Analysis
- max time kernel: 126s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 13:52
Behavioral task: behavioral1
- Sample: a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe
- Size: 2.2MB
- MD5: a0e51b547ddfbed5dae19588c75672b6
- SHA1: e607979b3710e4b66e268f9df757fec8ccf450b0
- SHA256: 1b154f00dd58a78b40eb447fa0fb46f352985f804a90abb2e65c3900f8838a72
- SHA512: 84d10bda551553b279873d8e822a4461779ea0d23c36375bb6224293cbaefc47be28531157c2518c87b8057219c5eec0cbb9937b93941e16f1e3fd3ee7b1f000
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZt:0UzeyQMS4DqodCnoe+iitjWwwp
Malware Config
Extracted
- family: pony
- http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
-
Drops startup file 2 IoCs
Processes: a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe
-
Executes dropped EXE 64 IoCs
Processes: explorer.exe, spoolsv.exe
pid | process
4776 | explorer.exe
4536 | explorer.exe
3572 | spoolsv.exe
5024 | spoolsv.exe
3136 | spoolsv.exe
4944 | spoolsv.exe
688 | spoolsv.exe
3428 | spoolsv.exe
4352 | spoolsv.exe
4800 | spoolsv.exe
1740 | spoolsv.exe
4184 | spoolsv.exe
2176 | spoolsv.exe
2404 | spoolsv.exe
2624 | spoolsv.exe
748 | spoolsv.exe
1528 | spoolsv.exe
4696 | spoolsv.exe
1252 | spoolsv.exe
2112 | spoolsv.exe
1296 | spoolsv.exe
3988 | spoolsv.exe
800 | spoolsv.exe
1448 | spoolsv.exe
4564 | spoolsv.exe
3368 | spoolsv.exe
3244 | spoolsv.exe
2912 | spoolsv.exe
3084 | spoolsv.exe
4068 | spoolsv.exe
4576 | spoolsv.exe
1320 | spoolsv.exe
3716 | spoolsv.exe
3312 | spoolsv.exe
1096 | spoolsv.exe
4196 | spoolsv.exe
4232 | spoolsv.exe
2080 | explorer.exe
3388 | spoolsv.exe
3588 | spoolsv.exe
4476 | spoolsv.exe
4436 | spoolsv.exe
2620 | spoolsv.exe
3060 | spoolsv.exe
4228 | spoolsv.exe
5032 | spoolsv.exe
1624 | explorer.exe
4076 | spoolsv.exe
4896 | spoolsv.exe
1660 | spoolsv.exe
4056 | spoolsv.exe
1444 | spoolsv.exe
2024 | spoolsv.exe
5028 | explorer.exe
1016 | spoolsv.exe
4980 | spoolsv.exe
4584 | spoolsv.exe
1620 | spoolsv.exe
2288 | spoolsv.exe
2836 | explorer.exe
2052 | spoolsv.exe
400 | spoolsv.exe
2152 | spoolsv.exe
4100 | spoolsv.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
-
Suspicious use of SetThreadContext 42 IoCs
Processes: a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe, explorer.exe, spoolsv.exe
description | pid | process | target process
PID 1536 set thread context of 1976 | 1536 | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe
PID 4776 set thread context of 4536 | 4776 | explorer.exe | explorer.exe
PID 3572 set thread context of 4232 | 3572 | spoolsv.exe | spoolsv.exe
PID 5024 set thread context of 3388 | 5024 | spoolsv.exe | spoolsv.exe
PID 3136 set thread context of 3588 | 3136 | spoolsv.exe | spoolsv.exe
PID 4944 set thread context of 4476 | 4944 | spoolsv.exe | spoolsv.exe
PID 688 set thread context of 4436 | 688 | spoolsv.exe | spoolsv.exe
PID 3428 set thread context of 2620 | 3428 | spoolsv.exe | spoolsv.exe
PID 4352 set thread context of 4228 | 4352 | spoolsv.exe | spoolsv.exe
PID 4800 set thread context of 5032 | 4800 | spoolsv.exe | spoolsv.exe
PID 1740 set thread context of 4076 | 1740 | spoolsv.exe | spoolsv.exe
PID 4184 set thread context of 1660 | 4184 | spoolsv.exe | spoolsv.exe
PID 2176 set thread context of 4056 | 2176 | spoolsv.exe | spoolsv.exe
PID 2404 set thread context of 1444 | 2404 | spoolsv.exe | spoolsv.exe
PID 2624 set thread context of 2024 | 2624 | spoolsv.exe | spoolsv.exe
PID 748 set thread context of 1016 | 748 | spoolsv.exe | spoolsv.exe
PID 1528 set thread context of 4584 | 1528 | spoolsv.exe | spoolsv.exe
PID 4696 set thread context of 1620 | 4696 | spoolsv.exe | spoolsv.exe
PID 1252 set thread context of 2288 | 1252 | spoolsv.exe | spoolsv.exe
PID 2112 set thread context of 2052 | 2112 | spoolsv.exe | spoolsv.exe
PID 1296 set thread context of 2152 | 1296 | spoolsv.exe | spoolsv.exe
PID 3988 set thread context of 4100 | 3988 | spoolsv.exe | spoolsv.exe
PID 800 set thread context of 1540 | 800 | spoolsv.exe | spoolsv.exe
PID 1448 set thread context of 3820 | 1448 | spoolsv.exe | spoolsv.exe
PID 4564 set thread context of 5004 | 4564 | spoolsv.exe | spoolsv.exe
PID 3368 set thread context of 332 | 3368 | spoolsv.exe | spoolsv.exe
PID 3244 set thread context of 3200 | 3244 | spoolsv.exe | spoolsv.exe
PID 2912 set thread context of 2044 | 2912 | spoolsv.exe | spoolsv.exe
PID 3084 set thread context of 4488 | 3084 | spoolsv.exe | spoolsv.exe
PID 4068 set thread context of 2804 | 4068 | spoolsv.exe | spoolsv.exe
PID 4576 set thread context of 3560 | 4576 | spoolsv.exe | spoolsv.exe
PID 1320 set thread context of 2808 | 1320 | spoolsv.exe | spoolsv.exe
PID 3716 set thread context of 1540 | 3716 | spoolsv.exe | spoolsv.exe
PID 3312 set thread context of 4148 | 3312 | spoolsv.exe | spoolsv.exe
PID 1096 set thread context of 2172 | 1096 | spoolsv.exe | spoolsv.exe
PID 4196 set thread context of 3120 | 4196 | spoolsv.exe | spoolsv.exe
PID 2080 set thread context of 1340 | 2080 | explorer.exe | explorer.exe
PID 3060 set thread context of 1896 | 3060 | spoolsv.exe | spoolsv.exe
PID 1624 set thread context of 3408 | 1624 | explorer.exe | explorer.exe
PID 4896 set thread context of 3068 | 4896 | spoolsv.exe | spoolsv.exe
PID 5028 set thread context of 1636 | 5028 | explorer.exe | explorer.exe
PID 4980 set thread context of 3212 | 4980 | spoolsv.exe | spoolsv.exe
-
Drops file in Windows directory 64 IoCs
Processes: spoolsv.exe, explorer.exe, a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe
description | ioc | process  (×N = the same row repeated N times in a row)
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×4)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe (×2)
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×6)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×7)
File opened for modification | \??\c:\windows\system\explorer.exe | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×5)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×7)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×6)
