Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 13:39
Behavioral task: behavioral1
Sample: a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe
Size: 2.2MB
MD5: a0db29d8b89fbf87d87b22b7032dd3cb
SHA1: 9b6502583f4f7c873cd0e67cf4c920c914b88f19
SHA256: edcd8bd81be139fdaf2b7fb2318cf91f72e169f0577de633c0ed82020cdb40dc
SHA512: 32376aba3fa5922f219833be0aa8d99f3dac5fc91bfda7523f93604fc858f8b361e1a6867408e46f2c27452028a9a2a43bd286af8b6ae60a64edd107cf439af1
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZY:0UzeyQMS4DqodCnoe+iitjWwws
Malware Config
Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe
Executes dropped EXE 64 IoCs
Processes:
pid | process
1616 | explorer.exe
3428 | explorer.exe
3752 | spoolsv.exe
728 | spoolsv.exe
4872 | spoolsv.exe
3884 | spoolsv.exe
2044 | spoolsv.exe
3460 | spoolsv.exe
2960 | spoolsv.exe
5068 | spoolsv.exe
1920 | spoolsv.exe
924 | spoolsv.exe
3064 | spoolsv.exe
4892 | spoolsv.exe
4332 | spoolsv.exe
2812 | spoolsv.exe
1668 | spoolsv.exe
3720 | spoolsv.exe
3988 | spoolsv.exe
3728 | spoolsv.exe
4740 | spoolsv.exe
3308 | spoolsv.exe
4632 | spoolsv.exe
3020 | spoolsv.exe
1584 | spoolsv.exe
3636 | spoolsv.exe
1784 | spoolsv.exe
2052 | spoolsv.exe
4004 | spoolsv.exe
1492 | spoolsv.exe
2864 | spoolsv.exe
1508 | spoolsv.exe
2532 | spoolsv.exe
684 | spoolsv.exe
4272 | spoolsv.exe
4716 | spoolsv.exe
540 | spoolsv.exe
2236 | spoolsv.exe
5060 | spoolsv.exe
2396 | explorer.exe
1104 | spoolsv.exe
3104 | spoolsv.exe
2296 | spoolsv.exe
688 | spoolsv.exe
764 | spoolsv.exe
3240 | spoolsv.exe
4776 | spoolsv.exe
2336 | spoolsv.exe
4760 | explorer.exe
1436 | spoolsv.exe
4852 | spoolsv.exe
3228 | spoolsv.exe
872 | spoolsv.exe
2688 | spoolsv.exe
4076 | spoolsv.exe
3592 | spoolsv.exe
1296 | spoolsv.exe
4512 | spoolsv.exe
2452 | spoolsv.exe
1624 | explorer.exe
2028 | spoolsv.exe
5092 | spoolsv.exe
1500 | spoolsv.exe
744 | spoolsv.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext 57 IoCs
Processes:
description | pid | process | target process
PID 3960 set thread context of 4276 | 3960 | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe
PID 1616 set thread context of 3428 | 1616 | explorer.exe | explorer.exe
PID 3752 set thread context of 5060 | 3752 | spoolsv.exe | spoolsv.exe
PID 728 set thread context of 1104 | 728 | spoolsv.exe | spoolsv.exe
PID 4872 set thread context of 3104 | 4872 | spoolsv.exe | spoolsv.exe
PID 3884 set thread context of 2296 | 3884 | spoolsv.exe | spoolsv.exe
PID 2044 set thread context of 688 | 2044 | spoolsv.exe | spoolsv.exe
PID 3460 set thread context of 764 | 3460 | spoolsv.exe | spoolsv.exe
PID 2960 set thread context of 4776 | 2960 | spoolsv.exe | spoolsv.exe
PID 5068 set thread context of 2336 | 5068 | spoolsv.exe | spoolsv.exe
PID 1920 set thread context of 1436 | 1920 | spoolsv.exe | spoolsv.exe
PID 924 set thread context of 4852 | 924 | spoolsv.exe | spoolsv.exe
PID 3064 set thread context of 3228 | 3064 | spoolsv.exe | spoolsv.exe
PID 4892 set thread context of 872 | 4892 | spoolsv.exe | spoolsv.exe
PID 4332 set thread context of 2688 | 4332 | spoolsv.exe | spoolsv.exe
PID 2812 set thread context of 4076 | 2812 | spoolsv.exe | spoolsv.exe
PID 1668 set thread context of 3592 | 1668 | spoolsv.exe | spoolsv.exe
PID 3720 set thread context of 4512 | 3720 | spoolsv.exe | spoolsv.exe
PID 3988 set thread context of 2452 | 3988 | spoolsv.exe | spoolsv.exe
PID 3728 set thread context of 2028 | 3728 | spoolsv.exe | spoolsv.exe
PID 4740 set thread context of 5092 | 4740 | spoolsv.exe | spoolsv.exe
PID 3308 set thread context of 1500 | 3308 | spoolsv.exe | spoolsv.exe
PID 4632 set thread context of 744 | 4632 | spoolsv.exe | spoolsv.exe
PID 3020 set thread context of 4080 | 3020 | spoolsv.exe | spoolsv.exe
PID 1584 set thread context of 4400 | 1584 | spoolsv.exe | spoolsv.exe
PID 3636 set thread context of 2932 | 3636 | spoolsv.exe | spoolsv.exe
PID 1784 set thread context of 4360 | 1784 | spoolsv.exe | spoolsv.exe
PID 2052 set thread context of 1912 | 2052 | spoolsv.exe | spoolsv.exe
PID 4004 set thread context of 4224 | 4004 | spoolsv.exe | spoolsv.exe
PID 1492 set thread context of 4848 | 1492 | spoolsv.exe | spoolsv.exe
PID 2864 set thread context of 436 | 2864 | spoolsv.exe | spoolsv.exe
PID 1508 set thread context of 1600 | 1508 | spoolsv.exe | spoolsv.exe
PID 2532 set thread context of 5036 | 2532 | spoolsv.exe | spoolsv.exe
PID 684 set thread context of 2576 | 684 | spoolsv.exe | spoolsv.exe
PID 4272 set thread context of 4896 | 4272 | spoolsv.exe | spoolsv.exe
PID 4716 set thread context of 1072 | 4716 | spoolsv.exe | spoolsv.exe
PID 540 set thread context of 3252 | 540 | spoolsv.exe | spoolsv.exe
PID 2236 set thread context of 3280 | 2236 | spoolsv.exe | spoolsv.exe
PID 2396 set thread context of 928 | 2396 | explorer.exe | explorer.exe
PID 3240 set thread context of 1336 | 3240 | spoolsv.exe | spoolsv.exe
PID 4760 set thread context of 892 | 4760 | explorer.exe | explorer.exe
PID 1296 set thread context of 4800 | 1296 | spoolsv.exe | spoolsv.exe
PID 1624 set thread context of 5080 | 1624 | explorer.exe | explorer.exe
PID 1228 set thread context of 2608 | 1228 | spoolsv.exe | spoolsv.exe
PID 3540 set thread context of 3852 | 3540 | explorer.exe | explorer.exe
PID 4816 set thread context of 1688 | 4816 | spoolsv.exe | spoolsv.exe
PID 1852 set thread context of 404 | 1852 | explorer.exe | explorer.exe
PID 4228 set thread context of 2624 | 4228 | spoolsv.exe | spoolsv.exe
PID 4320 set thread context of 2008 | 4320 | explorer.exe | explorer.exe
PID 1848 set thread context of 1496 | 1848 | spoolsv.exe | spoolsv.exe
PID 3416 set thread context of 1076 | 3416 | spoolsv.exe | spoolsv.exe
PID 5000 set thread context of 4468 | 5000 | spoolsv.exe | spoolsv.exe
PID 3608 set thread context of 2832 | 3608 | explorer.exe | explorer.exe
PID 2152 set thread context of 4812 | 2152 | spoolsv.exe | spoolsv.exe
PID 4352 set thread context of 5064 | 4352 | spoolsv.exe | spoolsv.exe
PID 4928 set thread context of 1856 | 4928 | spoolsv.exe | spoolsv.exe
PID 2564 set thread context of 4564 | 2564 | spoolsv.exe | spoolsv.exe
Drops file in Windows directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x2)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x3)
File opened for modification | \??\c:\windows\system\explorer.exe | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x3)
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x2)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x2)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x3)
File opened for modification | C:\Windows\Parameters.ini | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x3)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x9)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x3)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x8)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (x14)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4276 | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe (x2)
3428 | explorer.exe (x62)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3428 | explorer.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
pid | process
4276 | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe (x2)
3428 | explorer.exe (x4)
5060 | spoolsv.exe (x2)
1104 | spoolsv.exe (x2)
3104 | spoolsv.exe (x2)
2296 | spoolsv.exe (x2)
688 | spoolsv.exe (x2)
764 | spoolsv.exe (x2)
4776 | spoolsv.exe (x2)
2336 | spoolsv.exe (x2)
1436 | spoolsv.exe (x2)
4852 | spoolsv.exe (x2)
3228 | spoolsv.exe (x2)
872 | spoolsv.exe (x2)
2688 | spoolsv.exe (x2)
4076 | spoolsv.exe (x2)
3592 | spoolsv.exe (x2)
4512 | spoolsv.exe (x2)
2452 | spoolsv.exe (x2)
2028 | spoolsv.exe (x2)
5092 | spoolsv.exe (x2)
1500 | spoolsv.exe (x2)
744 | spoolsv.exe (x2)
4080 | spoolsv.exe (x2)
4400 | spoolsv.exe (x2)
2932 | spoolsv.exe (x2)
4360 | spoolsv.exe (x2)
1912 | spoolsv.exe (x2)
4224 | spoolsv.exe (x2)
4848 | spoolsv.exe (x2)
436 | spoolsv.exe (x2)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3960 wrote to memory of 1520 | 3960 | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe | splwow64.exe (x2)
PID 3960 wrote to memory of 4276 | 3960 | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe (x5)
PID 4276 wrote to memory of 1616 | 4276 | a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe | explorer.exe (x3)
PID 1616 wrote to memory of 3428 | 1616 | explorer.exe | explorer.exe (x5)
PID 3428 wrote to memory of 3752 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 728 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 4872 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 3884 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 2044 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 3460 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 2960 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 5068 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 1920 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 924 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 3064 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 4892 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 4332 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 2812 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 1668 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 3720 | 3428 | explorer.exe | spoolsv.exe (x3)
PID 3428 wrote to memory of 3988 | 3428 | explorer.exe | spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0db29d8b89fbf87d87b22b7032dd3cb_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3752 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5060 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2396 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:728 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1104 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4872 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3104 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3884 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2296 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2044 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3460 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:764 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2960 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4776 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5068 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2336 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4760 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:892
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1920 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1436 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:924 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4852 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3064 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3228 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4892 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:872 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4332 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2688 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2812 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4076 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1668 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3592 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3720 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4512 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3988 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2452 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1624 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3728 -
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 2028 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4740 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 5092 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 3308 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 1500 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4632 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 744 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 3020 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4080 | Suspicious use of SetWindowsHookEx
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 3540 | Suspicious use of SetThreadContext; Drops file in Windows directory
