Analysis

max time kernel: 143s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 14:43

Behavioral task: behavioral1
Sample: a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe
Resource: win7-20240508-en

General

Target: a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe
Size: 2.2MB
MD5: a1075d1420f112b8cfc2e556a8ec0722
SHA1: e3e3ec5da2c5ac686dfb28788de97982b2dae0e7
SHA256: e42ed6031f4743376c1b58d54e5132564b07767dcd1f0b1b697d696fe4215df4
SHA512: 1714709ca90523a391ac02611a7c032d59fb3a76433ec0c4d3cc4dad32afac394575a470085afbb236762e77a0b5a3102c06d49784c2e9a803e242e97ee2cfa9
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZO:0UzeyQMS4DqodCnoe+iitjWwwy

Malware Config

Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"

Drops startup file (2 IoCs)
  a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe
  a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe

Executes dropped EXE (64 IoCs)
  pid process (in order observed):
  4652 explorer.exe, 4336 explorer.exe, 1168 spoolsv.exe, 4196 spoolsv.exe, 3000 spoolsv.exe, 4636 spoolsv.exe, 4368 spoolsv.exe, 4908 spoolsv.exe,
  1728 spoolsv.exe, 3648 spoolsv.exe, 1136 spoolsv.exe, 4660 spoolsv.exe, 1832 spoolsv.exe, 4868 spoolsv.exe, 1624 spoolsv.exe, 3128 spoolsv.exe,
  2456 spoolsv.exe, 3260 spoolsv.exe, 3984 spoolsv.exe, 1980 spoolsv.exe, 1616 spoolsv.exe, 1596 spoolsv.exe, 5072 spoolsv.exe, 2060 spoolsv.exe,
  4132 spoolsv.exe, 5084 spoolsv.exe, 3108 spoolsv.exe, 3568 spoolsv.exe, 3956 spoolsv.exe, 5104 spoolsv.exe, 4848 spoolsv.exe, 856 spoolsv.exe,
  1988 explorer.exe, 1400 spoolsv.exe, 2832 spoolsv.exe, 3448 spoolsv.exe, 860 spoolsv.exe, 4540 spoolsv.exe, 916 spoolsv.exe, 4340 spoolsv.exe,
  4600 spoolsv.exe, 3596 explorer.exe, 4168 spoolsv.exe, 3388 spoolsv.exe, 2084 spoolsv.exe, 1044 spoolsv.exe, 4692 spoolsv.exe, 2824 spoolsv.exe,
  408 spoolsv.exe, 5004 explorer.exe, 4028 spoolsv.exe, 4160 spoolsv.exe, 4424 spoolsv.exe, 3952 spoolsv.exe, 1392 spoolsv.exe, 3812 explorer.exe,
  2992 spoolsv.exe, 4064 spoolsv.exe, 1036 spoolsv.exe, 1028 spoolsv.exe, 5008 explorer.exe, 1536 spoolsv.exe, 4900 spoolsv.exe, 660 spoolsv.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"

Suspicious use of SetThreadContext (49 IoCs)
  source pid process -> target pid process:
  1540 a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe -> 3104 a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe
  4652 explorer.exe -> 4336 explorer.exe
  1168 spoolsv.exe -> 856 spoolsv.exe
  4196 spoolsv.exe -> 2832 spoolsv.exe
  3000 spoolsv.exe -> 3448 spoolsv.exe
  4636 spoolsv.exe -> 860 spoolsv.exe
  4368 spoolsv.exe -> 4540 spoolsv.exe
  4908 spoolsv.exe -> 916 spoolsv.exe
  1728 spoolsv.exe -> 4600 spoolsv.exe
  3648 spoolsv.exe -> 4168 spoolsv.exe
  1136 spoolsv.exe -> 3388 spoolsv.exe
  4660 spoolsv.exe -> 2084 spoolsv.exe
  1832 spoolsv.exe -> 1044 spoolsv.exe
  4868 spoolsv.exe -> 2824 spoolsv.exe
  1624 spoolsv.exe -> 408 spoolsv.exe
  3128 spoolsv.exe -> 4028 spoolsv.exe
  2456 spoolsv.exe -> 4160 spoolsv.exe
  3260 spoolsv.exe -> 3952 spoolsv.exe
  3984 spoolsv.exe -> 1392 spoolsv.exe
  1980 spoolsv.exe -> 2992 spoolsv.exe
  1616 spoolsv.exe -> 1036 spoolsv.exe
  1596 spoolsv.exe -> 1028 spoolsv.exe
  5072 spoolsv.exe -> 1536 spoolsv.exe
  2060 spoolsv.exe -> 4900 spoolsv.exe
  4132 spoolsv.exe -> 2416 spoolsv.exe
  5084 spoolsv.exe -> 2612 spoolsv.exe
  3108 spoolsv.exe -> 4872 spoolsv.exe
  3568 spoolsv.exe -> 3356 spoolsv.exe
  3956 spoolsv.exe -> 4572 spoolsv.exe
  5104 spoolsv.exe -> 2464 spoolsv.exe
  4848 spoolsv.exe -> 1020 spoolsv.exe
  1988 explorer.exe -> 3512 explorer.exe
  1400 spoolsv.exe -> 4536 spoolsv.exe
  4340 spoolsv.exe -> 1484 spoolsv.exe
  3596 explorer.exe -> 4604 explorer.exe
  4692 spoolsv.exe -> 2560 spoolsv.exe
  5004 explorer.exe -> 4940 explorer.exe
  4424 spoolsv.exe -> 4300 spoolsv.exe
  3812 explorer.exe -> 752 explorer.exe
  4064 spoolsv.exe -> 3844 spoolsv.exe
  5008 explorer.exe -> 2716 explorer.exe
  660 spoolsv.exe -> 4080 spoolsv.exe
  1620 explorer.exe -> 2504 explorer.exe
  1072 spoolsv.exe -> 4556 spoolsv.exe
  3604 explorer.exe -> 2112 explorer.exe
  1016 spoolsv.exe -> 2884 spoolsv.exe
  4304 spoolsv.exe -> 384 spoolsv.exe
  4460 spoolsv.exe -> 2648 spoolsv.exe
  3264 spoolsv.exe -> 3736 spoolsv.exe

Drops file in Windows directory (64 IoCs, grouped by file and process)
  File opened for modification C:\Windows\Parameters.ini: spoolsv.exe (46 events), explorer.exe (13 events), a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe (1 event)
  File opened for modification \??\c:\windows\system\spoolsv.exe: explorer.exe
  File opened for modification C:\Windows\system\udsys.exe: explorer.exe
  File opened for modification \??\c:\windows\system\explorer.exe: explorer.exe
  File opened for modification \??\c:\windows\system\explorer.exe: a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  3104 a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe (2 events)
  4336 explorer.exe (62 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  4336 explorer.exe

Suspicious use of SetWindowsHookEx (64 IoCs)
  3104 a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe (2 events)
  4336 explorer.exe (4 events)
  2 events each for spoolsv.exe pids: 856, 2832, 3448, 860, 4540, 916, 4600, 4168, 3388, 2084, 1044, 2824, 408, 4028, 4160, 3952, 1392, 2992, 1036, 1028, 1536, 4900, 2416, 2612, 4872, 3356, 4572, 2464, 1020

Suspicious use of WriteProcessMemory (64 IoCs)
  source pid process -> target pid process (event count):
  1540 a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe -> 1652 splwow64.exe (2)
  1540 a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe -> 3104 a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe (5)
  3104 a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe -> 4652 explorer.exe (3)
  4652 explorer.exe -> 4336 explorer.exe (5)
  4336 explorer.exe -> spoolsv.exe, 3 events each for target pids: 1168, 4196, 3000, 4636, 4368, 4908, 1728, 3648, 1136, 4660, 1832, 4868, 1624, 3128, 2456, 3260
  4336 explorer.exe -> 3984 spoolsv.exe (1)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1075d1420f112b8cfc2e556a8ec0722_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1168 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:856 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1988 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3512
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4196 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2832 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3000 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3448 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4636 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:860 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4368 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4540 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4908 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:916 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1728 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4600 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3596 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4604
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3648 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4168 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1136 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3388 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4660 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2084 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1832 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1044 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4868 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2824 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1624 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:408 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5004 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4940
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3128 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4028 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2456 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4160 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3260 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3952 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3984 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1392 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3812 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:752
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1980 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2992 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1616 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1036 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1596 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1028 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5008 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2716
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5072 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1536 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2060 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4900 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4132 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2416 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1620 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2504
-
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- PID: 5084
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- Suspicious use of SetWindowsHookEx
- PID: 2612
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- PID: 3108
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- Suspicious use of SetWindowsHookEx
- PID: 4872
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 3568
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- Suspicious use of SetWindowsHookEx
- PID: 3356
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 3956
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- Suspicious use of SetWindowsHookEx
- PID: 4572
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 3604
image: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | depth: 8
- PID: 2112
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 5104
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- Suspicious use of SetWindowsHookEx
- PID: 2464
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 4848
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- Suspicious use of SetWindowsHookEx
- PID: 1020
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- PID: 3608
image: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | depth: 8
- PID: 4724
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 1400
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 4536
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- Drops file in Windows directory
- PID: 4528
image: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | depth: 8
- PID: 1280
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 4340
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 1484
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- Drops file in Windows directory
- PID: 876
image: \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | depth: 8
- PID: 2132
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 4692
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 2560
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- Drops file in Windows directory
- PID: 4796
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 4424
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 4300
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- Drops file in Windows directory
- PID: 2396
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 4064
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 3844
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- Drops file in Windows directory
- PID: 1132
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 660
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 4080
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- PID: 5016
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 1072
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 4556
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- PID: 952
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 1016
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 2884
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 4304
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 384
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 4460
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 2648
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- PID: 3264
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 3736
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- PID: 3872
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 1668
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 2668
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- PID: 3828
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 4320
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- PID: 4644
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 3464
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 1540
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 1824
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 4844
image: \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | depth: 7
- PID: 3392
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 1916
image: \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | depth: 6
- PID: 3572
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- PID: 1200
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 5076
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 2700
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 4372
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 2236
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 3368
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 3344
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 1104
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- Drops file in Windows directory
- PID: 2036
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- PID: 884
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- PID: 3972
image: \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | depth: 5
- PID: 2252
image: C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc | depth: 1
- PID: 1304
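The tree above repeats one shape many times: a `spoolsv.exe SE` parent flagged for SetThreadContext spawns a child with the same image one level deeper, and every copy runs from `c:\windows\system`, a directory in which neither spoolsv.exe nor explorer.exe legitimately lives. The parser and two checks below are an added example written for this page, not part of the sandbox's output or tooling. The input lines are constructed to mirror the export layout (image path, command line and nesting level run together ahead of the ⤵ arrow, signatures as `- ...` bullets, PID inline or on a `PID:NNNN -` line); the expected-directory table, the single-digit nesting-level assumption and the hollowing heuristic are this example's own assumptions.

```python
"""Parse a sandbox process-tree export and flag path masquerading and
self-hollowing patterns. Added example; the input is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the export's layout: image path, command line and
# nesting level run together ahead of the arrow; signatures follow as
# "- ..." bullets; the PID is either inline or on a "PID:NNNN -" line.
SAMPLE_TREE = r"""
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1616 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1036 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4528 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1304
"""

# The image path ends at the first ".exe"; the nesting level is assumed to be a
# single digit (the fused layout makes "...Svc12⤵" inherently ambiguous).
HEADER_RE = re.compile(
    r"^(?P<image>(?:\\\?\?\\)?[A-Za-z]:\\.*?\.exe)"
    r"(?P<cmdline>.*?)"
    r"(?P<depth>\d)⤵"
    r"(?:PID:(?P<pid>\d+))?$",
    re.IGNORECASE,
)
PID_RE = re.compile(r"^PID:(\d+)")


@dataclass
class ProcEntry:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[ProcEntry]:
    """Turn the export into ordered entries (tree order is preserved)."""
    entries: List[ProcEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # list-marker residue between entries
            continue
        m = HEADER_RE.match(line)
        if m:
            entries.append(ProcEntry(m["image"], m["cmdline"], int(m["depth"]),
                                     int(m["pid"]) if m["pid"] else None))
            continue
        if not entries:
            continue                          # text before the first process
        pm = PID_RE.match(line)
        if pm:
            entries[-1].pid = int(pm.group(1))
        elif line.startswith("- "):
            entries[-1].signatures.append(line[2:].strip())
    return entries


# Directories in which these Windows binaries legitimately live (assumption of
# this example; lower-case DOS paths without a trailing backslash).
EXPECTED_DIRS = {
    "spoolsv.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows", "c:\\windows\\syswow64"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
}


def dos_path(image: str) -> str:
    """Drop the NT object-manager prefix and normalise case."""
    p = image.lower()
    return p[4:] if p.startswith("\\??\\") else p


def find_masquerades(entries: List[ProcEntry]) -> List[Tuple[Optional[int], str]]:
    """Known binary names executing from a directory they do not ship in."""
    hits = []
    for e in entries:
        p = dos_path(e.image)
        directory, _, name = p.rpartition("\\")
        expected = EXPECTED_DIRS.get(name)
        if expected is not None and directory not in expected:
            hits.append((e.pid, p))
    return hits


def find_hollowing_candidates(entries: List[ProcEntry]) -> List[Tuple[Optional[int], Optional[int]]]:
    """Parent flagged for SetThreadContext whose next entry is a child (depth + 1)
    with the same image: the usual shape of spawn-suspended, overwrite, resume."""
    hits = []
    for parent, child in zip(entries, entries[1:]):
        if ("Suspicious use of SetThreadContext" in parent.signatures
                and child.depth == parent.depth + 1
                and dos_path(child.image) == dos_path(parent.image)):
            hits.append((parent.pid, child.pid))
    return hits


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for pid, path in find_masquerades(tree):
        print(f"masquerade  pid={pid} image={path}")
    for parent, child in find_hollowing_candidates(tree):
        print(f"hollowing?  parent={parent} child={child}")
```

On the constructed input the masquerade check flags all four `c:\windows\system` copies and leaves the real `system32\svchost.exe` alone, and the hollowing heuristic pairs the SetThreadContext parent with its same-image child. The heuristic is deliberately narrow: it keys on tree adjacency and image equality, so a hollowed process started under a different image name would need a second rule.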
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
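The two autostart techniques listed above are cheap to check on a suspect host: export the Winlogon key and the Run keys with `reg query` and look for a Shell value that is anything other than `explorer.exe`, a Userinit chain with extra entries, or Run entries launched from user-writable directories. The checker below is an added example, not part of this report; the `reg query` text it parses is constructed, and the suspect-directory list and the expected Winlogon defaults are this example's assumptions (a kiosk or custom-shell build will legitimately differ).

```python
"""Audit Winlogon and Run-key autostarts from `reg query` output.
Added example; the registry text is constructed."""
import re
from typing import Iterator, List, Tuple

# Constructed `reg query` output (unindented key header, then indented
# "name    type    data" rows), seeded with one hijacked Shell value and one
# Run entry that launches from a roaming profile.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe,c:\windows\system\spoolsv.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    UpdateSvc    REG_SZ    C:\Users\Admin\AppData\Roaming\updsvc.exe MR
"""

# Assumptions of this example: the stock Winlogon values, and directory
# fragments a Run entry on a managed workstation should not launch from.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = ["c:\\windows\\system32\\userinit.exe"]
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                "\\programdata\\", "\\windows\\system\\")
EXE_RE = re.compile(r'"([^"]+\.exe)"|(\S+\.exe)', re.IGNORECASE)

Finding = Tuple[str, str, str, str]  # key, value name, data, reason


def parse_reg_query(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (key, name, type, data) rows; key headers are the unindented lines."""
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            key = raw.strip()
            continue
        # reg query separates name, type and data with runs of spaces;
        # data itself may contain single spaces, so split on 2+ only.
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if key and len(parts) >= 2:
            yield key, parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def first_exe(data: str) -> str:
    """Executable a value launches: quoted path first, else the first .exe token."""
    m = EXE_RE.search(data)
    return (m.group(1) or m.group(2)).lower() if m else ""


def audit_autostarts(reg_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for key, name, _rtype, data in parse_reg_query(reg_text):
        k, n = key.lower(), name.lower()
        if k.endswith("\\winlogon"):
            if n == "shell" and data.strip().lower() != EXPECTED_SHELL:
                findings.append((key, name, data, "Shell is not exactly explorer.exe"))
            elif n == "userinit":
                chain = [p.strip().lower() for p in data.split(",") if p.strip()]
                if chain != EXPECTED_USERINIT:
                    findings.append((key, name, data, "Userinit chain altered"))
        elif k.endswith("\\run") or k.endswith("\\runonce"):
            exe = first_exe(data)
            if not exe:
                findings.append((key, name, data, "no .exe in data; review manually"))
            elif any(d in exe for d in SUSPECT_DIRS):
                findings.append((key, name, data,
                                 "launches from a user-writable or unexpected directory"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit_autostarts(SAMPLE_REG_QUERY):
        print(f"{reason}: {key}\\{name} = {data}")
```

Run it against the real output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and the HKLM/HKCU `...\CurrentVersion\Run` keys (and, on 64-bit hosts, the `WOW6432Node` copies, which share the same layout). The Shell check is exact on purpose: Winlogon runs every comma-separated entry, so an appended path is a second shell, not a harmless suffix.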
Downloads
- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize: 2.2MB
  MD5: 7e619235c3df851e8fa27be33aa350ab
  SHA1: e58ac5131cdc9757672d926b181a6b829ba10225
  SHA256: ea00686b34bacefad4d33e605c794cab9b223635dd3dda26214055184fdf87b1
  SHA512: b1fd0b00040227e9122f34d39545259d3247b3fbe21903a03c04c6b946499e972ccfb559aa4d5b28b2f9ffab9dd7728fd52ab9f1c3fa593534cf5a61f0e3cab5
- Filesize: 2.2MB
  MD5: 62f6d887d8ef69ca62520cffa6ab0855
  SHA1: ae74da0b1bc9a3fcdc106583d3a2616b1af08675
  SHA256: c2199b293f1132423b204f1e876ba5ad936e875ac00af4fd24f8320e4c622221
  SHA512: 117076dca8e0e13064934e7c12e13a0e36b2bb4a2bcf7f6f18bf742d355bb867e168ad86ed3044aa31e5d41f9f79972194a1a55e5d91e25c6c6c4931fc65cb0f