Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system -
submitted
12-06-2024 16:27
Behavioral task
behavioral1
Sample
a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe
Resource
win7-20231129-en
General
-
Target
a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
a1544c2fb91d154f7fca051fe7cf7870
-
SHA1
b7023440bc80435846fe6990412701caa8e89afa
-
SHA256
7aa5623b65ac4990f81ed71a70cf64c1953eba43bd0a7f278c87915892c63dd2
-
SHA512
a45ab2b032c7ca7c15472f7a074b3140ea0b019b10f4650e43618f0d48cc2d31dd48df3d4a8679c32a31bc3817a6a247917b52339c841fe750138fc8d599a4d1
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZJ:0UzeyQMS4DqodCnoe+iitjWww9
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe -
Drops startup file 2 IoCs
Processes:
a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
Processes:
explorer.exe, spoolsv.exe
pid | process
940 | explorer.exe
3840 | explorer.exe
3900 | spoolsv.exe
3868 | spoolsv.exe
3252 | spoolsv.exe
1332 | spoolsv.exe
3244 | spoolsv.exe
2624 | spoolsv.exe
3544 | spoolsv.exe
3140 | spoolsv.exe
1568 | spoolsv.exe
1128 | spoolsv.exe
4740 | spoolsv.exe
444 | spoolsv.exe
4648 | spoolsv.exe
1304 | spoolsv.exe
2340 | spoolsv.exe
2020 | spoolsv.exe
4316 | spoolsv.exe
4456 | spoolsv.exe
4296 | spoolsv.exe
1692 | spoolsv.exe
3732 | spoolsv.exe
4084 | spoolsv.exe
3932 | spoolsv.exe
396 | spoolsv.exe
5040 | spoolsv.exe
864 | spoolsv.exe
8 | spoolsv.exe
4132 | spoolsv.exe
4092 | spoolsv.exe
4396 | spoolsv.exe
3332 | spoolsv.exe
1352 | spoolsv.exe
808 | spoolsv.exe
924 | spoolsv.exe
2148 | spoolsv.exe
4940 | explorer.exe
372 | spoolsv.exe
1628 | spoolsv.exe
4016 | spoolsv.exe
680 | spoolsv.exe
3380 | spoolsv.exe
1072 | spoolsv.exe
2312 | spoolsv.exe
3344 | spoolsv.exe
3500 | spoolsv.exe
1172 | explorer.exe
4764 | spoolsv.exe
4708 | spoolsv.exe
3224 | spoolsv.exe
1368 | spoolsv.exe
3568 | spoolsv.exe
3488 | spoolsv.exe
2968 | spoolsv.exe
3784 | spoolsv.exe
2368 | spoolsv.exe
3596 | spoolsv.exe
4184 | explorer.exe
3136 | spoolsv.exe
1756 | spoolsv.exe
4468 | spoolsv.exe
916 | spoolsv.exe
4288 | spoolsv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe -
Suspicious use of SetThreadContext 59 IoCs
Processes:
a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe, explorer.exe, spoolsv.exe
description | pid | process | target process
PID 3104 set thread context of 2752 | 3104 | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe
PID 940 set thread context of 3840 | 940 | explorer.exe | explorer.exe
PID 3900 set thread context of 2148 | 3900 | spoolsv.exe | spoolsv.exe
PID 3868 set thread context of 372 | 3868 | spoolsv.exe | spoolsv.exe
PID 3252 set thread context of 1628 | 3252 | spoolsv.exe | spoolsv.exe
PID 1332 set thread context of 680 | 1332 | spoolsv.exe | spoolsv.exe
PID 3244 set thread context of 3380 | 3244 | spoolsv.exe | spoolsv.exe
PID 2624 set thread context of 1072 | 2624 | spoolsv.exe | spoolsv.exe
PID 3544 set thread context of 2312 | 3544 | spoolsv.exe | spoolsv.exe
PID 3140 set thread context of 3344 | 3140 | spoolsv.exe | spoolsv.exe
PID 1568 set thread context of 3500 | 1568 | spoolsv.exe | spoolsv.exe
PID 1128 set thread context of 4708 | 1128 | spoolsv.exe | spoolsv.exe
PID 4740 set thread context of 3224 | 4740 | spoolsv.exe | spoolsv.exe
PID 444 set thread context of 1368 | 444 | spoolsv.exe | spoolsv.exe
PID 4648 set thread context of 3568 | 4648 | spoolsv.exe | spoolsv.exe
PID 1304 set thread context of 3488 | 1304 | spoolsv.exe | spoolsv.exe
PID 2340 set thread context of 2968 | 2340 | spoolsv.exe | spoolsv.exe
PID 2020 set thread context of 2368 | 2020 | spoolsv.exe | spoolsv.exe
PID 4316 set thread context of 3596 | 4316 | spoolsv.exe | spoolsv.exe
PID 4456 set thread context of 3136 | 4456 | spoolsv.exe | spoolsv.exe
PID 4296 set thread context of 1756 | 4296 | spoolsv.exe | spoolsv.exe
PID 1692 set thread context of 4468 | 1692 | spoolsv.exe | spoolsv.exe
PID 3732 set thread context of 916 | 3732 | spoolsv.exe | spoolsv.exe
PID 4084 set thread context of 4288 | 4084 | spoolsv.exe | spoolsv.exe
PID 3932 set thread context of 4856 | 3932 | spoolsv.exe | spoolsv.exe
PID 396 set thread context of 5116 | 396 | spoolsv.exe | spoolsv.exe
PID 5040 set thread context of 2476 | 5040 | spoolsv.exe | spoolsv.exe
PID 864 set thread context of 4964 | 864 | spoolsv.exe | spoolsv.exe
PID 8 set thread context of 1192 | 8 | spoolsv.exe | spoolsv.exe
PID 4132 set thread context of 3208 | 4132 | spoolsv.exe | spoolsv.exe
PID 4092 set thread context of 1856 | 4092 | spoolsv.exe | spoolsv.exe
PID 4396 set thread context of 4440 | 4396 | spoolsv.exe | spoolsv.exe
PID 3332 set thread context of 1832 | 3332 | spoolsv.exe | spoolsv.exe
PID 1352 set thread context of 1300 | 1352 | spoolsv.exe | spoolsv.exe
PID 808 set thread context of 4772 | 808 | spoolsv.exe | spoolsv.exe
PID 924 set thread context of 4792 | 924 | spoolsv.exe | spoolsv.exe
PID 4940 set thread context of 4476 | 4940 | explorer.exe | explorer.exe
PID 4016 set thread context of 3908 | 4016 | spoolsv.exe | spoolsv.exe
PID 4764 set thread context of 4808 | 4764 | spoolsv.exe | spoolsv.exe
PID 1172 set thread context of 3192 | 1172 | explorer.exe | explorer.exe
PID 3784 set thread context of 1796 | 3784 | spoolsv.exe | spoolsv.exe
PID 4184 set thread context of 3860 | 4184 | explorer.exe | explorer.exe
PID 2380 set thread context of 5008 | 2380 | spoolsv.exe | spoolsv.exe
PID 4360 set thread context of 3236 | 4360 | explorer.exe | explorer.exe
PID 3684 set thread context of 1516 | 3684 | spoolsv.exe | spoolsv.exe
PID 628 set thread context of 3440 | 628 | explorer.exe | explorer.exe
PID 936 set thread context of 3780 | 936 | spoolsv.exe | spoolsv.exe
PID 2224 set thread context of 4988 | 2224 | explorer.exe | explorer.exe
PID 2776 set thread context of 4444 | 2776 | spoolsv.exe | spoolsv.exe
PID 1616 set thread context of 4828 | 1616 | spoolsv.exe | spoolsv.exe
PID 1424 set thread context of 1124 | 1424 | spoolsv.exe | spoolsv.exe
PID 4864 set thread context of 4592 | 4864 | explorer.exe | explorer.exe
PID 1688 set thread context of 1468 | 1688 | spoolsv.exe | spoolsv.exe
PID 1828 set thread context of 4228 | 1828 | spoolsv.exe | spoolsv.exe
PID 4292 set thread context of 2008 | 4292 | spoolsv.exe | spoolsv.exe
PID 3036 set thread context of 5080 | 3036 | spoolsv.exe | spoolsv.exe
PID 436 set thread context of 788 | 436 | explorer.exe | explorer.exe
PID 1624 set thread context of 2472 | 1624 | spoolsv.exe | spoolsv.exe
PID 2656 set thread context of 4912 | 2656 | spoolsv.exe | spoolsv.exe -
Drops file in Windows directory 64 IoCs
Processes:
spoolsv.exe, explorer.exe, a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | explorer.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe, explorer.exe
pid | process
2752 | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe (2 entries)
3840 | explorer.exe (62 entries) -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exe
pid | process
3840 | explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe, explorer.exe, spoolsv.exe
pid | process
2752 | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe (2 entries)
3840 | explorer.exe (4 entries)
2148 | spoolsv.exe (2 entries)
372 | spoolsv.exe (2 entries)
1628 | spoolsv.exe (2 entries)
680 | spoolsv.exe (2 entries)
3380 | spoolsv.exe (2 entries)
1072 | spoolsv.exe (2 entries)
2312 | spoolsv.exe (2 entries)
3344 | spoolsv.exe (2 entries)
3500 | spoolsv.exe (2 entries)
4708 | spoolsv.exe (2 entries)
3224 | spoolsv.exe (2 entries)
1368 | spoolsv.exe (2 entries)
3568 | spoolsv.exe (2 entries)
3488 | spoolsv.exe (2 entries)
2968 | spoolsv.exe (2 entries)
2368 | spoolsv.exe (2 entries)
3596 | spoolsv.exe (2 entries)
3136 | spoolsv.exe (2 entries)
1756 | spoolsv.exe (2 entries)
4468 | spoolsv.exe (2 entries)
916 | spoolsv.exe (2 entries)
4288 | spoolsv.exe (2 entries)
4856 | spoolsv.exe (2 entries)
5116 | spoolsv.exe (2 entries)
2476 | spoolsv.exe (2 entries)
4964 | spoolsv.exe (2 entries)
1192 | spoolsv.exe (2 entries)
3208 | spoolsv.exe (2 entries)
1856 | spoolsv.exe (2 entries) -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe, explorer.exe
description | pid | process | target process
PID 3104 wrote to memory of 1948 | 3104 | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe | splwow64.exe (2 entries)
PID 3104 wrote to memory of 2752 | 3104 | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe (5 entries)
PID 2752 wrote to memory of 940 | 2752 | a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe | explorer.exe (3 entries)
PID 940 wrote to memory of 3840 | 940 | explorer.exe | explorer.exe (5 entries)
PID 3840 wrote to memory of 3900 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 3868 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 3252 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 1332 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 3244 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 2624 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 3544 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 3140 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 1568 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 1128 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 4740 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 444 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 4648 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 1304 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 2340 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 2020 | 3840 | explorer.exe | spoolsv.exe (3 entries)
PID 3840 wrote to memory of 4316 | 3840 | explorer.exe | spoolsv.exe (1 entry)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1544c2fb91d154f7fca051fe7cf7870_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3900 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2148 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4940 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4476
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3868 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:372 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3252 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1332 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:680 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3244 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3380 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2624 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1072 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3544 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2312 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3140 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3344 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1568 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3500 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1172 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3192
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1128 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4708 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4740 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3224 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:444 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1368 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4648 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3568 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1304 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3488 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2340 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2968 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2020 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2368 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4316 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3596 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4184 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3860
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4456 -
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:3136
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4296
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1756
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1692
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4468
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3732
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:916
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4084
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4288
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3932
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4856
  - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:396
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5116
  - Suspicious use of SetWindowsHookEx
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:4360
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID:3236
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5040
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:2476
  - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:864
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4964
  - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:8
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1192
  - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4132
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:3208
  - Suspicious use of SetWindowsHookEx
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:628
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID:3440
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4092
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1856
  - Suspicious use of SetWindowsHookEx
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4396
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4440
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3332
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1832
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1352
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1300
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:808
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4772
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:2224
  - Suspicious use of SetThreadContext
[8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID:4988
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:924
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4792
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:4864
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID:4592
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4016
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:3908
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:436
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[8] \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID:788
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4764
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4808
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:532
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3784
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1796
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:3652
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:2380
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5008
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:3088
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3684
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1516
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:4408
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:936
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:3780
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:2776
  - Suspicious use of SetThreadContext
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4444
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1616
  - Suspicious use of SetThreadContext
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4828
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1424
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1124
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1688
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:1468
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1828
  - Suspicious use of SetThreadContext
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4228
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4292
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:2008
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:4324
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3036
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:5080
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:1652
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1624
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:2472
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:2656
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4912
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4024
  - Drops file in Windows directory
[6] \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID:4372
[7] \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID:3104
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3560
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3096
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4412
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4012
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1228
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4984
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3564
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3592
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:1168
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3912
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3264
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:940
  - Drops file in Windows directory
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:5096
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:4816
[5] \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID:3464
[1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc  PID:5020
Network
MITRE ATT&CK Enterprise v15
(the number after each technique is how many report signatures map to it)
Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Downloads
- (no file size reported)
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of a zero-byte input, so this download is an empty file.
- Filesize 74B
  MD5    6687785d6a31cdf9a5f80acb3abc459b
  SHA1   1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- Filesize 2.2MB
  MD5    24ae026aa7d06245624c326303935a6a
  SHA1   4c3a2ef1fb18e947e58faa3bc7c996b8ef8fe498
  SHA256 663de1261eb6a3f7fbe8972d7dbc9887246c7c73de8e7ad6d241e90179219a5f
  SHA512 2b8fb5bff398aca4571804dc66766a774d6eb340d560f842d604afee360ab8203e329d66d2f2f9a12eb15718cba88944c721e598745f23fdd308437999d1b2ac
- Filesize 2.2MB
  MD5    20c58cc6b3342c9b0f81875e6adcc17c
  SHA1   95f4f95725ee1e973cf2c029508235812236db6e
  SHA256 65e16ba8d5d9c49aa2561e4211bff7d7b1b32cb2bf38915f6d7fa3e8ea0caf35
  SHA512 6d20e3a8361060748c0cba55390917555f5036edff07976d83997fabcfcbbe41545391d4c85b84050dcf7065962faa4240bad5014cb8fe6c7f57166b5ad7ebf4