Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 16:15

Behavioral task: behavioral1
Sample: a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe
Size: 2.2MB
MD5: a149b7b14fe6bedff3ea81e8b95a6e60
SHA1: 6146aa14ba2859fd8eff70d202b74cf4bc1df018
SHA256: d0582c52ab992b3a944e231d5476af30666ac8791ac00e4fe52c6feb4a34cecd
SHA512: 000ea0f954b4f3f345751ac77cc0b57ac1eff7d7269fde253372679d7656a849375b60bfe8c3fb00c5e4f890dc4654799b47d3d34201bfa6d167e9c1cec46a37
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZx:0UzeyQMS4DqodCnoe+iitjWww9
Malware Config
Extracted
Family: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: explorer.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: explorer.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Drops startup file (2 IoCs)
Processes: a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe (process: a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe (process: a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe)
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: explorer.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext (49 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: explorer.exe (PID 2812)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe (PID 4364)
    cmd: "C:\Users\Admin\AppData\Local\Temp\a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe (PID 2600)
      cmd: C:\Windows\splwow64.exe 12288
  [2] C:\Users\Admin\AppData\Local\Temp\a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe (PID 2864)
      cmd: "C:\Users\Admin\AppData\Local\Temp\a149b7b14fe6bedff3ea81e8b95a6e60_JaffaCakes118.exe"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe (PID 1148)
        cmd: c:\windows\system\explorer.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe (PID 2812)
          cmd: "c:\windows\system\explorer.exe"
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe (PID 3028)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 1220)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 2968)
                cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 4552)
                  cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4040)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 2604)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 1744)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 3220)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3944)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2644)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4884)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3100)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4460)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4976)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4544)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3876)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4764)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 3544)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3788)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2624)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3292)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3500)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3852)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 3596)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 4112)
                cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 3484)
                  cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4516)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 4932)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 760)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 2972)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4472)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3140)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4400)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4344)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2568)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1680)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4968)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 1488)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3520)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4188)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3888)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 3260)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 4588)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4308)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2824)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4744)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 4280)
                cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe (PID 4760)
                  cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe (PID 4348)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 5040)
              cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 2708)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4068)
              cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 500)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 2232)
              cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 684)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe (PID 948)
              cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 812)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 792)
              cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 3364)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 220)
              cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe (PID 652)
            cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe (PID 4440)
              cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe (PID 1160)
                cmd: c:\windows\system\explorer.exe
                - Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe (PID 3516)
                  cmd: "c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1508 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2248 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2580 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4800
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4632 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4680
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1308 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1564
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3824 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4128
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4004 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3056
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4356 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3340
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2240 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4052
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1716 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2484
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2632 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1348
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3356 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4080
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4184 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1652 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4436
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1872
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1216 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4260
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4924
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1140 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1940
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2288 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3636
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4784
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2688 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1768
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5028 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1752
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1292 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2192
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1148
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4136 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3776
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5084
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2692
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4896 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2620
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4980 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3932
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4340 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5000
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2648
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1612
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2920
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3496 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4372
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4856 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2008 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2984 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:612 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2848 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4468 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2952 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1396 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4912 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2076 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3244
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3712
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2948 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2668 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:664 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2572 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3128
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4832
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4740
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads
-
Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize: 2.2MB
MD5: 256c28662ded9b51c487c5bb5c6a6b65
SHA1: 0247479106b5c9afc18193e36551bfa6248f61b2
SHA256: d84d3b5b3b4e9dfd9ad6e9c6bd04f0aedce1f57e20a3cefa8b84c8e9cef6e17b
SHA512: e3d66b98678da6e2f1276dbfa67d6289d781d9683ca73f5de8e1006e0d9c38379830a25062e78c0165ff5828c178dfe6f6625474ef553ab008bce8ffc3b4fd27
-
Filesize: 2.2MB
MD5: d4953b99f4191dc026264b3f0d49bb76
SHA1: 63e328be76e7bdf4eef7d0807782522611594801
SHA256: c8662ff7814bda499c0cc78afb74d36f6c3f3397be920735ceeee359902e462c
SHA512: bd3e84f668e54aea581cd34b8ffbad01c2f8ec166175f7f1a49e6e729cb81422235df8b3f8a468d10970e5dac7e0a762f0f8e875dc781e43fc5eaf3a65c6ccbd