Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 16:18

Behavioral task: behavioral1
Sample: a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe
Size: 2.2MB
MD5: a14c5aa487f78dcca3b140ccf6ed2fb7
SHA1: 970ca829f89ca95cf0cd393c8ae6398992fddded
SHA256: 1b7bae747b9023ffd6065ab326fd2dfc8c1f411527323f85910572aa4587478b
SHA512: 323437f7a24b4316c1c40d2ec4dadbf80c1cd652b4ff8265af6ec12346543b16b87c48925b5a5ad55d42b69a3195f56b626aac27af66ca8fbc77b23670fe0b04
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZr:0UzeyQMS4DqodCnoe+iitjWwwv
Malware Config

Extracted
Family: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (2 IoCs)
Processes: a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe | a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe | a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Processes: explorer.exe, spoolsv.exe
pid | process (pids grouped per process image, in report order)
explorer.exe: 2308, 1536, 2004, 4696, 5088, 488, 1224
spoolsv.exe: 4540, 2960, 3596, 2112, 4964, 1924, 3088, 4168, 2480, 1664, 1340, 3900, 2416, 1724, 3480, 3360, 4932, 4576, 2456, 4728, 5104, 4980, 3988, 1756, 4384, 764, 3244, 3564, 3664, 4352, 1928, 3420, 408, 2752, 3924, 3920, 712, 4340, 2608, 980, 2284, 912, 1956, 4244, 1232, 2132, 3516, 1180, 2192, 3960, 3228, 3504, 776, 2968, 1148, 3692, 840
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Suspicious use of SetThreadContext (53 IoCs)
Processes: a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe, explorer.exe, spoolsv.exe
description: "PID <pid> set thread context of <target pid>"; rows grouped as process -> target process, listed as pid -> target pid in report order
a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe -> a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe: 1804 -> 2260
explorer.exe -> explorer.exe: 2308 -> 1536, 2004 -> 4236, 4696 -> 1360, 5088 -> 2876, 488 -> 2128, 1224 -> 3208, 1804 -> 1368, 4316 -> 2068, 1888 -> 180
spoolsv.exe -> spoolsv.exe: 4540 -> 1928, 2960 -> 3420, 3596 -> 408, 2112 -> 2752, 4964 -> 3920, 1924 -> 712, 3088 -> 4340, 4168 -> 2608, 2480 -> 980, 1664 -> 912, 1340 -> 1956, 3900 -> 4244, 2416 -> 1232, 1724 -> 3516, 3480 -> 1180, 3360 -> 2192, 4932 -> 3960, 4576 -> 3228, 2456 -> 776, 4728 -> 2968, 5104 -> 1148, 4980 -> 3692, 3988 -> 4284, 1756 -> 3520, 4384 -> 4784, 764 -> 1372, 3244 -> 4872, 3564 -> 3652, 3664 -> 4900, 4352 -> 4380, 3924 -> 4296, 2284 -> 3492, 2132 -> 3100, 3504 -> 5020, 840 -> 4608, 4764 -> 4740, 4732 -> 2580, 492 -> 4836, 2988 -> 1116, 2644 -> 4008, 4772 -> 2368, 3528 -> 1828, 896 -> 1648
Drops file in Windows directory (64 IoCs)
Processes: spoolsv.exe, explorer.exe, a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe
description | ioc | process (rows)
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (46 rows), explorer.exe (13 rows), a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe (1 row)
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe, explorer.exe
pid | process | rows
2260 | a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe | 2
1536 | explorer.exe | 62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: explorer.exe
pid | process
1536 | explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Processes: a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe, explorer.exe, spoolsv.exe
pid | process | rows
2260 | a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe | 2
1536 | explorer.exe | 4
1928, 3420, 408, 2752, 3920, 712, 4340, 2608, 980, 912, 1956, 4244, 1232, 3516, 1180, 2192, 3960, 3228, 776, 2968, 1148, 3692, 4284, 3520, 4784, 1372, 4872, 3652, 4900 | spoolsv.exe | 2 each
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe, explorer.exe
description | pid | process | target process | rows
PID 1804 wrote to memory of 2696 | 1804 | a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe | splwow64.exe | 2
PID 1804 wrote to memory of 2260 | 1804 | a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe | a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe | 5
PID 2260 wrote to memory of 2308 | 2260 | a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe | explorer.exe | 3
PID 2308 wrote to memory of 1536 | 2308 | explorer.exe | explorer.exe | 5
PID 1536 wrote to memory of <child pid> | 1536 | explorer.exe | spoolsv.exe | 3 rows each for child pids 4540, 2960, 3596, 2112, 4964, 1924, 3088, 4168, 2480, 1664, 1340, 3900, 2416, 1724, 3480, 3360; 1 row for 4932 (table cut off at 64 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1804
  [2] C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID:2696
  [2] C:\Users\Admin\AppData\Local\Temp\a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a14c5aa487f78dcca3b140ccf6ed2fb7_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2260
    [3] \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID:2308
      [4] \??\c:\windows\system\explorer.exe
        Command line: "c:\windows\system\explorer.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:1536
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:4540
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:1928
            [7] \??\c:\windows\system\explorer.exe
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID:2004
              [8] \??\c:\windows\system\explorer.exe
                Command line: "c:\windows\system\explorer.exe"
                PID:4236
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:2960
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:3420
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:3596
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:408
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:2112
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:2752
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:4964
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:3920
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:1924
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:712
            [7] \??\c:\windows\system\explorer.exe
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID:4696
              [8] \??\c:\windows\system\explorer.exe
                Command line: "c:\windows\system\explorer.exe"
                PID:1360
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:3088
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:4340
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:4168
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:2608
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:2480
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:980
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:1664
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:912
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID:1340
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:1956
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:3900
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:4244
            [7] \??\c:\windows\system\explorer.exe
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID:5088
              [8] \??\c:\windows\system\explorer.exe
                Command line: "c:\windows\system\explorer.exe"
                PID:2876
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:2416
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:1232
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:1724
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:3516
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:3480
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:1180
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:3360
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:2192
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID:4932
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:3960
            [7] \??\c:\windows\system\explorer.exe
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID:488
              [8] \??\c:\windows\system\explorer.exe
                Command line: "c:\windows\system\explorer.exe"
                PID:2128
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:4576
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:3228
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:2456
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:776
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:4728
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:2968
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:5104
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:1148
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:4980
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:3692
            [7] \??\c:\windows\system\explorer.exe
              Command line: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID:1224
              [8] \??\c:\windows\system\explorer.exe
                Command line: "c:\windows\system\explorer.exe"
                PID:3208
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:3988
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID:4284
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:1756
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID:3520
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:4384
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID:4784
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:764
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID:1372
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:3244
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID:4872
            [7] \??\c:\windows\system\explorer.exe
              Command line: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID:1804
              [8] \??\c:\windows\system\explorer.exe
                Command line: "c:\windows\system\explorer.exe"
                PID:1368
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID:3564
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID:3652
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID:3664
          [6] \??\c:\windows\system\spoolsv.exe
            Command line: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID:4900
        [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4352 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4380
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4316 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2068
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3924 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4296
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1888 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:180
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2284 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3492
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:1652 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2132 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3100
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2100 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3504 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:5020
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3576
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:840 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4608
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2144 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:4764 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4740
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4916
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4732 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:492 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4836
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3952 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2988 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1116
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2644 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4008
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:792
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4772 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2368
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3528 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1828
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:896 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4336 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1772
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3172 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4792
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4052 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4532 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2660 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4756
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3948 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1088 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2824 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:228 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1936 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5064 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4736 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4616
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2320
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1128
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:2748
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads