Analysis
max time kernel: 148s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 13:19
Behavioral task: behavioral1
Sample: a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
Size: 2.2MB
MD5: a0ce184b5de26ba2cf743514cd8cd70a
SHA1: 87a1cccf5b566f4e6e789f0f00ac2a2f48b17a9d
SHA256: 13dc4cef9195c5b13f08596f0b50b81a0dbe49255c7e4ba51705c8a68964dacc
SHA512: b6bea7853849d5b65eee49b5138bcbee963fca7fb2fe3680a66313ea82735e13cb4eff7e11763ead939fda45948b014ae1d685aa88457421dc3e6f19bb1fb57f
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZA:0UzeyQMS4DqodCnoe+iitjWwwc
Malware Config
Extracted
Family: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (2 IoCs)
Processes: a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Processes: explorer.exe, spoolsv.exe
pid | process
4668 | explorer.exe
1792 | explorer.exe
1376 | spoolsv.exe
3632 | spoolsv.exe
4876 | spoolsv.exe
2028 | spoolsv.exe
2856 | spoolsv.exe
4260 | spoolsv.exe
2752 | spoolsv.exe
64 | spoolsv.exe
2992 | spoolsv.exe
4280 | spoolsv.exe
2180 | spoolsv.exe
3772 | spoolsv.exe
1696 | spoolsv.exe
4520 | spoolsv.exe
984 | spoolsv.exe
888 | spoolsv.exe
4872 | spoolsv.exe
1576 | spoolsv.exe
456 | spoolsv.exe
3980 | spoolsv.exe
3208 | spoolsv.exe
5116 | spoolsv.exe
5092 | spoolsv.exe
4984 | spoolsv.exe
2332 | spoolsv.exe
3896 | spoolsv.exe
2296 | spoolsv.exe
1284 | spoolsv.exe
3244 | spoolsv.exe
432 | spoolsv.exe
3168 | spoolsv.exe
3788 | explorer.exe
4900 | spoolsv.exe
2132 | spoolsv.exe
396 | spoolsv.exe
952 | spoolsv.exe
1888 | spoolsv.exe
3220 | spoolsv.exe
404 | spoolsv.exe
1804 | explorer.exe
2820 | spoolsv.exe
3196 | spoolsv.exe
656 | spoolsv.exe
1476 | spoolsv.exe
1644 | spoolsv.exe
3816 | spoolsv.exe
2844 | explorer.exe
4104 | spoolsv.exe
1324 | spoolsv.exe
1488 | spoolsv.exe
2964 | spoolsv.exe
3228 | spoolsv.exe
2596 | explorer.exe
3256 | spoolsv.exe
4456 | spoolsv.exe
1332 | spoolsv.exe
3812 | spoolsv.exe
4948 | spoolsv.exe
1016 | spoolsv.exe
4628 | explorer.exe
384 | spoolsv.exe
1944 | spoolsv.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext (57 IoCs)
Processes: a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe, explorer.exe, spoolsv.exe
description | pid | process | target process
PID 4684 set thread context of 2116 | 4684 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
PID 4668 set thread context of 1792 | 4668 | explorer.exe | explorer.exe
PID 1376 set thread context of 3168 | 1376 | spoolsv.exe | spoolsv.exe
PID 3632 set thread context of 2132 | 3632 | spoolsv.exe | spoolsv.exe
PID 4876 set thread context of 396 | 4876 | spoolsv.exe | spoolsv.exe
PID 2028 set thread context of 952 | 2028 | spoolsv.exe | spoolsv.exe
PID 2856 set thread context of 1888 | 2856 | spoolsv.exe | spoolsv.exe
PID 4260 set thread context of 404 | 4260 | spoolsv.exe | spoolsv.exe
PID 2752 set thread context of 2820 | 2752 | spoolsv.exe | spoolsv.exe
PID 64 set thread context of 3196 | 64 | spoolsv.exe | spoolsv.exe
PID 2992 set thread context of 656 | 2992 | spoolsv.exe | spoolsv.exe
PID 4280 set thread context of 1644 | 4280 | spoolsv.exe | spoolsv.exe
PID 2180 set thread context of 3816 | 2180 | spoolsv.exe | spoolsv.exe
PID 3772 set thread context of 4104 | 3772 | spoolsv.exe | spoolsv.exe
PID 1696 set thread context of 1324 | 1696 | spoolsv.exe | spoolsv.exe
PID 4520 set thread context of 1488 | 4520 | spoolsv.exe | spoolsv.exe
PID 984 set thread context of 3228 | 984 | spoolsv.exe | spoolsv.exe
PID 888 set thread context of 3256 | 888 | spoolsv.exe | spoolsv.exe
PID 4872 set thread context of 4456 | 4872 | spoolsv.exe | spoolsv.exe
PID 1576 set thread context of 1332 | 1576 | spoolsv.exe | spoolsv.exe
PID 456 set thread context of 4948 | 456 | spoolsv.exe | spoolsv.exe
PID 3980 set thread context of 1016 | 3980 | spoolsv.exe | spoolsv.exe
PID 3208 set thread context of 384 | 3208 | spoolsv.exe | spoolsv.exe
PID 5116 set thread context of 1944 | 5116 | spoolsv.exe | spoolsv.exe
PID 5092 set thread context of 5068 | 5092 | spoolsv.exe | spoolsv.exe
PID 4984 set thread context of 4408 | 4984 | spoolsv.exe | spoolsv.exe
PID 2332 set thread context of 1008 | 2332 | spoolsv.exe | spoolsv.exe
PID 3896 set thread context of 672 | 3896 | spoolsv.exe | spoolsv.exe
PID 2296 set thread context of 1388 | 2296 | spoolsv.exe | spoolsv.exe
PID 1284 set thread context of 1300 | 1284 | spoolsv.exe | spoolsv.exe
PID 3244 set thread context of 1328 | 3244 | spoolsv.exe | spoolsv.exe
PID 432 set thread context of 3104 | 432 | spoolsv.exe | spoolsv.exe
PID 3788 set thread context of 3076 | 3788 | explorer.exe | explorer.exe
PID 4900 set thread context of 3488 | 4900 | spoolsv.exe | spoolsv.exe
PID 3220 set thread context of 1868 | 3220 | spoolsv.exe | spoolsv.exe
PID 1804 set thread context of 4532 | 1804 | explorer.exe | explorer.exe
PID 1476 set thread context of 4212 | 1476 | spoolsv.exe | spoolsv.exe
PID 2844 set thread context of 2680 | 2844 | explorer.exe | explorer.exe
PID 2964 set thread context of 4436 | 2964 | spoolsv.exe | spoolsv.exe
PID 2596 set thread context of 5020 | 2596 | explorer.exe | explorer.exe
PID 3812 set thread context of 4056 | 3812 | spoolsv.exe | spoolsv.exe
PID 4628 set thread context of 1600 | 4628 | explorer.exe | explorer.exe
PID 4332 set thread context of 4276 | 4332 | spoolsv.exe | spoolsv.exe
PID 2140 set thread context of 4392 | 2140 | explorer.exe | explorer.exe
PID 440 set thread context of 3112 | 440 | spoolsv.exe | spoolsv.exe
PID 4940 set thread context of 2008 | 4940 | explorer.exe | explorer.exe
PID 4592 set thread context of 4892 | 4592 | spoolsv.exe | spoolsv.exe
PID 4788 set thread context of 3420 | 4788 | explorer.exe | explorer.exe
