Analysis
- max time kernel: 145s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 15:38
Behavioral task: behavioral1
- Sample: a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe
- Size: 2.2MB
- MD5: a12e84111ca02ce3dc6e2280799accc6
- SHA1: bc66cb16ed026ddf96941e96f98f0897cb65d616
- SHA256: df23d3588be59fd0a776959081b8212fd3dc632a14ecf5fc7ac4bd247aa5336d
- SHA512: 4823d1d9e4d67b4ad21dfb2c791c93d0ab3debd01134c097f8025fd1c5e912662482a440e333c00e91e90d131adc4db57f580131c4adcce0056093ccb6309a85
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZX:0UzeyQMS4DqodCnoe+iitjWwwr
Malware Config
Extracted
- pony
- http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
- Drops startup file (2 IoCs)
  Processes: a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe
- Executes dropped EXE (64 IoCs)
  Processes: explorer.exe, spoolsv.exe
  pid | process
  4144 | explorer.exe
  4140 | explorer.exe
  1144 | spoolsv.exe
  1568 | spoolsv.exe
  1908 | spoolsv.exe
  2540 | spoolsv.exe
  2756 | spoolsv.exe
  4088 | spoolsv.exe
  1752 | spoolsv.exe
  736 | spoolsv.exe
  4492 | spoolsv.exe
  5064 | spoolsv.exe
  3956 | spoolsv.exe
  3560 | spoolsv.exe
  2144 | spoolsv.exe
  4376 | spoolsv.exe
  3968 | spoolsv.exe
  3024 | spoolsv.exe
  3936 | spoolsv.exe
  1492 | spoolsv.exe
  1060 | spoolsv.exe
  1744 | spoolsv.exe
  368 | spoolsv.exe
  2112 | spoolsv.exe
  408 | spoolsv.exe
  3664 | spoolsv.exe
  5076 | spoolsv.exe
  4776 | spoolsv.exe
  5056 | spoolsv.exe
  1328 | spoolsv.exe
  680 | spoolsv.exe
  640 | spoolsv.exe
  1892 | spoolsv.exe
  916 | spoolsv.exe
  2596 | spoolsv.exe
  1020 | spoolsv.exe
  212 | spoolsv.exe
  3484 | explorer.exe
  3536 | spoolsv.exe
  1416 | spoolsv.exe
  4456 | spoolsv.exe
  2556 | spoolsv.exe
  3036 | spoolsv.exe
  544 | spoolsv.exe
  4152 | spoolsv.exe
  3252 | explorer.exe
  400 | spoolsv.exe
  1080 | spoolsv.exe
  3320 | spoolsv.exe
  2192 | spoolsv.exe
  4832 | spoolsv.exe
  4300 | spoolsv.exe
  4472 | spoolsv.exe
  2268 | explorer.exe
  384 | spoolsv.exe
  4268 | spoolsv.exe
  3392 | spoolsv.exe
  2060 | spoolsv.exe
  1432 | spoolsv.exe
  944 | spoolsv.exe
  4348 | spoolsv.exe
  4168 | spoolsv.exe
  1404 | explorer.exe
  4840 | spoolsv.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
- Suspicious use of SetThreadContext (58 IoCs)
  Processes: a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe, explorer.exe, spoolsv.exe
  description | pid | process | target process
  PID 2976 set thread context of 1796 | 2976 | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe
  PID 4144 set thread context of 4140 | 4144 | explorer.exe | explorer.exe
  PID 1144 set thread context of 212 | 1144 | spoolsv.exe | spoolsv.exe
  PID 1568 set thread context of 3536 | 1568 | spoolsv.exe | spoolsv.exe
  PID 1908 set thread context of 1416 | 1908 | spoolsv.exe | spoolsv.exe
  PID 2540 set thread context of 4456 | 2540 | spoolsv.exe | spoolsv.exe
  PID 2756 set thread context of 3036 | 2756 | spoolsv.exe | spoolsv.exe
  PID 4088 set thread context of 544 | 4088 | spoolsv.exe | spoolsv.exe
  PID 1752 set thread context of 4152 | 1752 | spoolsv.exe | spoolsv.exe
  PID 736 set thread context of 400 | 736 | spoolsv.exe | spoolsv.exe
  PID 4492 set thread context of 3320 | 4492 | spoolsv.exe | spoolsv.exe
  PID 5064 set thread context of 2192 | 5064 | spoolsv.exe | spoolsv.exe
  PID 3956 set thread context of 4832 | 3956 | spoolsv.exe | spoolsv.exe
  PID 3560 set thread context of 4300 | 3560 | spoolsv.exe | spoolsv.exe
  PID 2144 set thread context of 4472 | 2144 | spoolsv.exe | spoolsv.exe
  PID 4376 set thread context of 4268 | 4376 | spoolsv.exe | spoolsv.exe
  PID 3968 set thread context of 3392 | 3968 | spoolsv.exe | spoolsv.exe
  PID 3024 set thread context of 2060 | 3024 | spoolsv.exe | spoolsv.exe
  PID 3936 set thread context of 1432 | 3936 | spoolsv.exe | spoolsv.exe
  PID 1492 set thread context of 944 | 1492 | spoolsv.exe | spoolsv.exe
  PID 1060 set thread context of 4348 | 1060 | spoolsv.exe | spoolsv.exe
  PID 1744 set thread context of 4168 | 1744 | spoolsv.exe | spoolsv.exe
  PID 368 set thread context of 2508 | 368 | spoolsv.exe | spoolsv.exe
  PID 2112 set thread context of 3576 | 2112 | spoolsv.exe | spoolsv.exe
  PID 408 set thread context of 2220 | 408 | spoolsv.exe | spoolsv.exe
  PID 3664 set thread context of 3924 | 3664 | spoolsv.exe | spoolsv.exe
  PID 5076 set thread context of 8 | 5076 | spoolsv.exe | spoolsv.exe
  PID 4776 set thread context of 1440 | 4776 | spoolsv.exe | spoolsv.exe
  PID 5056 set thread context of 5024 | 5056 | spoolsv.exe | spoolsv.exe
  PID 1328 set thread context of 3920 | 1328 | spoolsv.exe | spoolsv.exe
  PID 680 set thread context of 3488 | 680 | spoolsv.exe | spoolsv.exe
  PID 640 set thread context of 628 | 640 | spoolsv.exe | spoolsv.exe
  PID 1892 set thread context of 4528 | 1892 | spoolsv.exe | spoolsv.exe
  PID 916 set thread context of 3680 | 916 | spoolsv.exe | spoolsv.exe
  PID 2596 set thread context of 4460 | 2596 | spoolsv.exe | spoolsv.exe
  PID 1020 set thread context of 3644 | 1020 | spoolsv.exe | spoolsv.exe
  PID 3484 set thread context of 2976 | 3484 | explorer.exe | explorer.exe
  PID 2556 set thread context of 824 | 2556 | spoolsv.exe | spoolsv.exe
  PID 3252 set thread context of 2552 | 3252 | explorer.exe | explorer.exe
  PID 1080 set thread context of 3028 | 1080 | spoolsv.exe | spoolsv.exe
  PID 2268 set thread context of 2352 | 2268 | explorer.exe | explorer.exe
  PID 384 set thread context of 2008 | 384 | spoolsv.exe | spoolsv.exe
  PID 1404 set thread context of 2848 | 1404 | explorer.exe | explorer.exe
  PID 4840 set thread context of 744 | 4840 | spoolsv.exe | spoolsv.exe
  PID 5004 set thread context of 1708 | 5004 | explorer.exe | explorer.exe
  PID 3296 set thread context of 716 | 3296 | spoolsv.exe | spoolsv.exe
  PID 4244 set thread context of 2700 | 4244 | explorer.exe | explorer.exe
  PID 1044 set thread context of 2500 | 1044 | spoolsv.exe | spoolsv.exe
  PID 2256 set thread context of 4272 | 2256 | spoolsv.exe | spoolsv.exe
  PID 1612 set thread context of 1028 | 1612 | spoolsv.exe | spoolsv.exe
  PID 1948 set thread context of 2752 | 1948 | spoolsv.exe | spoolsv.exe
  PID 676 set thread context of 4428 | 676 | spoolsv.exe | spoolsv.exe
  PID 3576 set thread context of 720 | 3576 | explorer.exe | explorer.exe
  PID 3056 set thread context of 672 | 3056 | spoolsv.exe | spoolsv.exe
  PID 4848 set thread context of 4368 | 4848 | spoolsv.exe | spoolsv.exe
  PID 4188 set thread context of 2892 | 4188 | spoolsv.exe | spoolsv.exe
  PID 3144 set thread context of 4804 | 3144 | spoolsv.exe | spoolsv.exe
  PID 2336 set thread context of 396 | 2336 | explorer.exe | explorer.exe
- Drops file in Windows directory (64 IoCs)
  Processes: explorer.exe, spoolsv.exe, a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×4)
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×11)
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×2)
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×7)
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe (×2)
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×4)
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×3)
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×3)
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×4)
  File opened for modification | C:\Windows\Parameters.ini | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×2)
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (×4)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe, explorer.exe
  pid | process
  1796 | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe (×2)
  4140 | explorer.exe (×62)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: explorer.exe
  pid | process
  4140 | explorer.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
  Processes: a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe, explorer.exe, spoolsv.exe
  pid | process
  1796 | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe (×2)
  4140 | explorer.exe (×4)
  212 | spoolsv.exe (×2)
  3536 | spoolsv.exe (×2)
  1416 | spoolsv.exe (×2)
  4456 | spoolsv.exe (×2)
  3036 | spoolsv.exe (×2)
  544 | spoolsv.exe (×2)
  4152 | spoolsv.exe (×2)
  400 | spoolsv.exe (×2)
  3320 | spoolsv.exe (×2)
  2192 | spoolsv.exe (×2)
  4832 | spoolsv.exe (×2)
  4300 | spoolsv.exe (×2)
  4472 | spoolsv.exe (×2)
  4268 | spoolsv.exe (×2)
  3392 | spoolsv.exe (×2)
  2060 | spoolsv.exe (×2)
  1432 | spoolsv.exe (×2)
  944 | spoolsv.exe (×2)
  4348 | spoolsv.exe (×2)
  4168 | spoolsv.exe (×2)
  2508 | spoolsv.exe (×2)
  3576 | spoolsv.exe (×2)
  2220 | spoolsv.exe (×2)
  3924 | spoolsv.exe (×2)
  8 | spoolsv.exe (×2)
  1440 | spoolsv.exe (×2)
  5024 | spoolsv.exe (×2)
  3920 | spoolsv.exe (×2)
  3488 | spoolsv.exe (×2)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe, explorer.exe
  description | pid | process | target process
  PID 2976 wrote to memory of 3952 | 2976 | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe | splwow64.exe (×2)
  PID 2976 wrote to memory of 1796 | 2976 | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe (×5)
  PID 1796 wrote to memory of 4144 | 1796 | a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe | explorer.exe (×3)
  PID 4144 wrote to memory of 4140 | 4144 | explorer.exe | explorer.exe (×5)
  PID 4140 wrote to memory of 1144 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 1568 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 1908 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 2540 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 2756 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 4088 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 1752 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 736 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 4492 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 5064 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 3956 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 3560 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 2144 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 4376 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 3968 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 3024 | 4140 | explorer.exe | spoolsv.exe (×3)
  PID 4140 wrote to memory of 3936 | 4140 | explorer.exe | spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a12e84111ca02ce3dc6e2280799accc6_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1144 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:212 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3484 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2976
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1568 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3536 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1908 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1416 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2540 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4456 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2756 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3036 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4088 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:544 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1752 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4152 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3252 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2552
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:736 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:400 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4492 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3320 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5064 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2192 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3956 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4832 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3560 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4300 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2144 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4472 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2268 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2352
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4376 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4268 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3968 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3392 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3024 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2060 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3936 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1432 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1492 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:944 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1060 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4348 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1744 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4168 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1404 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2848
-
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:368
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:2508
  - Suspicious use of SetWindowsHookEx
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:2112
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:3576
  - Suspicious use of SetWindowsHookEx
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:408
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:2220
  - Suspicious use of SetWindowsHookEx
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:3664
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:3924
  - Suspicious use of SetWindowsHookEx
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:5076
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:8
  - Suspicious use of SetWindowsHookEx
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:4776
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:1440
  - Suspicious use of SetWindowsHookEx
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:5004
  - Suspicious use of SetThreadContext
[depth 8] \??\c:\windows\system\explorer.exe  (cmdline: "c:\windows\system\explorer.exe")  PID:1708
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:5056
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:5024
  - Suspicious use of SetWindowsHookEx
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1328
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:3920
  - Suspicious use of SetWindowsHookEx
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:680
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:3488
  - Suspicious use of SetWindowsHookEx
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:640
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:628
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1892
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:4528
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:4244
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 8] \??\c:\windows\system\explorer.exe  (cmdline: "c:\windows\system\explorer.exe")  PID:2700
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:916
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:3680
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:2596
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:4460
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1020
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:3644
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:3576
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 8] \??\c:\windows\system\explorer.exe  (cmdline: "c:\windows\system\explorer.exe")  PID:720
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:2556
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:824
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:2336
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 8] \??\c:\windows\system\explorer.exe  (cmdline: "c:\windows\system\explorer.exe")  PID:396
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1080
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:3028
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:1792
  - Drops file in Windows directory
[depth 8] \??\c:\windows\system\explorer.exe  (cmdline: "c:\windows\system\explorer.exe")  PID:1824
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:384
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:2008
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:1324
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:4840
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:744
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:3344
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:3296
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:716
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:1436
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1044
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:2500
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:2956
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:2256
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:4272
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1612
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:1028
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:4920
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1948
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:2752
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:676
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:4428
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:3056
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:672
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:4848
  - Suspicious use of SetThreadContext
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:4368
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:3420
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:4188
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:2892
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:3144
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:4804
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:4324
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:4316
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:2768
  - Drops file in Windows directory
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:3048
[depth 7] \??\c:\windows\system\explorer.exe  (cmdline: c:\windows\system\explorer.exe)  PID:3508
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1392
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:4956
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:5052
[depth 6] \??\c:\windows\system\spoolsv.exe  (cmdline: "c:\windows\system\spoolsv.exe")  PID:1352
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:4440
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:2744
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:3248
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1464
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:4896
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:4588
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:3220
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:2404
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1100
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:4560
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:3460
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:2236
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1168
  - Drops file in Windows directory
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:1904
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:2940
[depth 5] \??\c:\windows\system\spoolsv.exe  (cmdline: c:\windows\system\spoolsv.exe SE)  PID:4680
[depth 1] C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc)  PID:4504
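The process tree above repeats one pattern many times: a spoolsv.exe launched with the bare argument SE is tagged with SetThreadContext and spawns a second copy of its own image, which in turn carries SetWindowsHookEx or goes on to spawn explorer.exe in the same parent/child arrangement. The following is an added example, not part of the sandbox report, that parses tree lines in the fused form the sandbox export produces (image path, command line, depth and ⤵ run together, PID either inline or on its own line), rebuilds parent/child links from the depth marker, and lists every SetThreadContext-flagged parent that spawned a copy of its own image. The sample lines are a subset copied from this report; the rule that the digits immediately before ⤵ are the depth and that a process's parent is the nearest earlier process one level up are assumptions about how the tree was flattened, and the pair-finding heuristic is mine, not the sandbox's signature logic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: a handful of process-tree lines copied from this report, in the
# fused form the sandbox export produces (image path, command line, depth, ⤵, optional PID).
SAMPLE = r"""\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1744 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4168 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1404 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2848
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:368 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2508 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4504
"""

# Header line: the image path runs up to its first ".exe"; the command line follows with no
# separator; the digits right before ⤵ are the tree depth (assumption: no digit of the
# command line is glued to the depth, which holds for every line in this report).
HEADER = re.compile(
    r'^(?P<image>(?:\\\?\?\\)?[A-Za-z]:\\.+?\.exe)'
    r'(?P<cmdline>.+?)'
    r'(?P<depth>\d+)⤵'
    r'(?:PID:(?P<pid>\d+))?$'
)
PIDLINE = re.compile(r'^PID:(?P<pid>\d+)\s*-?$')
STC = 'Suspicious use of SetThreadContext'

@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)
    parent: Optional['Proc'] = None
    children: List['Proc'] = field(default_factory=list)

def parse_tree(text: str) -> List[Proc]:
    """Rebuild the process list and parent/child links from the flattened tree."""
    procs: List[Proc] = []
    stack: List[Proc] = []          # most recent process seen at each depth
    current: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':  # blank or separator line
            continue
        m = HEADER.match(line)
        if m:
            current = Proc(int(m['depth']), m['image'], m['cmdline'].strip(),
                           int(m['pid']) if m['pid'] else None)
            # parent = nearest earlier process with a smaller depth (assumption)
            while stack and stack[-1].depth >= current.depth:
                stack.pop()
            if stack:
                current.parent = stack[-1]
                stack[-1].children.append(current)
            stack.append(current)
            procs.append(current)
            continue
        m = PIDLINE.match(line)
        if m and current is not None:  # PID printed after the signature list
            current.pid = int(m['pid'])
        elif line.startswith('- ') and current is not None:
            current.signatures.append(line[2:])
    return procs

def hollowing_pairs(procs: List[Proc]) -> List[Tuple[Optional[int], Optional[int]]]:
    """(parent PID, child PID) for every SetThreadContext-flagged parent that spawned a
    copy of its own image: launcher -> second copy -> thread context rewritten."""
    pairs = []
    for p in procs:
        if STC in p.signatures:
            for c in p.children:
                if c.image.lower() == p.image.lower():
                    pairs.append((p.pid, c.pid))
    return pairs

def launcher_count(procs: List[Proc], arg: str = 'SE') -> int:
    """How many processes were started with the bare launcher argument (here 'SE')."""
    return sum(1 for p in procs if p.cmdline.split()[-1] == arg)

if __name__ == '__main__':
    tree = parse_tree(SAMPLE)
    for p in tree:
        print('  ' * p.depth + f'{p.image} [{p.pid}] {p.cmdline}  {p.signatures}')
    print('launchers with SE:', launcher_count(tree))
    print('parent/child pairs with SetThreadContext on the parent:', hollowing_pairs(tree))
```

On the sample, hollowing_pairs returns (1744, 4168), (1404, 2848) and (368, 2508): each spoolsv.exe SE launcher and the explorer.exe at depth 7 rewrote the thread context of a freshly started copy of itself, which is the parent/child shape to pivot on when hunting for the same family in endpoint telemetry rather than matching on the spoolsv.exe name alone.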
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
-
Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize: 2.2MB
MD5: 5750adf02c9480245f1120e0b5a8674a
SHA1: 0708bee4981eb5382432b9c077cfc284924443a6
SHA256: 617125f18a7e0eacde66d509e62580166dee9e4760fd9b576276d5e446f64364
SHA512: 48c84c57f81e74fc1e63067dfbb65e163640631614de9a51a5f6cecff7d83ddcf7095dcd6aaa3677a4b602eb38500adf253d8b1a3fa80a250152041f9310eca3
-
Filesize: 2.2MB
MD5: 15bb643e2247951938aae6225ba18450
SHA1: 822028e3ee71c8562e09d28a58e651158786b336
SHA256: eec25b4bdf38fe18da01b82a1c3b8ae0eea3becf0952536385aa242613f689b7
SHA512: 14819648cf21668e1dd30566e0deca6901d23e89f00b8ce4b24270f1d946d452eecf168308e129c1da4bfa4422a43d039836cecbf3126babaf2601cc7fa4b67f