588
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5824
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 3264
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5904
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 4288
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  PID 5976
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 3052
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 1572
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 544
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  PID 5468
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 2152
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 4532
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe  PID 3484
              cmdline: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe  PID 5408
                cmdline: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe  PID 1120
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 1404
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 784
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5956
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 3472
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5268
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 1732
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5328
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 3292
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  PID 5380
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 1480
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  PID 5576
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe  PID 5548
              cmdline: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe  PID 1520
                cmdline: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe  PID 1596
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5716
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 2156
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 2608
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 1028
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5180
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 704
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  PID 1132
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 744
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5412
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe  PID 696
              cmdline: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe  PID 2900
                cmdline: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe  PID 2340
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5560
            cmdline: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 4964
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 1140
            cmdline: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 876
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 6020
            cmdline: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 1608
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 6044
            cmdline: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 4356
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 3764
            cmdline: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe  PID 3676
              cmdline: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              \??\c:\windows\system\explorer.exe  PID 4292
                cmdline: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe  PID 1696
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  PID 4480
            cmdline: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 5312
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 5592
            cmdline: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  PID 5680
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  PID 2408
            cmdline: "c:\windows\system\spoolsv.exe"
            \??\c:\windows\system\explorer.exe  PID 4408
              cmdline: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe  PID 4680
                cmdline: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe
          cmdline: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:6092 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4072
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3820 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4956
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5320 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5400
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:952 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5204 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4720
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5820 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6040 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6076
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3896 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2376 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3172
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5288 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:408 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2768
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3852 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1584
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5272 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:6080 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5464 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5800
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1184
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:6024
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:448
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5172
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4768
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5968 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5128
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5840
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:812
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2384
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5332 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5608
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5500
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4420
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4412 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5440 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4836 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:536 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5368 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5356 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5064 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5700
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1376 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5816 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5768 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1924 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5664 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5612 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5264
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5304
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:752
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:81⤵PID:4460
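The tree above repeats one pattern dozens of times: a `spoolsv.exe SE` instance flagged for SetThreadContext launches a second `spoolsv.exe` from the same directory, which in turn launches `explorer.exe` from that directory, and `c:\windows\system` is not where Windows keeps either binary. The script below is an added example, not part of the sandbox report, that rebuilds parent/child links from the report's depth markers and flags the two things a responder would check first: a well-known system file name running outside its expected directory, and a SetThreadContext-tagged parent spawning a child of its own image, the sequence typical of process hollowing. The records are constructed from a subset of the PIDs shown above (1028, 5180, 744, 5412, 696, 2900, 752); the expected-directory allow-list and the short tag names are assumptions made for this example.

```python
"""Triage of a flattened sandbox process tree: masquerading and hollowing candidates.

Added example, not part of the sandbox report. build_sample() is constructed from a
subset of the spoolsv.exe / explorer.exe / svchost.exe records in the report (level,
image, command line, PID, behaviour tags). EXPECTED_DIRS and the short tag names are
assumptions made for this example.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories where Windows itself installs these binaries (assumed allow-list).
# One of these file names running from anywhere else matches ATT&CK T1036.005,
# Masquerading: Match Legitimate Name or Location.
EXPECTED_DIRS: dict[str, set[str]] = {
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


@dataclass
class Proc:
    level: int            # nesting depth shown by the report's tree markers
    image: str            # image path as reported (may carry the \??\ NT prefix)
    cmdline: str
    pid: int
    tags: frozenset[str] = frozenset()
    parent: Proc | None = None


def normalize(path: str) -> str:
    """Lower-case the path and drop the \\??\\ object-manager prefix used in the report."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def link_parents(procs: list[Proc]) -> list[Proc]:
    """The report lists processes in pre-order with a depth marker, so a record's
    parent is the nearest earlier record that is shallower than it."""
    stack: list[Proc] = []
    for p in procs:
        while stack and stack[-1].level >= p.level:
            stack.pop()
        p.parent = stack[-1] if stack else None
        stack.append(p)
    return procs


def masquerading(procs: list[Proc]) -> list[tuple[int, str]]:
    """(pid, path) for images with a well-known system file name living outside
    the directory Windows installs it to."""
    hits = []
    for p in procs:
        full = normalize(p.image)
        expected = EXPECTED_DIRS.get(ntpath.basename(full))
        if expected is not None and ntpath.dirname(full) not in expected:
            hits.append((p.pid, full))
    return hits


def hollowing_candidates(procs: list[Proc]) -> list[tuple[int, int]]:
    """(parent_pid, child_pid) where a parent tagged for SetThreadContext launched a
    child of its own image. Create-suspended, overwrite, SetThreadContext, resume is
    the usual process-hollowing sequence (ATT&CK T1055.012); the tag alone is only a
    hint, so this is a candidate list, not a verdict."""
    hits = []
    for p in procs:
        par = p.parent
        if par is not None and "SetThreadContext" in par.tags \
                and normalize(par.image) == normalize(p.image):
            hits.append((par.pid, p.pid))
    return hits


def build_sample() -> list[Proc]:
    """Constructed from the report's tree; the excerpt starts at level 5, so the
    first record has no parent in this list."""
    sys_dir = r"\??\c:\windows\system"
    sp, ex = sys_dir + r"\spoolsv.exe", sys_dir + r"\explorer.exe"
    dropper = frozenset({"ExecutesDroppedEXE", "SetThreadContext", "DropsFileInWindowsDir"})
    hooker = frozenset({"ExecutesDroppedEXE", "SetWindowsHookEx"})
    return [
        Proc(5, sp, sp[4:] + " SE", 1028, dropper),
        Proc(6, sp, f'"{sp[4:]}"', 5180, hooker),
        Proc(5, sp, sp[4:] + " SE", 744, dropper),
        Proc(6, sp, f'"{sp[4:]}"', 5412, hooker),
        Proc(7, ex, ex[4:], 696, dropper),
        Proc(8, ex, f'"{ex[4:]}"', 2900),
        # Legitimate service host at the root level, for contrast: not flagged.
        Proc(1, r"C:\Windows\system32\svchost.exe",
             r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc", 752),
    ]


def triage(procs: list[Proc]) -> dict[str, list]:
    link_parents(procs)
    return {"masquerading": masquerading(procs),
            "hollowing": hollowing_candidates(procs)}


if __name__ == "__main__":
    for kind, hits in triage(build_sample()).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

On the constructed records every spoolsv.exe and explorer.exe instance is reported as masquerading, and the three SE-to-quoted pairs (1028/5180, 744/5412, 696/2900) come back as hollowing candidates, while the PrintWorkflow svchost.exe at level 1 is clean on both checks. In a live investigation the same two checks run against Sysmon event ID 1 (ParentImage/Image/CommandLine) rather than a sandbox tree.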
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: not reported (these are the digests of zero-length input)
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 74B
  MD5    6687785d6a31cdf9a5f80acb3abc459b
  SHA1   1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize: 2.2MB
  MD5    a86029174f2128d9f83219f0cdf94d8d
  SHA1   1f63b1d8db48abf12a644ef25df1ba79a62aee60
  SHA256 89bff4fe40bbed5bc8c4ce469c1a47a2506ac6b29e81e4dde8eee222e46610d6
  SHA512 6bdc2dd9ec3c0573170bf3c8ce3a5cd56e7143ba7fb9a73a3b2107be830d6548378d5ec8ed460a878ac62e9f68c860d162fa398cfc7ff82c89311535b487e243
- Filesize: 2.2MB
  MD5    a86001ab8ff0448c53779f1e6f7efc55
  SHA1   bc65537a809b64787660986366475b626aeed1ee
  SHA256 fc5bdcda0b47ac4785188388edbbcba199e49f95c826d7a2c47720cf68404353
  SHA512 8c0d37b886f0e9a86b6c88df20b35e295d03f5c43bdea4d511f005c8d4dfcb6ef15288842619c47d8e0aacde247916510bb53a9ab425009066d726fe6a1526fd