Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 16:37
Behavioral task: behavioral1
Sample: a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
Size: 2.2MB
MD5: a15c361900631755d1ffaa9562ca5884
SHA1: 28fc8175a6dc5eaad58b0c755b7daf375fab3654
SHA256: 142b8298ee424c59e74ff3381c94733e41a74d40059723dee4caa5bb608ed866
SHA512: 51a724c0fd2b9bbcc8194f7e6d29252b9e0f5156a07ffc5ac1d16ef015cecd00fd54d2a6492eb298003d33ad8116d55f0589959a60dfdd5c0e0f074b737da252
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ8:0UzeyQMS4DqodCnoe+iitjWwwQ
Malware Config
Extracted: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Processes:
pid | process
2468 | explorer.exe
1568 | explorer.exe
2476 | spoolsv.exe
3308 | spoolsv.exe
1756 | spoolsv.exe
2644 | spoolsv.exe
3500 | spoolsv.exe
4688 | spoolsv.exe
4920 | spoolsv.exe
884 | spoolsv.exe
4804 | spoolsv.exe
3888 | spoolsv.exe
4456 | spoolsv.exe
404 | spoolsv.exe
4488 | spoolsv.exe
1544 | spoolsv.exe
436 | spoolsv.exe
5016 | spoolsv.exe
324 | spoolsv.exe
2680 | spoolsv.exe
4896 | spoolsv.exe
440 | spoolsv.exe
564 | spoolsv.exe
4840 | spoolsv.exe
1324 | spoolsv.exe
2192 | spoolsv.exe
1656 | spoolsv.exe
2908 | spoolsv.exe
4604 | spoolsv.exe
4736 | spoolsv.exe
5208 | spoolsv.exe
5548 | spoolsv.exe
5612 | spoolsv.exe
5668 | explorer.exe
5728 | spoolsv.exe
5812 | spoolsv.exe
5896 | spoolsv.exe
5140 | spoolsv.exe
5268 | spoolsv.exe
5320 | spoolsv.exe
2168 | explorer.exe
5748 | spoolsv.exe
5852 | spoolsv.exe
5128 | spoolsv.exe
2108 | spoolsv.exe
5404 | spoolsv.exe
5892 | explorer.exe
876 | spoolsv.exe
5636 | spoolsv.exe
4116 | spoolsv.exe
6004 | spoolsv.exe
5416 | spoolsv.exe
5424 | explorer.exe
5508 | spoolsv.exe
5592 | spoolsv.exe
5820 | spoolsv.exe
6056 | spoolsv.exe
5984 | explorer.exe
3448 | spoolsv.exe
6116 | spoolsv.exe
2056 | spoolsv.exe
2480 | spoolsv.exe
5436 | spoolsv.exe
5864 | spoolsv.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext (54 IoCs)
Processes:
description | pid | process | target process
PID 5080 set thread context of 3488 | 5080 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
PID 2468 set thread context of 1568 | 2468 | explorer.exe | explorer.exe
PID 2476 set thread context of 5612 | 2476 | spoolsv.exe | spoolsv.exe
PID 3308 set thread context of 5728 | 3308 | spoolsv.exe | spoolsv.exe
PID 1756 set thread context of 5812 | 1756 | spoolsv.exe | spoolsv.exe
PID 2644 set thread context of 5896 | 2644 | spoolsv.exe | spoolsv.exe
PID 3500 set thread context of 5268 | 3500 | spoolsv.exe | spoolsv.exe
PID 4688 set thread context of 5320 | 4688 | spoolsv.exe | spoolsv.exe
PID 4920 set thread context of 5748 | 4920 | spoolsv.exe | spoolsv.exe
PID 884 set thread context of 5852 | 884 | spoolsv.exe | spoolsv.exe
PID 4804 set thread context of 5128 | 4804 | spoolsv.exe | spoolsv.exe
PID 3888 set thread context of 5404 | 3888 | spoolsv.exe | spoolsv.exe
PID 4456 set thread context of 876 | 4456 | spoolsv.exe | spoolsv.exe
PID 404 set thread context of 5636 | 404 | spoolsv.exe | spoolsv.exe
PID 4488 set thread context of 4116 | 4488 | spoolsv.exe | spoolsv.exe
PID 1544 set thread context of 5416 | 1544 | spoolsv.exe | spoolsv.exe
PID 436 set thread context of 5508 | 436 | spoolsv.exe | spoolsv.exe
PID 5016 set thread context of 5592 | 5016 | spoolsv.exe | spoolsv.exe
PID 324 set thread context of 6056 | 324 | spoolsv.exe | spoolsv.exe
PID 2680 set thread context of 3448 | 2680 | spoolsv.exe | spoolsv.exe
PID 4896 set thread context of 6116 | 4896 | spoolsv.exe | spoolsv.exe
PID 440 set thread context of 2056 | 440 | spoolsv.exe | spoolsv.exe
PID 564 set thread context of 5436 | 564 | spoolsv.exe | spoolsv.exe
PID 4840 set thread context of 5864 | 4840 | spoolsv.exe | spoolsv.exe
PID 1324 set thread context of 2896 | 1324 | spoolsv.exe | spoolsv.exe
PID 2192 set thread context of 1560 | 2192 | spoolsv.exe | spoolsv.exe
PID 1656 set thread context of 5224 | 1656 | spoolsv.exe | spoolsv.exe
PID 2908 set thread context of 5264 | 2908 | spoolsv.exe | spoolsv.exe