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×5)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe (×2)
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×9)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe, explorer.exe
pid | process  (×N = the same row repeated N times in a row)
1976 | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe (×2)
4536 | explorer.exe (×62)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
pid | process
4536 | explorer.exe
-
Suspicious use of SetWindowsHookEx 64 IoCs
Processes: a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe, explorer.exe, spoolsv.exe
pid | process  (×N = the same row repeated N times in a row)
1976 | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe (×2)
4536 | explorer.exe (×4)
4232 | spoolsv.exe (×2)
3388 | spoolsv.exe (×2)
3588 | spoolsv.exe (×2)
4476 | spoolsv.exe (×2)
4436 | spoolsv.exe (×2)
2620 | spoolsv.exe (×2)
4228 | spoolsv.exe (×2)
5032 | spoolsv.exe (×2)
4076 | spoolsv.exe (×2)
1660 | spoolsv.exe (×2)
4056 | spoolsv.exe (×2)
1444 | spoolsv.exe (×2)
2024 | spoolsv.exe (×2)
1016 | spoolsv.exe (×2)
4584 | spoolsv.exe (×2)
1620 | spoolsv.exe (×2)
2288 | spoolsv.exe (×2)
2052 | spoolsv.exe (×2)
2152 | spoolsv.exe (×2)
4100 | spoolsv.exe (×2)
1540 | spoolsv.exe (×2)
3820 | spoolsv.exe (×2)
5004 | spoolsv.exe (×2)
332 | spoolsv.exe (×2)
3200 | spoolsv.exe (×2)
2044 | spoolsv.exe (×2)
4488 | spoolsv.exe (×2)
2804 | spoolsv.exe (×2)
3560 | spoolsv.exe (×2)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe, explorer.exe
description | pid | process | target process  (×N = the same row repeated N times in a row)
PID 1536 wrote to memory of 2424 | 1536 | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe | splwow64.exe (×2)
PID 1536 wrote to memory of 1976 | 1536 | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe (×5)
PID 1976 wrote to memory of 4776 | 1976 | a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe | explorer.exe (×3)
PID 4776 wrote to memory of 4536 | 4776 | explorer.exe | explorer.exe (×5)
PID 4536 wrote to memory of 3572 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 5024 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 3136 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 4944 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 688 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 3428 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 4352 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 4800 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 1740 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 4184 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 2176 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 2404 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 2624 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 748 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 1528 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 4696 | 4536 | explorer.exe | spoolsv.exe (×3)
PID 4536 wrote to memory of 1252 | 4536 | explorer.exe | spoolsv.exe
-
Processes
-
Process tree: [depth] image path | command line | PID, followed by the signatures matched by that process.
[1] C:\Users\Admin\AppData\Local\Temp\a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe" | PID:1536
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe | C:\Windows\splwow64.exe 12288 | PID:2424
  [2] C:\Users\Admin\AppData\Local\Temp\a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a0e51b547ddfbed5dae19588c75672b6_JaffaCakes118.exe" | PID:1976
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:4776
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:4536
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3572
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4232
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:2080
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:1340
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5024
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:3388
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3136
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:3588
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4944
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4476
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:688
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4436
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3428
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2620
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4352
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4228
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4800
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5032
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:1624
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:3408
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1740
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4076
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4184
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:1660
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2176
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4056
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2404
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:1444
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2624
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2024
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:5028
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:1636
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:748
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:1016
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1528
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4584
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4696
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:1620
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1252
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2288
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:2836
              - Executes dropped EXE
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:852
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2112
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2052
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1296
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2152
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3988
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4100
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:800
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:1540
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1448
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:3820
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4564
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:5004
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:4688
              [8] \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:1160
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3368
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:332
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3244
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:3200
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2912
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2044
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3084
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4488
            - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:5100
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:5448
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4068
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2804
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:4576
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:3560
            - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1320
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2808
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3716
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:1540
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3312
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:4148
        [5] \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:1096
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | "c:\windows\system\spoolsv.exe" | PID:2172
            [7] \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:2040
              - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | "c:\windows\system\explorer.exe" | PID:5592
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4196 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3120
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4608 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:6104
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3060 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1896
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:628 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4792
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4896 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3068
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4176 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4980 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3212
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5060 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:400 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4676
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5036
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4356 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4592
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:344
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1500 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5344
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5384
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4560 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5512
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:664 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6108
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4508
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3844 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5660
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3856
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5748
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4172 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5832
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2812 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5136
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4812
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4152
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5576
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:100 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4544
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4388 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5712
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3456 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5808
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3128 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5852
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5096 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2132 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2580 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1580 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:216 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4200 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4840
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:564
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1692
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2304
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5268
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5308
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:6096
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1180
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1
Downloads