      [L8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe" | PID 3852
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1584 | Executes dropped EXE; Suspicious use of SetThreadContext
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4400 | Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 3636 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 2932 | Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1784 | Executes dropped EXE; Suspicious use of SetThreadContext
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4360 | Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2052 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 1912 | Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4004 | Executes dropped EXE; Suspicious use of SetThreadContext
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4224 | Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1492 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4848 | Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2864 | Executes dropped EXE; Suspicious use of SetThreadContext
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 436 | Suspicious use of SetWindowsHookEx
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1508 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 1600
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 1852 | Suspicious use of SetThreadContext
      [L8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe" | PID 404
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2532 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 5036
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 684 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 2576
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4272 | Executes dropped EXE; Suspicious use of SetThreadContext
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4896
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4716 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 1072
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 540 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 3252
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 4320 | Suspicious use of SetThreadContext; Drops file in Windows directory
      [L8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe" | PID 2008
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2236 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 3280
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 3608 | Suspicious use of SetThreadContext; Drops file in Windows directory
      [L8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe" | PID 2832
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 3240 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 1336
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 3832
      [L8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe" | PID 4552
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1296 | Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4800
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 1692
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1228 | Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 2608
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 3180
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4816 | Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 1688
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 2448
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4228 | Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 2624
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1848 | Suspicious use of SetThreadContext
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 1496
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 3416 | Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 1076
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 5076 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 5000 | Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4468
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 4052 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2152 | Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4812
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4352 | Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 5064
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 2752
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4928 | Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 1856
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2564 | Suspicious use of SetThreadContext; Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4564
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 4256
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1324 | Drops file in Windows directory
  [L6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe" | PID 4664
    [L7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe | PID 5044
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 388 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 3672 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 5016
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1808 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4392 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4380 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1428
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 1792 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4836 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4072
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2240
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2480 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 4008
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 3576 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2348 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 392 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 180
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2428 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 736 | Drops file in Windows directory
[L5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE | PID 2648
[L1] C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc | PID 4312
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads