Analysis
max time kernel: 146s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 14:06
Behavioral task: behavioral1
Sample: a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe
Size: 2.2MB
MD5: a0ef26847a620b4f1ae11ce35648ec18
SHA1: 86e7db0df28c69834911f38b36408435581104be
SHA256: bb22693c250aea07973138fa94e156b3997cd6b5e4af0f329c0c23bd736ed43f
SHA512: d5bbf2196796cef946b583faaee1a1a45176d556de8a101551dfa83c1f5a8783a83cc2c8685f0f8749428e0a966bac58df4ad14d6c51f3d5edf58254c71a4dbe
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZB:0UzeyQMS4DqodCnoe+iitjWwwV
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file 2 IoCs
Processes: a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe | a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe | a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext 59 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
pid | process
4636 | explorer.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(1) C:\Users\Admin\AppData\Local\Temp\a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe"  PID: 4648
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  (2) C:\Windows\splwow64.exe  cmd: C:\Windows\splwow64.exe 12288  PID: 5116
  (2) C:\Users\Admin\AppData\Local\Temp\a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\a0ef26847a620b4f1ae11ce35648ec18_JaffaCakes118.exe"  PID: 1692
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (3) \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 2236
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      (4) \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 4636
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1896
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 832
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            (7) \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 3868
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              (8) \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 1144
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4792
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2732
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4472
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1040
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4452
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3844
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4380
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4504
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5048
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1892
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4896
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2372
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3916
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4092
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            (7) \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 3488
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              (8) \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 3632
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4704
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4336
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3592
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 808
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4200
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1580
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3392
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2584
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5008
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2720
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2088
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4624
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1540
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3664
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5076
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3408
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2076
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3604
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4996
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5068
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            (7) \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 1632
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              (8) \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 1456
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2716
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4728
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 5064
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4964
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1952
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3336
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4400
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3944
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 636
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1940
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1576
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3020
            - Suspicious use of SetWindowsHookEx
            (7) \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 232
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              (8) \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 3088
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 724
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3884
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2144
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 4752
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 4540
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1696
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1160
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2068
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2028
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2748
            - Suspicious use of SetWindowsHookEx
        (5) \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1232
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          (6) \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 5000
            (7) \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
PID:3032 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4508 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4440
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3440 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1664
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3628 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:916
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2444 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2240
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
PID:4324 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1932
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4944 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4424
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3240 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5032
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3244 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4776
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
PID:1864 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2292
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2268 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4344
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4968
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3908 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2788
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3636 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4308 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3956
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3760
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:2692 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2020
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1136
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3424 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1072
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3652 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4700
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1496 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3452
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5028 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4316
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2772 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1444
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:1404 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3340 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4304
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3524 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4488
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1644
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3168 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1716
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2356 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4284
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:224 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3448
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:752
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1276 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4016
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2892
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1936 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3672 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1768 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4408
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4416 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3856 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2612
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4740 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3564 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1904
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4652 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1740 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1676 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4600 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3092
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3692
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4824
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads
- Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize: 2.2MB
  MD5: eb6925e76c55a552bb00c0aff6a3dda3
  SHA1: ca48d7f52b6f851e07a79fac971b1be692230308
  SHA256: 9b1a4e90e299ec790661893cc78ec8546279abb5cbb8c5d61f80d35684400efa
  SHA512: e516a4a755dbc76c75740198bd2fb92538f9c77c60b82a5afe4612da4cc5509aa87eec7c2e85ac7dc77ec1f7da4a2fee10e70074daf363eecf94419557338568
- Filesize: 2.2MB
  MD5: ec2b9f2cfbcf3d6dc837b729f76059bc
  SHA1: 8a4d356a93095a0b632908d045a56cdefe213841
  SHA256: c86a26e4a3f770d91cd4959b456f5703998900464d16d79340e58943efd8cabc
  SHA512: 39de1d467138f7a6f9d9c9d91dbedc615a7f710d82bab6698ffaa21c0e026bec242224eeddaf90bc18a58d659de48fda5d796b93e2e98b4663dd3dd1bef92919