PID 4968 set thread context of 1544 | 4968 | spoolsv.exe | spoolsv.exe
PID 3624 set thread context of 4676 | 3624 | spoolsv.exe | spoolsv.exe
PID 4528 set thread context of 4932 | 4528 | spoolsv.exe | spoolsv.exe
PID 4252 set thread context of 3412 | 4252 | explorer.exe | explorer.exe
PID 2304 set thread context of 2232 | 2304 | spoolsv.exe | spoolsv.exe
PID 704 set thread context of 2928 | 704 | spoolsv.exe | spoolsv.exe
PID 4944 set thread context of 4704 | 4944 | explorer.exe | explorer.exe
PID 2672 set thread context of 2832 | 2672 | spoolsv.exe | spoolsv.exe
PID 2812 set thread context of 2352 | 2812 | spoolsv.exe | spoolsv.exe
Drops file in Windows directory (64 IoCs)
Processes: explorer.exe, spoolsv.exe, a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe, explorer.exe
pid | process
2116 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
2116 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
1792 | explorer.exe (the remaining 62 of the 64 rows are all this entry)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: explorer.exe
pid | process
1792 | explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Processes: a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe, explorer.exe, spoolsv.exe
pid | process
2116 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
2116 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
1792 | explorer.exe
1792 | explorer.exe
1792 | explorer.exe
1792 | explorer.exe
3168 | spoolsv.exe
3168 | spoolsv.exe
2132 | spoolsv.exe
2132 | spoolsv.exe
396 | spoolsv.exe
396 | spoolsv.exe
952 | spoolsv.exe
952 | spoolsv.exe
1888 | spoolsv.exe
1888 | spoolsv.exe
404 | spoolsv.exe
404 | spoolsv.exe
2820 | spoolsv.exe
2820 | spoolsv.exe
3196 | spoolsv.exe
3196 | spoolsv.exe
656 | spoolsv.exe
656 | spoolsv.exe
1644 | spoolsv.exe
1644 | spoolsv.exe
3816 | spoolsv.exe
3816 | spoolsv.exe
4104 | spoolsv.exe
4104 | spoolsv.exe
1324 | spoolsv.exe
1324 | spoolsv.exe
1488 | spoolsv.exe
1488 | spoolsv.exe
3228 | spoolsv.exe
3228 | spoolsv.exe
3256 | spoolsv.exe
3256 | spoolsv.exe
4456 | spoolsv.exe
4456 | spoolsv.exe
1332 | spoolsv.exe
1332 | spoolsv.exe
4948 | spoolsv.exe
4948 | spoolsv.exe
1016 | spoolsv.exe
1016 | spoolsv.exe
384 | spoolsv.exe
384 | spoolsv.exe
1944 | spoolsv.exe
1944 | spoolsv.exe
5068 | spoolsv.exe
5068 | spoolsv.exe
4408 | spoolsv.exe
4408 | spoolsv.exe
1008 | spoolsv.exe
1008 | spoolsv.exe
672 | spoolsv.exe
672 | spoolsv.exe
1388 | spoolsv.exe
1388 | spoolsv.exe
1300 | spoolsv.exe
1300 | spoolsv.exe
1328 | spoolsv.exe
1328 | spoolsv.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe, explorer.exe
description | pid | process | target process
PID 4684 wrote to memory of 3280 | 4684 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | splwow64.exe
PID 4684 wrote to memory of 3280 | 4684 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | splwow64.exe
PID 4684 wrote to memory of 2116 | 4684 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
PID 4684 wrote to memory of 2116 | 4684 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
PID 4684 wrote to memory of 2116 | 4684 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
PID 4684 wrote to memory of 2116 | 4684 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
PID 4684 wrote to memory of 2116 | 4684 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
PID 2116 wrote to memory of 4668 | 2116 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | explorer.exe
PID 2116 wrote to memory of 4668 | 2116 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | explorer.exe
PID 2116 wrote to memory of 4668 | 2116 | a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe | explorer.exe
PID 4668 wrote to memory of 1792 | 4668 | explorer.exe | explorer.exe
PID 4668 wrote to memory of 1792 | 4668 | explorer.exe | explorer.exe
PID 4668 wrote to memory of 1792 | 4668 | explorer.exe | explorer.exe
PID 4668 wrote to memory of 1792 | 4668 | explorer.exe | explorer.exe
PID 4668 wrote to memory of 1792 | 4668 | explorer.exe | explorer.exe
PID 1792 wrote to memory of 1376 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 1376 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 1376 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 3632 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 3632 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 3632 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4876 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4876 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4876 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2028 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2028 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2028 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2856 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2856 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2856 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4260 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4260 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4260 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2752 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2752 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2752 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 64 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 64 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 64 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2992 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2992 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2992 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4280 