Analysis

max time kernel:  144s
max time network: 151s
platform:         windows10-2004_x64
resource:         win10v2004-20240611-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted:        14-06-2024 07:47

Behavioral task: behavioral1
Sample:          a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
Resource:        win7-20240508-en
General

Target: a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
Size:   2.2MB
MD5:    a8976302e11e9f4a69ceb2d5df1a09dc
SHA1:   05dab2caf1f696bd7adfd3a0e2b8ba03530d8e22
SHA256: be017f3334ba46b541a51c408498e36451c0a50bcf6029fd1bb36395790663e7
SHA512: 76c8f091026a2f24020913805df6559b0a9354ec68fc6bbbe636bdca1d901005acc004a1129730e0681f6bd363ea079b6bb7c47a27d6c4fc4c59958cd022f7e5
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZK:0UzeyQMS4DqodCnoe+iitjWwwO
Malware Config

Extracted
  Family:      pony
  C2 gate:     http://don.service-master.eu/gate.php
  payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  by explorer.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by explorer.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  by explorer.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  by explorer.exe

Drops startup file (2 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe  by a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe  by a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
Executes dropped EXE (64 IoCs), pid and process in report order:
  3116 explorer.exe, 1000 explorer.exe, 4688 spoolsv.exe, 2884 spoolsv.exe, 3372 spoolsv.exe, 5116 spoolsv.exe,
  4532 spoolsv.exe, 3016 spoolsv.exe, 4388 spoolsv.exe, 1772 spoolsv.exe, 3808 spoolsv.exe, 1232 spoolsv.exe,
  3012 spoolsv.exe, 4812 spoolsv.exe, 1516 spoolsv.exe, 4384 spoolsv.exe, 1648 spoolsv.exe, 1344 spoolsv.exe,
  4992 spoolsv.exe, 2736 spoolsv.exe, 864 spoolsv.exe, 388 spoolsv.exe, 4536 spoolsv.exe, 3200 spoolsv.exe,
  3872 spoolsv.exe, 3316 spoolsv.exe, 1084 spoolsv.exe, 2672 spoolsv.exe, 1244 spoolsv.exe, 1108 spoolsv.exe,
  2448 spoolsv.exe, 860 spoolsv.exe, 4740 spoolsv.exe, 4272 spoolsv.exe, 3588 spoolsv.exe, 4928 spoolsv.exe,
  208 spoolsv.exe, 2728 explorer.exe, 4560 spoolsv.exe, 1876 spoolsv.exe, 4236 spoolsv.exe, 868 spoolsv.exe,
  3524 spoolsv.exe, 3020 spoolsv.exe, 3732 spoolsv.exe, 4300 spoolsv.exe, 2896 explorer.exe, 2404 spoolsv.exe,
  3876 spoolsv.exe, 4200 spoolsv.exe, 4204 spoolsv.exe, 228 spoolsv.exe, 3340 spoolsv.exe, 824 spoolsv.exe,
  1184 spoolsv.exe, 2176 explorer.exe, 1136 spoolsv.exe, 548 spoolsv.exe, 3568 spoolsv.exe, 4024 spoolsv.exe,
  532 spoolsv.exe, 2284 spoolsv.exe, 668 explorer.exe, 4448 spoolsv.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  by explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  by explorer.exe
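The registry writes under the WinLogon, hidden-file, Installed Components and Run key signatures are the sample's whole registry autostart footprint (the Startup-folder drop is a file write and sits outside this). The Python below is an added example, not part of the sandbox report or any tool it names: it parses IoC lines in the report's own "Set value (type) key\name = "data" process" layout, normalises the native key path (hive prefix and WOW6432Node redirection removed), and classifies each write by the persistence location it touches. Two checks a triage analyst would want are built in: the Winlogon Shell value is only flagged when it is not the bare default, and an Active Setup key whose CLSID contains non-hex characters, as the one above does, is called out as malformed. The sample lines are transcribed from the signatures above plus one constructed benign control line; the MITRE technique IDs in the comments are my mapping, not the report's.

```python
import re

# Constructed sample lines, copied in the "description ioc process" layout used
# by the Signatures section of this report, plus one benign control line.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe',
    # Benign control line (constructed, not from the report): the stock shell value.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe',
]

LINE_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?)\\([^\\]+) = "(.*)" (\S+)$')
# Active Setup keys are named by CLSIDs: 8-4-4-4-12 hex digits in braces.
CLSID_RE = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)


def parse_ioc(line):
    """Split one 'Set value' IoC into (type, key, value name, data, writing process)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    vtype, key, name, data, proc = m.groups()
    # Drop the hive prefix (HKLM or the HKU SID) and the WOW6432Node redirection
    # so 32-bit and 64-bit writes are compared against the same rule.
    key = re.sub(r'^\\REGISTRY\\(MACHINE|USER\\S-1-5-[\d-]+)\\', '', key, flags=re.I)
    key = re.sub(r'(^|\\)WOW6432Node\\', r'\1', key, flags=re.I)
    return vtype, key.lower(), name.lower(), data, proc


def audit(lines):
    """Return (technique, key\\name, detail) for every autostart or file-hiding write."""
    findings = []
    for line in lines:
        parsed = parse_ioc(line)
        if parsed is None:
            continue
        _, key, name, data, proc = parsed
        where = f'{key}\\{name}'
        if key.endswith(r'microsoft\windows nt\currentversion\winlogon') and name == 'shell':
            # Anything beyond the bare default launches a second shell at every logon.
            if data.strip().lower() != 'explorer.exe':
                findings.append(('Winlogon Shell modified (T1547.004)', where, f'{data} by {proc}'))
        elif re.search(r'microsoft\\windows\\currentversion\\run(once)?$', key):
            findings.append(('Run/RunOnce autostart (T1547.001)', where, f'{data} by {proc}'))
        elif name == 'stubpath' and r'active setup\installed components\{' in key:
            clsid = key.rsplit('\\', 1)[-1]
            detail = f'{data} by {proc}'
            if not CLSID_RE.match(clsid):
                # Letters outside 0-9A-F cannot appear in a real CLSID.
                detail += f'; malformed CLSID {clsid}'
            findings.append(('Active Setup StubPath (T1547.014)', where, detail))
        elif key.endswith(r'explorer\advanced') and name == 'showsuperhidden' and data == '0':
            findings.append(('Hides protected OS files (T1564.001)', where, f'set to 0 by {proc}'))
    return findings


if __name__ == '__main__':
    for technique, where, detail in audit(SAMPLE_IOCS):
        print(f'[{technique}] {where}: {detail}')
```

Run against the sample lines it reports five findings and stays silent on the control line; feeding it the full IoC export of a report gives a one-screen persistence summary without reading the flattened tables.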
Suspicious use of SetThreadContext (55 IoCs), "source pid -> target pid", grouped by image (source and target always share an image):
  a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe: 2872->3980
  explorer.exe: 3116->1000, 2728->5096, 2896->3228, 2176->1372, 668->3792, 3232->1676, 728->4124, 5056->1828, 1672->3920
  spoolsv.exe:  4688->208, 2884->4560, 3372->1876, 5116->4236, 4532->868, 3016->3524, 4388->3732, 1772->4300,
                3808->2404, 1232->3876, 3012->4200, 4812->4204, 1516->228, 4384->824, 1648->1184, 1344->1136,
                4992->548, 2736->3568, 864->532, 388->2284, 4536->4448, 3200->312, 3872->1068, 3316->2888,
                1084->2360, 2672->3304, 1244->2796, 1108->4484, 2448->3028, 860->2660, 4740->2712, 4272->1992,
                3588->2120, 4928->3224, 3020->1508, 3340->4404, 4024->3256, 2700->3112, 3788->3580, 116->5060,
                4276->2348, 4036->4776, 2504->2836, 4420->2440, 4612->2760
Drops file in Windows directory (64 IoCs)
  File opened for modification  C:\Windows\Parameters.ini            by spoolsv.exe (49 entries) and explorer.exe (12 entries)
  File opened for modification  \??\c:\windows\system\spoolsv.exe    by explorer.exe
  File opened for modification  C:\Windows\system\udsys.exe          by explorer.exe
  File opened for modification  \??\c:\windows\system\explorer.exe   by a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  3980 a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe (2 entries)
  1000 explorer.exe (62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  1000 explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
  3980 a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe (2 entries)
  1000 explorer.exe (4 entries)
  spoolsv.exe, 2 entries each: 208, 4560, 1876, 4236, 868, 3524, 3732, 4300, 2404, 3876, 4200, 4204, 228, 824, 1184,
                               1136, 548, 3568, 532, 2284, 4448, 1068, 2888, 2360, 3304, 2796, 4484, 3028, 2660
Suspicious use of WriteProcessMemory (64 IoCs), "source pid -> target pid", with the number of logged writes:
  2872 a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe -> 3088 splwow64.exe (2)
  2872 a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe -> 3980 a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe (5)
  3980 a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe -> 3116 explorer.exe (3)
  3116 explorer.exe -> 1000 explorer.exe (5)
  1000 explorer.exe -> spoolsv.exe, 3 writes each: 4688, 2884, 3372, 5116, 4532, 3016, 4388, 1772, 3808, 1232, 3012, 4812, 1516, 4384, 1648, 1344
  1000 explorer.exe -> 4992 spoolsv.exe (1; the list is capped at 64 entries)
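Read together, the SetThreadContext and WriteProcessMemory signatures show the sample's propagation pattern: every dropped copy starts a second instance of its own image, writes into it and then resets that instance's thread context, and the copies are named explorer.exe and spoolsv.exe but run from c:\windows\system rather than from the directories those binaries really live in. The Python below is an added example, not part of the report: it parses lines in the report's "PID X <action> of Y X image image" layout, pairs memory writes with SetThreadContext per source/target, flags a same-image target as self-hollowing, walks the lineage from the submitted sample's PID, and tests whether a well-known system binary name is running from its expected directory. The event lines are transcribed from the two signatures above except the last, a constructed control line that exercises the foreign-image branch; EXPECTED_DIR is my table of where the real binaries live.

```python
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r'^PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\S+)$')

# Sample events transcribed from the signatures above; the final line is a
# constructed control (not from the report) with a foreign-image target.
SAMPLE_EVENTS = [
    'PID 2872 wrote to memory of 3088 2872 a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe splwow64.exe',
    'PID 2872 wrote to memory of 3980 2872 a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe',
    'PID 2872 set thread context of 3980 2872 a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe',
    'PID 3980 wrote to memory of 3116 3980 a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe explorer.exe',
    'PID 3116 wrote to memory of 1000 3116 explorer.exe explorer.exe',
    'PID 3116 set thread context of 1000 3116 explorer.exe explorer.exe',
    'PID 1000 wrote to memory of 4688 1000 explorer.exe spoolsv.exe',
    'PID 4688 set thread context of 208 4688 spoolsv.exe spoolsv.exe',
    'PID 9999 set thread context of 9998 9999 dropper.exe notepad.exe',
]

# Where the genuine binaries live (my table); the dropped copies sit in c:\windows\system.
EXPECTED_DIR = {
    'explorer.exe': r'c:\windows',
    'spoolsv.exe': r'c:\windows\system32',
    'svchost.exe': r'c:\windows\system32',
}


def parse_events(lines):
    """Turn report lines into (src_pid, action, dst_pid, src_img, dst_img) tuples."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            events.append((int(src), action, int(dst), src_img, dst_img))
    return events


def find_hollowing(events):
    """Per (src, dst) pair, report SetThreadContext targets and whether a write preceded it.

    A process that writes into a fresh copy of its own image and then resets
    that copy's thread context is the hollowing / self-injection pattern the two
    signatures above record separately.
    """
    actions = defaultdict(set)
    images = {}
    for src, action, dst, src_img, dst_img in events:
        actions[(src, dst)].add(action)
        images[src], images[dst] = src_img, dst_img
    findings = []
    for (src, dst), acts in sorted(actions.items()):
        if 'set thread context of' in acts:
            kind = 'self-hollowing' if images[src] == images[dst] else 'context injection'
            findings.append((src, dst, images[dst], kind, 'wrote to memory of' in acts))
    return findings


def lineage(events, root):
    """List (pid, image) reachable from root over src->dst edges, depth first in event order."""
    children = defaultdict(list)
    images = {}
    for src, _, dst, src_img, dst_img in events:
        if dst not in children[src]:
            children[src].append(dst)
        images[src], images[dst] = src_img, dst_img
    chain, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append((pid, images.get(pid, '?')))
        stack.extend(reversed(children[pid]))
    return chain


def masquerading(path):
    """True when a known system binary name runs from a directory other than its real one."""
    p = path.lower().replace('\\??\\', '')
    folder, _, name = p.rpartition('\\')
    return name in EXPECTED_DIR and folder != EXPECTED_DIR[name]


if __name__ == '__main__':
    evs = parse_events(SAMPLE_EVENTS)
    for src, dst, img, kind, wrote in find_hollowing(evs):
        print(f'{src} -> {dst} ({img}): {kind}, write seen: {wrote}')
    print(' -> '.join(f'{pid}:{img}' for pid, img in lineage(evs, 2872)))
    print(masquerading(r'\??\c:\windows\system\explorer.exe'))
```

The report's full SetThreadContext list is 55 self-hollowing pairs, so on the real export the first function alone summarises the whole signature; the path check is the piece worth carrying into an EDR rule, since a process named explorer.exe or spoolsv.exe outside its home directory needs no sandbox to spot.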
Processes (tree depth in brackets; image path, then command line)

[1] C:\Users\Admin\AppData\Local\Temp\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe   cmd: "C:\Users\Admin\AppData\Local\Temp\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe   cmd: C:\Windows\splwow64.exe 12288
  [2] C:\Users\Admin\AppData\Local\Temp\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe   cmd: "C:\Users\Admin\AppData\Local\Temp\a8976302e11e9f4a69ceb2d5df1a09dc_JaffaCakes118.exe"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe   cmd: c:\windows\system\explorer.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe   cmd: "c:\windows\system\explorer.exe"
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe   cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe   cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe   cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe   cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe   cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe   cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe   cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe   cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe   cmd: c:\windows\system\explorer.exe
                - Suspicious use of SetThreadContext
              [8] \??\c:\windows\system\explorer.exe   cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe   cmd: c:\windows\system\explorer.exe
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe   cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe   cmd: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe   cmd: c:\windows\system\explorer.exe
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe   cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe   cmd: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
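Two things in this tree deserve a programmatic check rather than eyeballing: every spoolsv.exe and explorer.exe entry runs from c:\windows\system, which is not where Windows ships either binary (spoolsv.exe lives in C:\Windows\System32, explorer.exe in C:\Windows), and each parent the sandbox tagged with SetThreadContext spawns a child of its own image, which is the shape process hollowing takes (suspended child of the same image, entry point redirected via SetThreadContext). The following is an added example and not part of the sandbox report or of any tooling it uses. It parses the flattened tree format as extracted (path, command line and depth fused onto one line, indicator bullets beneath), rebuilds parent/child links from the depth numbers, and applies both checks. The SAMPLE lines are copied from the tree above; EXPECTED_DIR is general Windows knowledge and an assumption of this example, not something the report states.

```python
"""Parse the flattened sandbox process tree above and flag what stands out.

Added example; not part of the report. SAMPLE is copied from the tree
above. EXPECTED_DIR is general Windows knowledge (an assumption of this
example, not something the report states).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Directory each binary name ships in on a stock Windows install (assumption).
EXPECTED_DIR = {
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}

# One extracted line is "<optional \??\><image path><command line><depth>⤵".
# Every image path ends in ".exe", so a non-greedy match up to the first
# ".exe" splits the path from the command line that is fused onto it.
LINE_RE = re.compile(r"^(?:\\\?\?\\)?(?P<path>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d+)⤵$")

HOLLOW_TAG = "Suspicious use of SetThreadContext"


@dataclass
class Proc:
    path: str
    cmdline: str
    depth: int
    indicators: list = field(default_factory=list)
    parent: Optional["Proc"] = None


def parse_tree(text: str) -> list:
    """Rebuild the tree: a node's parent is the most recent node one level up."""
    procs, last_at_depth = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # bare "-" lines are list separators
            continue
        m = LINE_RE.match(line)
        if m:
            p = Proc(m["path"], m["cmd"].strip(), int(m["depth"]))
            p.parent = last_at_depth.get(p.depth - 1)
            # forget nodes at this depth or deeper so a later sibling does not adopt them
            for d in [d for d in last_at_depth if d >= p.depth]:
                del last_at_depth[d]
            last_at_depth[p.depth] = p
            procs.append(p)
        elif line.startswith("- ") and procs:
            procs[-1].indicators.append(line[2:])
    return procs


def masquerading(procs: list) -> list:
    """(proc, expected_dir) for system-binary names run from the wrong directory."""
    hits = []
    for p in procs:
        directory, _, name = p.path.lower().rpartition("\\")
        expected = EXPECTED_DIR.get(name)
        if expected and directory != expected:
            hits.append((p, expected))
    return hits


def hollowing_candidates(procs: list) -> list:
    """(parent, child) pairs where a SetThreadContext-tagged parent spawned a
    child of its own image, the shape process hollowing takes."""
    return [
        (p.parent, p) for p in procs
        if p.parent is not None
        and HOLLOW_TAG in p.parent.indicators
        and p.path.lower() == p.parent.path.lower()
    ]


# Constructed input: these lines are copied from the tree above.
SAMPLE = r"""
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
"""

if __name__ == "__main__":
    procs = parse_tree(SAMPLE)
    for p, expected in masquerading(procs):
        print(f"masquerade: {p.path} (expected in {expected})")
    for parent, child in hollowing_candidates(procs):
        print(f"hollowing?: [{parent.depth}] {parent.cmdline} -> [{child.depth}] {child.cmdline}")
```

On the sample, the svchost.exe entry is the only one that passes the directory check, and both same-image parent/child pairs (spoolsv.exe SE at depth 5 into its quoted child at depth 6, explorer.exe at depth 7 into its quoted child at depth 8) come back as hollowing candidates. The same two functions run unchanged over the full tree above; on a live host the equivalent is comparing the image path of every spoolsv.exe/explorer.exe process against the expected directory rather than trusting the file name.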
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads

- C:\Windows\Parameters.ini
  Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- C:\Windows\System\explorer.exe
  Filesize: 2.2MB
  MD5: 8b08aa0a04e5be1052ba1e0b81a08f64
  SHA1: 94f7e0955e60a1a2a86eef773133249832d2ca24
  SHA256: 409d68daef10252a463dfc6f933ea65f3e3ecc8281d82ceb2a826f62a20e1e3b
  SHA512: 2ed5ab86b6705cb533ffafbd26ee45cab36bc7a529e0fcd72258dd901badd6aecec41bbf9e16c6077f4d4fc26fc518af775555c5d033a0c0b37297a2e2ba95d1
- C:\Windows\System\spoolsv.exe
  Filesize: 2.2MB
  MD5: 5760346d333d57f2f3d191504d056516
  SHA1: c3db99080ccd947c2c5bd9e4d37eea56cb61126b
  SHA256: 2b918e2e7960b40a092f488e99e86b54baabdd80eb62d49ae906526f25a2f0b5
  SHA512: 1f39304183b12722b45af9fb94f2580f9252171b1fe75692e669843c6516915f0eb8e5dc2f3139af4a28188f16483c10d129b27c7da5697cc714887578e6911a

Memory dumps (name pattern: memory/<pid>-<seq>-<start>-<end>-memory.dmp)

- memory/208-2358-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/208-2573-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/228-2657-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/312-3073-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/312-3069-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/388-2263-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/532-2961-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/824-2737-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/864-2262-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/868-2401-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1000-100-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1000-1064-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1068-3155-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1136-2839-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1184-2830-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1184-3027-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1232-1669-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1344-2035-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1372-4622-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1508-4290-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1516-1859-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1648-2034-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1676-5063-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1772-1452-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1828-5356-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1876-2380-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1992-3587-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1992-3696-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2068-6116-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2068-6243-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2120-3671-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2120-3678-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2284-3056-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2284-3210-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2348-5472-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2348-5622-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2360-3396-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2360-3227-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2404-2599-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2440-5812-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2660-3430-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2712-3507-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2736-2261-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2760-5912-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2760-6013-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2796-3256-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2836-5726-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2872-48-0x0000000002230000-0x0000000002231000-memory.dmp (Filesize: 4KB)
- memory/2872-52-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2872-46-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2872-0-0x0000000002230000-0x0000000002231000-memory.dmp (Filesize: 4KB)
- memory/2884-2360-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2884-1201-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2888-3179-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3012-1670-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3016-1445-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3028-3422-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3112-5053-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3112-5170-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3116-101-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3116-95-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3200-2357-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3224-3908-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3224-4062-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3228-4412-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3256-4816-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3256-4935-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3304-3236-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3316-2379-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3372-2376-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3372-1202-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3524-2447-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3568-2875-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3568-2856-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3580-5255-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3580-5384-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3732-2518-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3792-4955-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3808-1668-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3872-2364-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3876-2611-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3980-51-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3980-84-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3980-49-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3980-82-0x0000000000440000-0x0000000000509000-memory.dmp (Filesize: 804KB)
- memory/4032-6210-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4124-5325-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4200-2621-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4204-2632-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4236-2389-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4300-2591-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4384-1860-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4388-1446-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4404-4679-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4404-4548-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4448-3064-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4484-3414-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4532-1444-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4536-2356-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4560-2367-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4560-2370-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4688-1065-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4688-2353-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4692-6035-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4760-6271-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4776-5571-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4812-1858-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4992-2056-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/5096-3999-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/5116-1203-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
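The dump list above encodes, in each file name, the PID, a dump sequence number and the start/end of the region that was dumped; the listed sizes are just end minus start (0x43E000 - 0x400000 = 248KB, 0x5D3000 - 0x400000 = 1.8MB, 0x509000 - 0x440000 = 804KB). The following is an added example, not part of the report or of the sandbox's own tooling: it parses those names (tolerating the "Filesize" label the extraction fused onto them), reproduces the report's size rendering, and groups the dumps so one can see which PIDs were dumped with the 248KB image at 0x400000 and which with the 1.8MB one, and which PIDs had the same region dumped more than once. SAMPLE copies six entries from the list above; no other facts about the sample are assumed.

```python
"""Parse the memory-dump names listed above and group them by mapped region.

Added example; not part of the report. The name pattern
"memory/<pid>-<seq>-<start>-<end>-memory.dmp" is taken from the list above,
and SAMPLE copies a few of its entries.
"""
import re
from collections import defaultdict

# The extracted list sometimes fuses the "Filesize" label onto the name, so
# accept it as an optional trailing token.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp(?:Filesize)?$"
)


def parse_dump_name(name: str):
    """Return pid, seq, start, end and size in bytes, or None if not a dump name."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def fmt_size(nbytes: int) -> str:
    """Render a byte count the way the report does: whole KB, or MB to one decimal."""
    kb = nbytes / 1024
    return f"{kb / 1024:.1f}MB" if kb >= 1024 else f"{kb:.0f}KB"


def by_region(entries: list) -> dict:
    """(start, end) -> sorted distinct PIDs that had that region dumped."""
    regions = defaultdict(set)
    for e in entries:
        regions[(e["start"], e["end"])].add(e["pid"])
    return {k: sorted(v) for k, v in regions.items()}


def repeated_dumps(entries: list) -> dict:
    """pid -> sorted sequence numbers, for PIDs whose same region was dumped more than once."""
    seen = defaultdict(list)
    for e in entries:
        seen[(e["pid"], e["start"], e["end"])].append(e["seq"])
    return {pid: sorted(seqs) for (pid, _, _), seqs in seen.items() if len(seqs) > 1}


# Constructed input: six names copied from the list above.
SAMPLE = """
memory/208-2358-0x0000000000400000-0x000000000043E000-memory.dmp
memory/208-2573-0x0000000000400000-0x000000000043E000-memory.dmp
memory/388-2263-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2872-48-0x0000000002230000-0x0000000002231000-memory.dmp
memory/3980-82-0x0000000000440000-0x0000000000509000-memory.dmp
memory/3980-49-0x0000000000400000-0x000000000043E000-memory.dmp
"""

ENTRIES = [e for e in map(parse_dump_name, SAMPLE.splitlines()) if e]

if __name__ == "__main__":
    for (start, end), pids in sorted(by_region(ENTRIES).items()):
        print(f"0x{start:X}-0x{end:X} ({fmt_size(end - start)}): PIDs {pids}")
    for pid, seqs in repeated_dumps(ENTRIES).items():
        print(f"PID {pid}: same region dumped at seq {seqs}")
```

Feeding the whole list above through `parse_dump_name` splits the PIDs cleanly into the two image sizes the report shows at 0x400000, which is the first thing to sort out before pulling the dumps apart: the two populations are different images mapped at the same base, not one image dumped at different times.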