Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 14:03
Behavioral task: behavioral1
Sample: a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe
Size: 2.2MB
MD5: a0edb9a9171e684ba98a2c1e97d0d987
SHA1: 7b3ed0a903df0d44015d02d9c337c7718499c8db
SHA256: a732bffa78e67c87ec91470142a180487d9840caf12ee107ea85496b05cc7856
SHA512: f65c3cacee5be1cbe43dbdec6c08e0e115787d6b7189e517350ed7f0070fdfb620b4dda10676084b3afbdce8ca3e2fd92ab03763d92c42caebb5f09d8388d799
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZc:0UzeyQMS4DqodCnoe+iitjWww4
Malware Config
Extracted family: pony
c2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: explorer.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe
-
Drops startup file 2 IoCs
Processes: a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe
-
Executes dropped EXE 64 IoCs
Processes: explorer.exe, spoolsv.exe
pid process (64 IoCs, in the order recorded)
1628 explorer.exe; 4360 explorer.exe; 3508 spoolsv.exe; 4972 spoolsv.exe; 336 spoolsv.exe; 3344 spoolsv.exe; 1212 spoolsv.exe; 4164 spoolsv.exe
1652 spoolsv.exe; 992 spoolsv.exe; 4388 spoolsv.exe; 4224 spoolsv.exe; 1356 spoolsv.exe; 2488 spoolsv.exe; 2644 spoolsv.exe; 3356 spoolsv.exe
856 spoolsv.exe; 3328 spoolsv.exe; 3308 spoolsv.exe; 1796 spoolsv.exe; 4888 spoolsv.exe; 1328 spoolsv.exe; 4568 spoolsv.exe; 4040 spoolsv.exe
2704 spoolsv.exe; 1384 spoolsv.exe; 4872 spoolsv.exe; 4864 spoolsv.exe; 752 spoolsv.exe; 212 spoolsv.exe; 4940 spoolsv.exe; 1192 spoolsv.exe
3832 spoolsv.exe; 1044 explorer.exe; 1460 spoolsv.exe; 4636 spoolsv.exe; 2252 spoolsv.exe; 1540 spoolsv.exe; 3288 spoolsv.exe; 1448 spoolsv.exe
2768 spoolsv.exe; 2684 explorer.exe; 948 spoolsv.exe; 832 spoolsv.exe; 4180 spoolsv.exe; 5056 spoolsv.exe; 3184 spoolsv.exe; 4444 spoolsv.exe
4116 explorer.exe; 5036 spoolsv.exe; 2916 spoolsv.exe; 3504 spoolsv.exe; 1864 spoolsv.exe; 4144 spoolsv.exe; 2620 spoolsv.exe; 3480 explorer.exe
5108 spoolsv.exe; 1372 spoolsv.exe; 4664 spoolsv.exe; 636 spoolsv.exe; 1904 explorer.exe; 4676 spoolsv.exe; 3756 spoolsv.exe; 3888 spoolsv.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe
-
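The registry signatures above (Winlogon Shell, ShowSuperHidden, the Active Setup Installed Components key, and the two RunOnce values) can be triaged mechanically from the rows the sandbox emits. The following Python is an added example written for this page, not sandbox output and not code from the Pony loader: it parses rows in the `description ioc process` format used in these signatures (the six rows are embedded below as constructed input copied from them) and checks each write against a baseline. That baseline is this example's own assumption, chosen to fit this report's IoCs: Winlogon Shell must be exactly `explorer.exe`, Active Setup component names must be well-formed GUIDs, a StubPath should not point into a user profile, and binaries named `explorer.exe`, `svchost.exe` or `spoolsv.exe` are expected only under `C:\Windows`, `System32` or `SysWOW64`.

```python
import re
from typing import Dict, List

# Constructed input: the six registry rows the Signatures section attributes to
# the dropped c:\windows\system\explorer.exe, in the sandbox's row format.
REPORT_REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe',
]

SET_RE = re.compile(r'^Set value \((str|int)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+?) (\S+)$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
ACTIVE_SETUP = "\\active setup\\installed components\\"

# Assumed baseline: where these well-known binary names legitimately live (lower case).
LEGIT_DIRS = {
    "explorer.exe": {"c:\\windows"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
}


def parse_row(row: str) -> Dict[str, str]:
    """Parse one sandbox registry row; the report doubles backslashes inside values."""
    m = SET_RE.match(row)
    if m:
        _kind, key, value, proc = m.groups()
        return {"op": "set", "key": key, "value": value.replace("\\\\", "\\"), "process": proc}
    m = KEY_RE.match(row)
    if m:
        key, proc = m.groups()
        return {"op": "create", "key": key, "value": "", "process": proc}
    raise ValueError(f"unrecognised row: {row!r}")


def image_path(command: str) -> str:
    """Executable part of a command line such as 'c:\\windows\\system\\explorer.exe RO'."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path, may contain spaces
        return command[1:].split('"', 1)[0].lower()
    return command.split(" ", 1)[0].lower()


def triage(rows: List[str]) -> List[Dict[str, str]]:
    """One finding per suspicious write; rows matching the baseline produce nothing."""
    findings: List[Dict[str, str]] = []
    seen_components = set()
    for row in rows:
        e = parse_row(row)
        key_l = e["key"].lower()
        parent, _, leaf = key_l.rpartition("\\")
        if ACTIVE_SETUP in key_l:
            component = key_l.split(ACTIVE_SETUP, 1)[1].split("\\", 1)[0]
            if not GUID_RE.match(component) and component not in seen_components:
                seen_components.add(component)           # report the key once, not per value
                findings.append({"technique": "Active Setup component with malformed GUID",
                                 "key": e["key"], "detail": component})
            if e["op"] == "set" and leaf == "stubpath":
                img = image_path(e["value"])
                if "\\users\\" in img or "\\appdata\\" in img:
                    findings.append({"technique": "Active Setup StubPath in user profile",
                                     "key": e["key"], "detail": img})
        elif parent.endswith("\\currentversion\\winlogon") and leaf == "shell":
            programs = [p.strip() for p in e["value"].split(",")]   # Winlogon runs each entry
            if programs != ["explorer.exe"]:
                findings.append({"technique": "Winlogon Shell replaced",
                                 "key": e["key"], "detail": ", ".join(programs)})
        elif parent.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            img = image_path(e["value"])
            directory, _, name = img.rpartition("\\")
            if name in LEGIT_DIRS and directory not in LEGIT_DIRS[name]:
                findings.append({"technique": "Run/RunOnce entry masquerading as system binary",
                                 "key": e["key"], "detail": img})
        elif parent.endswith("\\explorer\\advanced") and leaf == "showsuperhidden":
            if e["value"] == "0":
                findings.append({"technique": "Protected OS files forced hidden (ShowSuperHidden=0)",
                                 "key": e["key"], "detail": e["value"]})
    return findings


def techniques(rows: List[str]) -> List[str]:
    """Sorted technique labels, for a quick summary."""
    return sorted(f["technique"] for f in triage(rows))


if __name__ == "__main__":
    for f in triage(REPORT_REGISTRY_ROWS):
        print(f'{f["technique"]}: {f["detail"]}')
```

`{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}` fails the GUID check by itself: several of its characters are not hexadecimal, so the key name alone is a cheap host-side indicator before StubPath is even read. ShowSuperHidden=0 is the Windows default; the sandbox flags the write, not the value, and the check above reports it only because it arrives together with dropped binaries under C:\Windows\system. On a live host the same rows come from `Get-ItemProperty` on the listed keys and the logic is unchanged.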
Suspicious use of SetThreadContext 53 IoCs
Processes: a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe, explorer.exe, spoolsv.exe
pid -> target pid, grouped by process -> target process; 53 IoCs
a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe -> a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe: 336 -> 4944
explorer.exe -> explorer.exe: 1628 -> 4360, 1044 -> 3924, 2684 -> 1908, 4116 -> 2884, 3480 -> 4548, 1904 -> 4292, 1576 -> 3200, 2460 -> 620, 3612 -> 4732, 732 -> 4496
spoolsv.exe -> spoolsv.exe: 3508 -> 3832, 4972 -> 1460, 336 -> 4636, 3344 -> 2252, 1212 -> 1540, 4164 -> 3288, 1652 -> 2768, 992 -> 948, 4388 -> 832, 4224 -> 4180, 1356 -> 5056, 2488 -> 4444, 2644 -> 5036, 3356 -> 2916, 856 -> 3504, 3328 -> 1864, 3308 -> 2620, 1796 -> 5108, 4888 -> 1372, 1328 -> 4664, 4568 -> 636, 4040 -> 3756, 2704 -> 3888, 1384 -> 1716, 4872 -> 4044, 4864 -> 3456, 752 -> 4876, 212 -> 3688, 4940 -> 4092, 1192 -> 2296, 1448 -> 2212, 3184 -> 4128, 4144 -> 2448, 4676 -> 1364, 3556 -> 1992, 2656 -> 3452, 2956 -> 4668, 4588 -> 5100, 1204 -> 2148, 4492 -> 864, 2368 -> 3192, 1916 -> 4016
-
Drops file in Windows directory 64 IoCs
Processes: explorer.exe, spoolsv.exe, a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe
Distinct ioc/process pairs among the 64 entries, all "File opened for modification":
C:\Windows\Parameters.ini: a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe (1 entry), explorer.exe and spoolsv.exe (the other 61 entries)
\??\c:\windows\system\spoolsv.exe: explorer.exe
C:\Windows\system\udsys.exe: explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe, explorer.exe
pid process; 64 IoCs
4944 a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe (2 entries)
4360 explorer.exe (62 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
4360 explorer.exe
-
Suspicious use of SetWindowsHookEx 64 IoCs
Processes: a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe, explorer.exe, spoolsv.exe
pid process (each PID is listed twice unless noted); 64 IoCs
4944 a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe
4360 explorer.exe (4 entries)
spoolsv.exe: 3832, 1460, 4636, 2252, 1540, 3288, 2768, 948, 832, 4180, 5056, 4444, 5036, 2916, 3504, 1864, 2620, 5108, 1372, 4664, 636, 3756, 3888, 1716, 4044, 3456, 4876, 3688, 4092
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe, explorer.exe
pid -> target pid (process -> target process), with the number of recorded writes; 64 IoCs
336 -> 3988 (a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe -> splwow64.exe): 2
336 -> 4944 (a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe -> a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe): 5
4944 -> 1628 (a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe -> explorer.exe): 3
1628 -> 4360 (explorer.exe -> explorer.exe): 5
4360 -> 3508, 4972, 336, 3344, 1212, 4164, 1652, 992, 4388, 4224, 1356, 2488, 2644, 3356, 856, 3328 (explorer.exe -> spoolsv.exe): 3 each
4360 -> 3308 (explorer.exe -> spoolsv.exe): 1 (the list ends here at 64 entries)
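The SetThreadContext and WriteProcessMemory lists above are the evidence behind the process tree that follows: each dropped explorer.exe or spoolsv.exe starts a second copy of itself, writes into it and then calls SetThreadContext (the usual process-hollowing sequence), and the hollowed copy spawns the next generation. The following Python is an added example written for this page, not sandbox code: it parses rows in the `PID <src> <verb> <dst> <src> <image> <image>` form the sandbox uses for both lists (the first rows of each are embedded as constructed input), joins the two kinds of evidence per parent/child pair, and prints the resulting lineage. The labels `hollowed`, `spawned` and `context-only` are this example's own names. Processes are keyed by (pid, image name) rather than pid alone because this report reuses PID 336 for both the original sample and a later spoolsv.exe, and a pid-only walk would loop.

```python
import re
from typing import Dict, List, Tuple

SAMPLE = "a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe"

# Constructed input: the first rows of the SetThreadContext and WriteProcessMemory
# lists in this report, in the run-together form of the sandbox's text export.
SET_CONTEXT_TEXT = (
    f"PID 336 set thread context of 4944 336 {SAMPLE} {SAMPLE} "
    "PID 1628 set thread context of 4360 1628 explorer.exe explorer.exe "
    "PID 3508 set thread context of 3832 3508 spoolsv.exe spoolsv.exe "
    "PID 336 set thread context of 4636 336 spoolsv.exe spoolsv.exe"
)
WRITE_MEMORY_TEXT = (
    f"PID 336 wrote to memory of 3988 336 {SAMPLE} splwow64.exe "
    f"PID 336 wrote to memory of 4944 336 {SAMPLE} {SAMPLE} "
    f"PID 336 wrote to memory of 4944 336 {SAMPLE} {SAMPLE} "
    f"PID 4944 wrote to memory of 1628 4944 {SAMPLE} explorer.exe "
    "PID 1628 wrote to memory of 4360 1628 explorer.exe explorer.exe "
    "PID 4360 wrote to memory of 3508 4360 explorer.exe spoolsv.exe "
    "PID 4360 wrote to memory of 336 4360 explorer.exe spoolsv.exe"
)

# "PID <src> <verb> <dst> <src> <src image> <dst image>"; \1 pins the repeated source PID.
EVENT_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)")

Proc = Tuple[int, str]      # (pid, image name): PIDs are reused within this report
Edge = Tuple[Proc, Proc]


def parse_events(text: str) -> List[Tuple[Proc, str, Proc]]:
    """(source, verb, target) triples from a run-together sandbox list."""
    events = []
    for m in EVENT_RE.finditer(text):
        src, verb, dst, src_img, dst_img = m.groups()
        events.append(((int(src), src_img), verb, (int(dst), dst_img)))
    return events


def classify_edges(set_context_text: str, write_memory_text: str) -> Dict[Edge, str]:
    """Label each parent->child pair by the combination of API evidence seen for it."""
    verbs: Dict[Edge, set] = {}
    for src, verb, dst in parse_events(set_context_text) + parse_events(write_memory_text):
        verbs.setdefault((src, dst), set()).add(verb)
    labels: Dict[Edge, str] = {}
    for edge, seen in verbs.items():
        wrote = "wrote to memory of" in seen
        ctx = "set thread context of" in seen
        if wrote and ctx:
            labels[edge] = "hollowed"       # write + SetThreadContext into a child: injection
        elif ctx:
            labels[edge] = "context-only"   # SetThreadContext seen, write not in the input
        else:
            labels[edge] = "spawned"        # WriteProcessMemory alone also fires on plain CreateProcess
    return labels


def lineage(labels: Dict[Edge, str], root: Proc) -> List[str]:
    """Depth-first walk from root; (pid, image) keys keep PID reuse from looping."""
    lines: List[str] = []
    visited = set()

    def walk(proc: Proc, depth: int) -> None:
        if proc in visited:
            return
        visited.add(proc)
        for (src, dst), label in labels.items():
            if src == proc:
                lines.append(f"{'  ' * depth}{src[0]} {src[1]} -> {dst[0]} {dst[1]} [{label}]")
                walk(dst, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = classify_edges(SET_CONTEXT_TEXT, WRITE_MEMORY_TEXT)
    print("\n".join(lineage(edges, (336, SAMPLE))))
```

`wrote to memory of` on its own is weak evidence: the sandbox records it for every ordinary child creation as well, which is why 336 -> 3988 splwow64.exe (the 32-bit print driver host, started when the 32-bit sample touched printing APIs) comes out as `spawned` rather than as injection. The write list is capped at 64 rows and this excerpt is shorter still, so a `context-only` edge such as 3508 -> 3832 means the matching write is absent from the input, not that none happened.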
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:3988
-
C:\Users\Admin\AppData\Local\Temp\a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0edb9a9171e684ba98a2c1e97d0d987_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3508 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3832 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1044 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3924
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4972 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1460 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:336 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4636 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3344 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2252 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1212 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1540 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4164 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3288 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1652 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2768 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2684 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1908
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:992 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:948 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4388 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:832 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4224 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4180 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1356 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5056 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2488 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4444 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4116 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2644 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5036 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3356 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2916 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:856 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3504 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3328 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1864 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3308 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2620 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3480 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4548
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1796 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 5108
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 4888
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 1372
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 1328
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 4664
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 4568
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 636
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 1904
\??\c:\windows\system\explorer.exe (depth 8) cmdline: "c:\windows\system\explorer.exe"
PID: 4292
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 4040
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 3756
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 2704
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 3888
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 1384
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx
PID: 1716
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 4872
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx
PID: 4044
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 1576
\??\c:\windows\system\explorer.exe (depth 8) cmdline: "c:\windows\system\explorer.exe"
PID: 3200
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 4864
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx
PID: 3456
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 752
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx
PID: 4876
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 212
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx
PID: 3688
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 4940
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx
PID: 4092
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 2460
\??\c:\windows\system\explorer.exe (depth 8) cmdline: "c:\windows\system\explorer.exe"
PID: 620
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 1192
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 2296
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 3612
\??\c:\windows\system\explorer.exe (depth 8) cmdline: "c:\windows\system\explorer.exe"
PID: 4732
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 1448
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 2212
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 732
\??\c:\windows\system\explorer.exe (depth 8) cmdline: "c:\windows\system\explorer.exe"
PID: 4496
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 3184
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 4128
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
PID: 2496
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 4144
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 2448
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
- Drops file in Windows directory
PID: 1948
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 4676
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 1364
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
- Drops file in Windows directory
PID: 1468
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 3556
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 1992
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
- Drops file in Windows directory
PID: 3280
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 2656
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 3452
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 2956
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 4668
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 4588
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 5100
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 1204
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 2148
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
PID: 2124
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 4492
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 864
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
PID: 2368
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 3192
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID: 1916
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 4016
\??\c:\windows\system\explorer.exe (depth 7) cmdline: c:\windows\system\explorer.exe
PID: 4108
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
PID: 2508
\??\c:\windows\system\spoolsv.exe (depth 6) cmdline: "c:\windows\system\spoolsv.exe"
PID: 3776
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 448
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 1072
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 4728
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 3068
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 5016
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 3348
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 3244
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
PID: 4020
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 3752
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 3684
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 2440
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 3228
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 1720
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
PID: 1624
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory
PID: 3908
\??\c:\windows\system\spoolsv.exe (depth 5) cmdline: c:\windows\system\spoolsv.exe SE
PID: 3596
C:\Windows\system32\svchost.exe (depth 1) cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
PID: 2920
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 3
Registry Run Keys / Startup Folder: 2
Winlogon Helper DLL: 1
Privilege Escalation
Boot or Logon Autostart Execution: 3
Registry Run Keys / Startup Folder: 2
Winlogon Helper DLL: 1
Downloads