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4280 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4280 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2180 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2180 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 2180 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 3772 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 3772 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 3772 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 1696 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 1696 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 1696 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4520 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4520 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4520 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 984 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 984 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 984 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 888 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 888 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 888 | 1792 | explorer.exe | spoolsv.exe
PID 1792 wrote to memory of 4872 | 1792 | explorer.exe | spoolsv.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe"
  PID: 4684
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\splwow64.exe
    command line: C:\Windows\splwow64.exe 12288
    PID: 3280
  [depth 2] C:\Users\Admin\AppData\Local\Temp\a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a0ce184b5de26ba2cf743514cd8cd70a_JaffaCakes118.exe"
    PID: 2116
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 3] \??\c:\windows\system\explorer.exe
      command line: c:\windows\system\explorer.exe
      PID: 4668
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      [depth 4] \??\c:\windows\system\explorer.exe
        command line: "c:\windows\system\explorer.exe"
        PID: 1792
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 1376
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 3168
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [depth 7] \??\c:\windows\system\explorer.exe
              command line: c:\windows\system\explorer.exe
              PID: 3788
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              [depth 8] \??\c:\windows\system\explorer.exe
                command line: "c:\windows\system\explorer.exe"
                PID: 3076
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 3632
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 2132
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 4876
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 396
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 2028
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 952
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 2856
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 1888
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 4260
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 404
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [depth 7] \??\c:\windows\system\explorer.exe
              command line: c:\windows\system\explorer.exe
              PID: 1804
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              [depth 8] \??\c:\windows\system\explorer.exe
                command line: "c:\windows\system\explorer.exe"
                PID: 4532
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 2752
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 2820
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 64
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 3196
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 2992
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 656
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 4280
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 1644
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 2180
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 3816
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [depth 7] \??\c:\windows\system\explorer.exe
              command line: c:\windows\system\explorer.exe
              PID: 2844
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              [depth 8] \??\c:\windows\system\explorer.exe
                command line: "c:\windows\system\explorer.exe"
                PID: 2680
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 3772
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 4104
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 1696
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 1324
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 4520
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 1488
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 984
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 3228
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [depth 7] \??\c:\windows\system\explorer.exe
              command line: c:\windows\system\explorer.exe
              PID: 2596
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              [depth 8] \??\c:\windows\system\explorer.exe
                command line: "c:\windows\system\explorer.exe"
                PID: 5020
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 888
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 3256
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 4872
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 4456
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 1576
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 1332
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 456
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 4948
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 3980
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 1016
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [depth 7] \??\c:\windows\system\explorer.exe
              command line: c:\windows\system\explorer.exe
              PID: 4628
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              [depth 8] \??\c:\windows\system\explorer.exe
                command line: "c:\windows\system\explorer.exe"
                PID: 1600
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 3208
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 384
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 5116
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [depth 6] \??\c:\windows\system\spoolsv.exe
            command line: "c:\windows\system\spoolsv.exe"
            PID: 1944
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe SE
          PID: 5092
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:5068 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4984 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4408 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2140 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4392
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2332 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:1008 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3896 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:672 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2296 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:1388 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1284 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:1300 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3244 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:1328 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4940 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2008
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:432 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3104
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4788 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3420
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4900 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3488
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
PID:4252 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3412
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3220 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1868
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
PID:4944 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4704
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1476 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4212
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3976 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2964 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4436
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4396 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3812 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4056
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4344 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4332 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4276
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:1760 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:440 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3112
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4592 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4892
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4268 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4968 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1544
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3624 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4676
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:4528 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4932
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2304 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2232
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:216 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:704 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2928
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:772
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2672 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2832
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2812 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2352
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5036 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2476 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4936
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2572 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3736 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4864 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2496
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1568 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2112 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4320 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2252 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4552
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:676 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1584
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4132
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:3288
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads