Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 14:23
Behavioral task: behavioral1
Sample: a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe
Size: 2.2MB
MD5: a0fbc46020b182435ba24e2049cc051e
SHA1: 3f683013ea040c0fb77c140af6cf2293fc6884c2
SHA256: 7eca9762c28137be5df5d835364c97800ef19dfaf1561ca1eb06dad557e1e1dd
SHA512: 97d39827ae2143da737517842b42bc94bb5118914c4bd8dba81681db682b2b7693ba21eb67573bdfa9a6531bcb0f416fae01b57c419b41d3bf0d99126f3acb5b
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZk:0UzeyQMS4DqodCnoe+iitjWww4
Malware Config
Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (2 IoCs)
Processes: a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe | a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe | a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext (56 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: explorer.exe
pid | process
4792 | explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 3344
[depth 2] C:\Windows\splwow64.exe
  Command line: C:\Windows\splwow64.exe 12288
  PID: 208
[depth 2] C:\Users\Admin\AppData\Local\Temp\a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0fbc46020b182435ba24e2049cc051e_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1828
[depth 3] \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 5016
[depth 4] \??\c:\windows\system\explorer.exe
  Command line: "c:\windows\system\explorer.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4792
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 1700
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 456
[depth 7] \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4292
[depth 8] \??\c:\windows\system\explorer.exe
  Command line: "c:\windows\system\explorer.exe"
  PID: 876
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4432
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4940
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3856
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 3040
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 1252
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 452
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4768
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 3176
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4380
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 1916
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4908
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 2556
[depth 7] \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 376
[depth 8] \??\c:\windows\system\explorer.exe
  Command line: "c:\windows\system\explorer.exe"
  PID: 1408
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4476
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 2956
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4024
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 3344
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 3612
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 2172
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 3000
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 212
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 1972
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 748
[depth 7] \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2668
[depth 8] \??\c:\windows\system\explorer.exe
  Command line: "c:\windows\system\explorer.exe"
  PID: 2028
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 3792
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 3180
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 3376
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 3620
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 548
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 1484
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 1956
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4816
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 3820
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4596
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4736
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4936
[depth 7] \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 3136
[depth 8] \??\c:\windows\system\explorer.exe
  Command line: "c:\windows\system\explorer.exe"
  PID: 4064
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2736
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 832
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 1292
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4544
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4920
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4052
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4616
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 556
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1212
[depth 6] \??\c:\windows\system\spoolsv.exe
  Command line: "c:\windows\system\spoolsv.exe"
  - Suspicious use of SetWindowsHookEx
  PID: 984
[depth 7] \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 2436
[depth 8] \??\c:\windows\system\explorer.exe
  Command line: "c:\windows\system\explorer.exe"
  PID: 1192
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4532 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3564 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4428 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4216 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3692 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3116 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2396 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3208 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3392 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3224 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5008 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4892 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3824 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1204
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3228 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4468
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4088 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:684
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
PID:2464 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1308
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2540 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4108
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4988 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4876
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4076 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2732
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5064 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4932
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4828 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1864
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3200
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3440 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2344
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2988 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3920 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5040
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4860 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4020 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:348
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:1000 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2544
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:4404 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3700 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1984
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3960 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3096
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3144 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4256 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1752
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2152 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:180
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3416
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1684 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3892
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1356
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4980 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4408
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1424 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1776
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4508 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4632 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3448 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4640 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1900 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1368 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4312
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3312 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3832 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2360 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4992 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3656 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1780 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:768 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3644
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4232
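Two checks a triage analyst would run over a tree like the one above, written here as an added example rather than anything produced by the sandbox: every spoolsv.exe and explorer.exe in the chain runs from c:\windows\system\, a directory Windows does not run either binary from, and each spoolsv.exe SE parent that calls SetThreadContext spawns a child running the same image, which is the create-suspended, overwrite, resume shape of process hollowing. The records are constructed from the report's own depths, PIDs and signature names; the table of expected directories is this example's assumption, and parent links are recovered from the depth column on the assumption that the export lists processes in pre-order (as the report does).

```python
"""Triage checks over a sandbox process tree (added example, not from the report)."""
import ntpath
from collections import Counter, namedtuple

# Directories Windows actually runs these binaries from (assumption of this
# example; extend for your own baseline). A matching file name anywhere else is
# treated as masquerading (MITRE T1036.005, Match Legitimate Name or Location).
EXPECTED_DIRS = {
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

HOLLOW_SIG = "Suspicious use of SetThreadContext"

Proc = namedtuple("Proc", "depth image cmdline pid signatures")

# Constructed from the report's tree: (depth, image, command line, PID, signatures).
SAMPLE = [
    Proc(5, "\\??\\c:\\windows\\system\\spoolsv.exe", "c:\\windows\\system\\spoolsv.exe SE", 2736,
         ["Executes dropped EXE", HOLLOW_SIG]),
    Proc(6, "\\??\\c:\\windows\\system\\spoolsv.exe", '"c:\\windows\\system\\spoolsv.exe"', 832,
         ["Executes dropped EXE", "Suspicious use of SetWindowsHookEx"]),
    Proc(5, "\\??\\c:\\windows\\system\\spoolsv.exe", "c:\\windows\\system\\spoolsv.exe SE", 1212,
         ["Executes dropped EXE", HOLLOW_SIG]),
    Proc(6, "\\??\\c:\\windows\\system\\spoolsv.exe", '"c:\\windows\\system\\spoolsv.exe"', 984,
         ["Suspicious use of SetWindowsHookEx"]),
    Proc(7, "\\??\\c:\\windows\\system\\explorer.exe", "c:\\windows\\system\\explorer.exe", 2436,
         [HOLLOW_SIG, "Drops file in Windows directory"]),
    Proc(8, "\\??\\c:\\windows\\system\\explorer.exe", '"c:\\windows\\system\\explorer.exe"', 1192, []),
    Proc(1, "C:\\Windows\\system32\\svchost.exe",
         "C:\\Windows\\system32\\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc", 4232, []),
]


def normalize(path):
    """Drop the NT object-manager prefix the sandbox prints and lowercase the rest."""
    prefix = "\\??\\"
    if path.startswith(prefix):
        path = path[len(prefix):]
    return path.lower()


def is_masquerading(image):
    """True when a tracked binary name runs from a directory it never ships in."""
    p = normalize(image)
    allowed = EXPECTED_DIRS.get(ntpath.basename(p))
    return allowed is not None and ntpath.dirname(p) not in allowed


def build_tree(records):
    """Recover parent links from the depth column. The export is pre-order, so a
    record at depth d is the child of the most recent record at depth d-1. A record
    whose parent depth has not been seen becomes a root (depth 1, or the tree was
    cut above it, as with the report's depth-5 entries)."""
    last_at_depth, parents = {}, {}
    for r in records:
        parents[r.pid] = last_at_depth.get(r.depth - 1)
        last_at_depth[r.depth] = r
        for d in [d for d in last_at_depth if d > r.depth]:  # forget stale deeper nodes
            del last_at_depth[d]
    return parents


def hollowing_chains(records):
    """(parent_pid, child_pid) pairs where a parent that called SetThreadContext
    spawned a child running the same image: the create-suspended, overwrite,
    resume shape of process hollowing (MITRE T1055.012)."""
    parents = build_tree(records)
    chains = []
    for r in records:
        p = parents[r.pid]
        if p is not None and HOLLOW_SIG in p.signatures and normalize(p.image) == normalize(r.image):
            chains.append((p.pid, r.pid))
    return chains


def triage(records):
    return {
        "masquerading_pids": [r.pid for r in records if is_masquerading(r.image)],
        "hollowing_chains": hollowing_chains(records),
        "image_counts": Counter(ntpath.basename(normalize(r.image)) for r in records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, every c:\windows\system\ process is flagged as masquerading and three parent/child pairs match the hollowing pattern; the svchost.exe at depth 1 is not flagged because it runs from system32, which is the point of keying the check on directory rather than on file name alone.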
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Downloads
-
Filesize: not reported (the digests below are those of a zero-byte file, so the sandbox saved an empty file for this download)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize: 2.2MB
MD5: 487ea4c7215fcdbac065a320a98cfb3a
SHA1: 593801c3d17884cdf055a262fb6a9e8276dba220
SHA256: 1e8b358c71e5fc64008cdab01feee17b191e2f84185214b99df255ab9bc62c0b
SHA512: bee3916ace490b06d89253f7e4657b47ada36f33edc87aaceed6d470268e73f481b014ce8272cb872de8a8c591228057749e6e41538db2f307adbe7f13ad9f71
-
Filesize: 2.2MB
MD5: bd08759e0aa2cee4c6b96b483aa5d205
SHA1: c4af030eea95e74b8a4ed51f6137e10fa168ec75
SHA256: 380339da498724695ee22c508ebb5bce2c7b09c313df70ee08d29588b8155f8b
SHA512: 1482a7f1efda2ee4deeebc3bce17c26a7cdcf4cf4f98d8919bc4a410dca9ea027ddcdb04f34b0ad4633f44b1b3d579f7ce53ad7591423415168b61b1cc4c4bab
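Digest lists exported from a sandbox often arrive with the algorithm name fused to its value, or the value wrapped onto the next line, and the first entry above is easy to misread as a real artifact when in fact all four of its digests are the well-known hashes of an empty input. The parser below is an added example, not part of the report: it splits the flattened list on the "-" separators, resolves the SHA512/SHA1 prefix ambiguity by matching the longest name first, rejects a value whose length or charset does not fit its algorithm, and compares each entry against digests of b"" computed with hashlib. The input is constructed from the two smallest entries of the report's Downloads block.

```python
"""Parse a sandbox report's flattened 'Downloads' digest list and flag entries whose
digests are those of a zero-byte file (added example, not from the report)."""
import hashlib
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest names first: otherwise 'SHA512cf83...' would be read as SHA1 + '2cf83...'.
FIELD_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)(.*)$")
# Digests of the empty input, computed rather than pasted so they cannot be mistyped.
EMPTY_DIGESTS = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in HEX_LEN}

# Constructed from the report's Downloads block: the exporter drops the separator
# between field name and value, and sometimes wraps the value onto the next line.
SAMPLE = """\
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
"""


def parse_downloads(text):
    """Split the list on '-' separators into dicts of field -> value, validating
    digest length and charset so a mis-split name/value boundary is caught."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, current, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if line == "-":
            if current:
                entries.append(current)
            current = {}
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                field, value = m.group(1), m.group(2).strip()
                if not value and i + 1 < len(lines):  # value wrapped onto the next line
                    i += 1
                    value = lines[i]
                if field in HEX_LEN and not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[field], value):
                    raise ValueError(f"{field} value {value!r} has the wrong length or charset")
                current[field] = value
        i += 1
    if current:
        entries.append(current)
    return entries


def is_empty_file(entry):
    """True when every digest present is the digest of b''. Such an entry means the
    sandbox saved a download with no body, not a real payload."""
    present = [f for f in HEX_LEN if f in entry]
    return bool(present) and all(entry[f] == EMPTY_DIGESTS[f] for f in present)


if __name__ == "__main__":
    for e in parse_downloads(SAMPLE):
        print(e.get("Filesize", "?"), e["SHA256"][:16], "EMPTY" if is_empty_file(e) else "")
```

The length check matters more than it looks: with the separator gone, "SHA11ddda26..." can only be read correctly because SHA1 is tried after SHA512 and SHA256 and the remainder is exactly 40 hex characters; any other split would fail validation rather than silently produce a wrong indicator.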