Analysis

max time kernel: 139s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 14:02

Behavioral task: behavioral1
Sample: a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe
Resource: win7-20240508-en

General

Target: a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe
Size: 2.2MB
MD5: a0ec04ec806a14c4a7593668773b2c31
SHA1: 2d2637090eb6721d5d5815a14f136d5737ceedaa
SHA256: 0f95efc563f17bda94c6d9ac8bd2b619e443aadf9ec2dc5b1b0cd2baae0c305a
SHA512: 486942a64cbcf29e2f2a2bc767897a885d19d7289df336bc348a529c8280fc27b30992ce0d799b817eadadffddfc926d145ccc2c17e825acd3c3bdde58ae3211
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZM:0UzeyQMS4DqodCnoe+iitjWwwY

Malware Config

Extracted

Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
- explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"

Drops startup file (2 IoCs)
- a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe
- a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
Suspicious use of SetThreadContext (48 IoCs)
Drops file in Windows directory (64 IoCs)

description | ioc | process
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- explorer.exe (PID 2316)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree. The bracketed number is the nesting depth reported by the sandbox; the signatures each process triggered are listed beneath it.

- [1] C:\Users\Admin\AppData\Local\Temp\a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe, cmd: "C:\Users\Admin\AppData\Local\Temp\a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe", PID 4256
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\splwow64.exe, cmd: C:\Windows\splwow64.exe 12288, PID 5028
  - [2] C:\Users\Admin\AppData\Local\Temp\a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe, cmd: "C:\Users\Admin\AppData\Local\Temp\a0ec04ec806a14c4a7593668773b2c31_JaffaCakes118.exe", PID 4400
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] \??\c:\windows\system\explorer.exe, cmd: c:\windows\system\explorer.exe, PID 3672
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - [4] \??\c:\windows\system\explorer.exe, cmd: "c:\windows\system\explorer.exe", PID 2316
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 4644
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5380
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - [7] \??\c:\windows\system\explorer.exe, cmd: c:\windows\system\explorer.exe, PID 5436
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - [8] \??\c:\windows\system\explorer.exe, cmd: "c:\windows\system\explorer.exe", PID 5308
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 1604
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5492
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 3480
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5580
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 2616
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5972
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 908
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 6040
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 3448
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5152
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - [7] \??\c:\windows\system\explorer.exe, cmd: c:\windows\system\explorer.exe, PID 5352
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - [8] \??\c:\windows\system\explorer.exe, cmd: "c:\windows\system\explorer.exe", PID 5992
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 4432
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5412
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 1708
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5760
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 3288
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 3412
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - [7] \??\c:\windows\system\explorer.exe, cmd: c:\windows\system\explorer.exe, PID 3180
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - [8] \??\c:\windows\system\explorer.exe, cmd: "c:\windows\system\explorer.exe", PID 4948
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 4972
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5208
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 3900
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5588
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 1748
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5680
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 1548
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 2240
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - [7] \??\c:\windows\system\explorer.exe, cmd: c:\windows\system\explorer.exe, PID 6076
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - [8] \??\c:\windows\system\explorer.exe, cmd: "c:\windows\system\explorer.exe", PID 824
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 3344
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5264
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 3280
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5292
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 3604
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 4312
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 2320
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5624
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - [7] \??\c:\windows\system\explorer.exe, cmd: c:\windows\system\explorer.exe, PID 5632
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - [8] \??\c:\windows\system\explorer.exe, cmd: "c:\windows\system\explorer.exe", PID 224
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 5108
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 3036
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 628
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 6048
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 3704
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 4224
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - [7] \??\c:\windows\system\explorer.exe, cmd: c:\windows\system\explorer.exe, PID 5296
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - [8] \??\c:\windows\system\explorer.exe, cmd: "c:\windows\system\explorer.exe", PID 716
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 2560
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5084
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 5040
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 3100
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 1192
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5848
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 3232
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5864
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 2548
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5232
            - Suspicious use of SetWindowsHookEx
            - [7] \??\c:\windows\system\explorer.exe, cmd: c:\windows\system\explorer.exe, PID 5652
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - [8] \??\c:\windows\system\explorer.exe, cmd: "c:\windows\system\explorer.exe", PID 3976
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 4036
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 860
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 3944
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5276
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 1956
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 5996
            - Suspicious use of SetWindowsHookEx
            - [7] \??\c:\windows\system\explorer.exe, cmd: c:\windows\system\explorer.exe, PID 1496
              - Suspicious use of SetThreadContext
              - [8] \??\c:\windows\system\explorer.exe, cmd: "c:\windows\system\explorer.exe", PID 5148
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE, PID 4076
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - [6] \??\c:\windows\system\spoolsv.exe, cmd: "c:\windows\system\spoolsv.exe", PID 4112
            - Suspicious use of SetWindowsHookEx
        - [5] \??\c:\windows\system\spoolsv.exe, cmd: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5284 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:884
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:1960 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5896 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1328
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5764 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5180
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5676 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4532
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5796 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5516 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4292
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2512 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2392 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4240
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5744 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:6028 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4584
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2424 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5416 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5852
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5888 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3740 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5224
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4712 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:6004
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4364
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2004 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1560
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2848 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4708
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4268
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1704
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:436 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4604
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:456
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:208 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4948
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2032
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5220
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:216 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3496
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:5400
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3592 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5236
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5900 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3084 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3552 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:212 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4832 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3852
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:876 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1472
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1076
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:3336
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4744,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:81⤵PID:1552
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads