Analysis
- max time kernel: 140s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 07:47

Behavioral task: behavioral1
- Sample: a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
- Size: 2.2MB
- MD5: a8976302e11e9f4a69ceb2d5df1a09dc
- SHA1: 05dab2caf1f696bd7adfd3a0e2b8ba03530d8e22
- SHA256: be017f3334ba46b541a51c408498e36451c0a50bcf6029fd1bb36395790663e7
- SHA512: 76c8f091026a2f24020913805df6559b0a9354ec68fc6bbbe636bdca1d901005acc004a1129730e0681f6bd363ea079b6bb7c47a27d6c4fc4c59958cd022f7e5
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZK:0UzeyQMS4DqodCnoe+iitjWwwO
Malware Config
Extracted
- family: pony
- C2: http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  description | ioc | process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description | ioc | process
  - Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (2 IoCs)
  description | ioc | process
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
  pid | process
  - explorer.exe: 2580, 2172
  - spoolsv.exe: 1656, 1592, 1064, 448, 2080, 1728, 1956, 2492, 2700, 1616, 2044, 1196, 2148, 340, 2068, 2380, 2460, 2644, 768, 2240, 2332, 1448, 2432, 3068, 1020, 1352, 2328, 904, 828, 2908, 1692, 2776, 1176, 824, 800, 2232, 2656, 2364, 1396, 1232, 556, 2496, 1576, 1560, 1892, 2724, 1204, 2832, 2376, 2680, 608, 2824, 396, 2956, 2972, 1604, 2624, 2880, 2152, 532, 2872, 2200
Loads dropped DLL (64 IoCs)
  pid | process
  - 2684 | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe (2 entries)
  - 2172 | explorer.exe (62 entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext (11 IoCs)
  description | pid | process | target process
  - PID 1832 set thread context of 2684 | 1832 | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
  - PID 2580 set thread context of 2172 | 2580 | explorer.exe | explorer.exe
  - PID 1656 set thread context of 4452 | 1656 | spoolsv.exe | spoolsv.exe
  - PID 1592 set thread context of 4592 | 1592 | spoolsv.exe | spoolsv.exe
  - PID 1064 set thread context of 4528 | 1064 | spoolsv.exe | spoolsv.exe
  - PID 448 set thread context of 4648 | 448 | spoolsv.exe | spoolsv.exe
  - PID 2080 set thread context of 5760 | 2080 | spoolsv.exe | spoolsv.exe
  - PID 2492 set thread context of 7088 | 2492 | spoolsv.exe | spoolsv.exe
  - PID 1956 set thread context of 7140 | 1956 | spoolsv.exe | spoolsv.exe
  - PID 2700 set thread context of 7132 | 2700 | spoolsv.exe | spoolsv.exe
  - PID 1616 set thread context of 5972 | 1616 | spoolsv.exe | spoolsv.exe
Drops file in Windows directory (64 IoCs)
  description | ioc | process
  - File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (62 entries)
  - File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  - File opened for modification | C:\Windows\Parameters.ini | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  - 2684 | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe (1 entry)
  - 2172 | explorer.exe (63 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  - 2172 | explorer.exe
Suspicious use of SetWindowsHookEx (24 IoCs)
  pid | process
  - 2684 | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe (2 entries)
  - 2172 | explorer.exe (4 entries)
  - 4452 | spoolsv.exe (2 entries)
  - 4592 | spoolsv.exe (2 entries)
  - 4528 | spoolsv.exe (2 entries)
  - 4648 | spoolsv.exe (2 entries)
  - 5760 | spoolsv.exe (2 entries)
  - 6564 | spoolsv.exe (2 entries)
  - 7088 | spoolsv.exe (2 entries)
  - 7140 | spoolsv.exe (2 entries)
  - 7132 | spoolsv.exe (2 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  - PID 1832 wrote to memory of 2744 | 1832 | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe | splwow64.exe (4 entries)
  - PID 1832 wrote to memory of 2684 | 1832 | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe (6 entries)
  - PID 2684 wrote to memory of 2580 | 2684 | a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe | explorer.exe (4 entries)
  - PID 2580 wrote to memory of 2172 | 2580 | explorer.exe | explorer.exe (6 entries)
  - PID 2172 wrote to memory of 1656 | 2172 | explorer.exe | spoolsv.exe (4 entries)
  - PID 2172 wrote to memory of 1592 | 2172 | explorer.exe | spoolsv.exe (4 entries)
  - PID 2172 wrote to memory of 1064 | 2172 | explorer.exe | spoolsv.exe (4 entries)
  - PID 2172 wrote to memory of 448 | 2172 | explorer.exe | spoolsv.exe (4 entries)
  - PID 2172 wrote to memory of 2080 | 2172 | explorer.exe | spoolsv.exe (4 entries)
  - PID 2172 wrote to memory of 1728 | 2172 | explorer.exe | spoolsv.exe (4 entries)
  - PID 2172 wrote to memory of 1956 | 2172 | explorer.exe | spoolsv.exe (4 entries)
  - PID 2172 wrote to memory of 2492 | 2172 | explorer.exe | spoolsv.exe (4 entries)
  - PID 2172 wrote to memory of 2700 | 2172 | explorer.exe | spoolsv.exe (4 entries)
  - PID 2172 wrote to memory of 1616 | 2172 | explorer.exe | spoolsv.exe (4 entries)
  - PID 2172 wrote to memory of 2044 | 2172 | explorer.exe | spoolsv.exe (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Downloads
-
C:\Windows\Parameters.ini
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\Parameters.ini
Filesize 74B
MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
C:\Windows\system\explorer.exe
Filesize 2.2MB
MD5 846863831fd0969433db4f99e69eac6b
SHA1 f37622ba307dcc1fa2cb78c67269d543fa6c3b55
SHA256 51064899de776ab2db959b1610f12b5bff7ef6a6ca557e931fd80a9087866952
SHA512 dfb62450d4ba3e6eadf47fb19c898253d19187589a2d2584bfa034c611d512d4e6ccb3510464545b0f9d60dea9afe024123eaf88024a15eaad6e2177bb0819e3
-
\Windows\system\spoolsv.exe
Filesize 2.2MB
MD5 d38965530f52771037ee42d931cf6b16
SHA1 e6d8d398decb15f48b59915692174b90a9738f62
SHA256 a9dadf792da84e41618bb73dcff656d7fb2f35532bd7143078c4c5503281ec4a
SHA512 18af0540ae2b56fac7c4fb83dfd3ed33fe25a3266882fedee695ddb4fb3403ca6de8307fef45e237ef0b39daf0cd479267a4258c5bdb0cb5e164c6b1c9e74251