PID 4604 set thread context of 5780 | 4604 | spoolsv.exe | spoolsv.exe
PID 4736 set thread context of 1000 | 4736 | spoolsv.exe | spoolsv.exe
PID 5208 set thread context of 5572 | 5208 | spoolsv.exe | spoolsv.exe
PID 5548 set thread context of 4336 | 5548 | spoolsv.exe | spoolsv.exe
PID 5668 set thread context of 5212 | 5668 | explorer.exe | explorer.exe
PID 5140 set thread context of 5496 | 5140 | spoolsv.exe | spoolsv.exe
PID 2168 set thread context of 4396 | 2168 | explorer.exe | explorer.exe
PID 2108 set thread context of 4760 | 2108 | spoolsv.exe | spoolsv.exe
PID 5892 set thread context of 5528 | 5892 | explorer.exe | explorer.exe
PID 6004 set thread context of 2892 | 6004 | spoolsv.exe | spoolsv.exe
PID 5424 set thread context of 6112 | 5424 | explorer.exe | explorer.exe
PID 5820 set thread context of 1904 | 5820 | spoolsv.exe | spoolsv.exe
PID 5984 set thread context of 4884 | 5984 | explorer.exe | explorer.exe
PID 2480 set thread context of 5764 | 2480 | spoolsv.exe | spoolsv.exe
PID 5876 set thread context of 5828 | 5876 | explorer.exe | explorer.exe
PID 5256 set thread context of 408 | 5256 | spoolsv.exe | spoolsv.exe
PID 5700 set thread context of 3880 | 5700 | explorer.exe | explorer.exe
PID 5740 set thread context of 4188 | 5740 | spoolsv.exe | spoolsv.exe
PID 4172 set thread context of 4828 | 4172 | spoolsv.exe | spoolsv.exe
PID 5516 set thread context of 1620 | 5516 | explorer.exe | explorer.exe
PID 2844 set thread context of 5884 | 2844 | spoolsv.exe | spoolsv.exe
PID 5628 set thread context of 2296 | 5628 | spoolsv.exe | spoolsv.exe
PID 1216 set thread context of 5992 | 1216 | explorer.exe | explorer.exe
PID 180 set thread context of 5308 | 180 | spoolsv.exe | spoolsv.exe
PID 2784 set thread context of 3660 | 2784 | spoolsv.exe | spoolsv.exe
PID 5296 set thread context of 4028 | 5296 | spoolsv.exe | spoolsv.exe
Drops file in Windows directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
3488 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
3488 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
1568 | explorer.exe (this row is repeated 62 times in the original table)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
1568 | explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Processes:
pid | process
3488 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
3488 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
1568 | explorer.exe
1568 | explorer.exe
1568 | explorer.exe
1568 | explorer.exe
5612 | spoolsv.exe
5612 | spoolsv.exe
5728 | spoolsv.exe
5728 | spoolsv.exe
5812 | spoolsv.exe
5812 | spoolsv.exe
5896 | spoolsv.exe
5896 | spoolsv.exe
5268 | spoolsv.exe
5268 | spoolsv.exe
5320 | spoolsv.exe
5320 | spoolsv.exe
5748 | spoolsv.exe
5748 | spoolsv.exe
5852 | spoolsv.exe
5852 | spoolsv.exe
5128 | spoolsv.exe
5128 | spoolsv.exe
5404 | spoolsv.exe
5404 | spoolsv.exe
876 | spoolsv.exe
876 | spoolsv.exe
5636 | spoolsv.exe
5636 | spoolsv.exe
4116 | spoolsv.exe
4116 | spoolsv.exe
5416 | spoolsv.exe
5416 | spoolsv.exe
5508 | spoolsv.exe
5508 | spoolsv.exe
5592 | spoolsv.exe
5592 | spoolsv.exe
6056 | spoolsv.exe
6056 | spoolsv.exe
3448 | spoolsv.exe
3448 | spoolsv.exe
6116 | spoolsv.exe
6116 | spoolsv.exe
2056 | spoolsv.exe
2056 | spoolsv.exe
5436 | spoolsv.exe
5436 | spoolsv.exe
5864 | spoolsv.exe
5864 | spoolsv.exe
2896 | spoolsv.exe
2896 | spoolsv.exe
1560 | spoolsv.exe
1560 | spoolsv.exe
5224 | spoolsv.exe
5224 | spoolsv.exe
5264 | spoolsv.exe
5264 | spoolsv.exe
5780 | spoolsv.exe
5780 | spoolsv.exe
1000 | spoolsv.exe
1000 | spoolsv.exe
5572 | spoolsv.exe
5572 | spoolsv.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 5080 wrote to memory of 1632 | 5080 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | splwow64.exe
PID 5080 wrote to memory of 1632 | 5080 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | splwow64.exe
PID 5080 wrote to memory of 3488 | 5080 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
PID 5080 wrote to memory of 3488 | 5080 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
PID 5080 wrote to memory of 3488 | 5080 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
PID 5080 wrote to memory of 3488 | 5080 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
PID 5080 wrote to memory of 3488 | 5080 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
PID 3488 wrote to memory of 2468 | 3488 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | explorer.exe
PID 3488 wrote to memory of 2468 | 3488 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | explorer.exe
PID 3488 wrote to memory of 2468 | 3488 | a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe | explorer.exe
PID 2468 wrote to memory of 1568 | 2468 | explorer.exe | explorer.exe
PID 2468 wrote to memory of 1568 | 2468 | explorer.exe | explorer.exe
PID 2468 wrote to memory of 1568 | 2468 | explorer.exe | explorer.exe
PID 2468 wrote to memory of 1568 | 2468 | explorer.exe | explorer.exe
PID 2468 wrote to memory of 1568 | 2468 | explorer.exe | explorer.exe
PID 1568 wrote to memory of 2476 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 2476 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 2476 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 3308 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 3308 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 3308 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 1756 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 1756 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 1756 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 2644 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 2644 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 2644 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 3500 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 3500 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 3500 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4688 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4688 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4688 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4920 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4920 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4920 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 884 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 884 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 884 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4804 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4804 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4804 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 3888 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 3888 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 3888 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4456 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4456 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4456 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 404 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 404 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 404 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4488 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4488 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 4488 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 1544 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 1544 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 1544 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 436 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 436 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 436 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 5016 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 5016 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 5016 | 1568 | explorer.exe | spoolsv.exe
PID 1568 wrote to memory of 324 | 1568 | explorer.exe | spoolsv.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 5080

[depth 2] C:\Windows\splwow64.exe
  command line: C:\Windows\splwow64.exe 12288
  PID: 1632

[depth 2] C:\Users\Admin\AppData\Local\Temp\a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a15c361900631755d1ffaa9562ca5884_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3488

[depth 3] \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2468

[depth 4] \??\c:\windows\system\explorer.exe
  command line: "c:\windows\system\explorer.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1568

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 2476

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5612

[depth 7] \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 5668

[depth 8] \??\c:\windows\system\explorer.exe
  command line: "c:\windows\system\explorer.exe"
  PID: 5212
[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3308

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5728

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1756

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5812

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2644

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5896

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 3500

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5268

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4688

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5320

[depth 7] \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 2168

[depth 8] \??\c:\windows\system\explorer.exe
  command line: "c:\windows\system\explorer.exe"
  PID: 4396

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4920

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5748

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 884

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5852

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4804

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5128

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 3888

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5404

[depth 7] \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 5892

[depth 8] \??\c:\windows\system\explorer.exe
  command line: "c:\windows\system\explorer.exe"
  PID: 5528
[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4456

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 876

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 404

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5636

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4488

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4116

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1544

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5416

[depth 7] \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 5424

[depth 8] \??\c:\windows\system\explorer.exe
  command line: "c:\windows\system\explorer.exe"
  PID: 6112

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 436

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5508

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 5016

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5592

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 324

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 6056

[depth 7] \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 5984

[depth 8] \??\c:\windows\system\explorer.exe
  command line: "c:\windows\system\explorer.exe"
  PID: 4884
[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 2680

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 3448

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4896

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 6116

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 440

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 2056

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 564

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5436

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 4840

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5864

[depth 7] \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 5876

[depth 8] \??\c:\windows\system\explorer.exe
  command line: "c:\windows\system\explorer.exe"
  PID: 5828

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 1324

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Suspicious use of SetWindowsHookEx
  PID: 2896

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 2192

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Suspicious use of SetWindowsHookEx
  PID: 1560

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 1656

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Suspicious use of SetWindowsHookEx
  PID: 5224

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2908

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Suspicious use of SetWindowsHookEx
  PID: 5264

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4604

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Suspicious use of SetWindowsHookEx
  PID: 5780

[depth 7] \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 5700

[depth 8] \??\c:\windows\system\explorer.exe
  command line: "c:\windows\system\explorer.exe"
  PID: 3880

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4736

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
  - Suspicious use of SetWindowsHookEx
  PID: 1000

[depth 5] \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  PID: 5208

[depth 6] \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx
PID:5572 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
PID:5516 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1620
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5548 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4336
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1216 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5992
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5140 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5496
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2384 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4952
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2108 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4760
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4448 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:6004 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2892
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3636 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5820 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1904
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:1980 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2480 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5764
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4556 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5256 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:408
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:6044 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5740 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4172 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4828
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2844 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5884
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5688 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5628 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2296
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:180 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5308
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5176 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:2784 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3660
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5296 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4028
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:6028
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2220 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5152
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4408 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:588
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2400
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4024 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5468
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1388 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:392 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3288 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2268 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5624
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2516 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5196 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2660
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2984 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5132 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5532
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:3444
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:81⤵PID:1176
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1
Downloads
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize: 2.2MB
MD5: ab0bfb9e6af243d642e9780e2f91a1cd
SHA1: 9f7c530068eab0aae41225c0a972c01d77645ad0
SHA256: 28ccf8d7c11fe76d413489a1fb36d20cf760885e69bca6c98bd4af3ab29c0fc0
SHA512: 29121c5ef83266ff2104c82ee5666a26d2b0d129d4508da58a030dc0ae5b1e040fcd42e6f050dae2c3b47a9ac0b7aa784083aecd5e0a2e06f7867c1155a6731c
-
Filesize: 2.2MB
MD5: c7ed4264d1575f09071404ad40049fdb
SHA1: 436b0070ecde61db6c3e1e2270426f7cf21b735c
SHA256: c9bf808e0ef08a689e12fb9f9b3cd41070a4a5992e1f0e8bedf06f399b5f88a2
SHA512: 728b5b3a3d7d809de2dc98cbf17491e213542785a62becc3fe77cd32066497ebf8d1d3b8d763ed35f7135b0b3649a091733a2a7e6475ce37a6a63b4f7a64c427