Analysis
  max time kernel: 141s
  max time network: 51s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14-06-2024 07:52
Behavioral task: behavioral1
  Sample: a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe
  Resource: win7-20240611-en
General
  Target: a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe
  Size: 2.2MB
  MD5: a89b525f6718302e5c9b37dc32ba6cfa
  SHA1: f523df3371a5af17667a7679801f2b54539a5a52
  SHA256: caf655bb9e9b504f8f18fd6a52710c5510e7baec78b7b43b54a9d7e064cd6da4
  SHA512: 41724e4045cecc3314e7edcba0d282d5f343fbb6f3ceccdf8d50a72cd5dfb9663a35840579f2967aa1537bc38492dc711c06e099c318611a0811d59c6f9f22db
  SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZS:0UzeyQMS4DqodCnoe+iitjWwwm
Malware Config
  Extracted family: pony
  C2: http://don.service-master.eu/gate.php
  payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (explorer.exe)

Drops startup file (2 IoCs)
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe (a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe (a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe)

Executes dropped EXE (64 IoCs)
  pid process, in report order:
  3012 explorer.exe, 1756 explorer.exe, 440 spoolsv.exe, 2852 spoolsv.exe, 2692 spoolsv.exe, 2956 spoolsv.exe, 2488 spoolsv.exe, 5076 spoolsv.exe,
  2264 spoolsv.exe, 3452 spoolsv.exe, 3972 spoolsv.exe, 1352 spoolsv.exe, 5024 spoolsv.exe, 1476 spoolsv.exe, 4060 spoolsv.exe, 1208 spoolsv.exe,
  540 spoolsv.exe, 3836 spoolsv.exe, 4316 spoolsv.exe, 1312 spoolsv.exe, 1580 spoolsv.exe, 4732 spoolsv.exe, 3996 spoolsv.exe, 4100 spoolsv.exe,
  2936 spoolsv.exe, 2880 spoolsv.exe, 2868 spoolsv.exe, 5016 spoolsv.exe, 2624 spoolsv.exe, 4716 spoolsv.exe, 2052 spoolsv.exe, 1840 spoolsv.exe,
  4484 spoolsv.exe, 4816 explorer.exe, 3012 spoolsv.exe, 4812 spoolsv.exe, 4624 explorer.exe, 5012 spoolsv.exe, 884 spoolsv.exe, 2924 spoolsv.exe,
  4020 explorer.exe, 2340 spoolsv.exe, 1748 spoolsv.exe, 4412 spoolsv.exe, 3216 spoolsv.exe, 952 spoolsv.exe, 1076 explorer.exe, 3140 spoolsv.exe,
  3224 spoolsv.exe, 2372 spoolsv.exe, 64 spoolsv.exe, 1136 spoolsv.exe, 4952 explorer.exe, 4464 spoolsv.exe, 2176 spoolsv.exe, 3020 spoolsv.exe,
  3540 spoolsv.exe, 4648 spoolsv.exe, 3776 explorer.exe, 448 spoolsv.exe, 4588 spoolsv.exe, 388 spoolsv.exe, 1844 spoolsv.exe, 2972 spoolsv.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
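The registry writes above (Winlogon Shell, ShowSuperHidden, an Active Setup StubPath and two RunOnce values) are the whole persistence footprint of this run, and they are the same locations an analyst audits on a suspect host. The script below is an added example, written for this page; it is not Triage's signature logic or anything from the sample. It parses the IoC lines exactly as the report prints them (the six lines are copied from this page; Triage doubles the backslashes inside value data) and compares each write against what a clean system looks like. The assumptions are the default directories in EXPECTED_DIR (explorer.exe lives in C:\Windows, svchost.exe and spoolsv.exe in C:\Windows\System32), the user-writable path fragments in USER_WRITABLE, and the fact that every genuine Active Setup component key is a hex GUID; the finding strings are mine.

```python
"""Audit registry IoC lines from a sandbox report for persistence abuse (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the six registry IoC lines from this report, copied as printed.
IOC_LINES = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe
'''

SEP = '\\'
SET_RE = re.compile(r'^Set value \((?:str|int)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\.+) (?P<proc>\S+)$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)

# Assumptions: where the genuine binaries of these names live on a default install,
# and path fragments an unprivileged user can write to.
EXPECTED_DIR = {'explorer.exe': r'c:\windows',
                'svchost.exe': r'c:\windows\system32',
                'spoolsv.exe': r'c:\windows\system32'}
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\')


@dataclass
class RegIoc:
    action: str           # 'set' or 'create'
    key: str              # key path without the value name
    name: Optional[str]   # value name ('set' only)
    data: Optional[str]   # value data with the doubled backslashes collapsed ('set' only)
    process: str


def parse_line(line: str) -> Optional[RegIoc]:
    m = SET_RE.match(line)
    if m:
        key, _, name = m['path'].rpartition(SEP)
        return RegIoc('set', key, name, m['data'].replace('\\\\', '\\'), m['proc'])
    m = KEY_RE.match(line)
    if m:
        return RegIoc('create', m['path'], None, None, m['proc'])
    return None


def first_image(cmdline: str) -> str:
    """Executable path from a command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(' ', 1)[0]


def image_findings(path: str) -> list:
    out = []
    p = path.lower()
    if any(frag in p for frag in USER_WRITABLE):
        out.append(f'runs from a user-writable location: {path}')
    directory, _, base = p.rpartition(SEP)
    expected = EXPECTED_DIR.get(base)
    if expected and directory != expected:
        out.append(f'{base} outside its normal directory (system-binary name masquerade): {path}')
    return out


def assess(ioc: RegIoc) -> list:
    key, name, out = ioc.key.lower(), (ioc.name or '').lower(), []
    if key.endswith('\\winlogon') and name == 'shell':
        entries = [e.strip() for e in ioc.data.split(',')]
        if [e.lower() for e in entries] != ['explorer.exe']:
            out.append(f'Winlogon Shell replaced (default is explorer.exe): {ioc.data}')
        for e in entries:
            out.extend(image_findings(first_image(e)))
    elif key.endswith('\\explorer\\advanced') and name == 'showsuperhidden':
        if ioc.data == '0':
            out.append('ShowSuperHidden=0: protected operating-system files stay hidden in Explorer')
    elif '\\active setup\\installed components\\' in key:
        idx = key.index('\\installed components\\') + len('\\installed components\\')
        component = ioc.key[idx:].split(SEP, 1)[0]
        if not GUID_RE.match(component):
            out.append(f'Active Setup component name is not a valid GUID: {component}')
        if name == 'stubpath':
            out.append(f'Active Setup StubPath runs once per user profile at logon: {ioc.data}')
            out.extend(image_findings(first_image(ioc.data)))
    elif key.endswith(('\\currentversion\\run', '\\currentversion\\runonce')):
        out.append(f'{key.rpartition(SEP)[2]} entry "{ioc.name}" -> {ioc.data}')
        out.extend(image_findings(first_image(ioc.data)))
    return out


def analyze(text: str) -> list:
    """Return (RegIoc, findings) for every parseable line, in input order."""
    results = []
    for line in text.strip().splitlines():
        ioc = parse_line(line)
        if ioc is not None:
            results.append((ioc, assess(ioc)))
    return results


if __name__ == '__main__':
    for ioc, findings in analyze(IOC_LINES):
        print(f'[{ioc.process}] {ioc.key}' + (SEP + ioc.name if ioc.name else ''))
        for f in findings:
            print('   !', f)
```

The GUID check is the cheapest high-confidence indicator here: {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} cannot be a real CLSID because it contains non-hex characters, so no legitimate installer would ever register it. The directory check catches the other trick in this report, the copies of explorer.exe and svchost.exe planted in c:\windows\system, a directory that holds neither binary on a default install.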
Suspicious use of SetThreadContext (49 IoCs)
  source pid/image -> target pid/image; in every pair the target is a second instance of the source's own image (note that pid 3012 is reused during the run, first by explorer.exe and later by spoolsv.exe):
  3200 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe -> 1888 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe
  3012 explorer.exe -> 1756 explorer.exe
  440 spoolsv.exe -> 4484 spoolsv.exe
  2852 spoolsv.exe -> 4812 spoolsv.exe
  2692 spoolsv.exe -> 5012 spoolsv.exe
  2956 spoolsv.exe -> 2924 spoolsv.exe
  2488 spoolsv.exe -> 2340 spoolsv.exe
  5076 spoolsv.exe -> 1748 spoolsv.exe
  2264 spoolsv.exe -> 4412 spoolsv.exe
  3452 spoolsv.exe -> 952 spoolsv.exe
  3972 spoolsv.exe -> 3140 spoolsv.exe
  1352 spoolsv.exe -> 3224 spoolsv.exe
  5024 spoolsv.exe -> 2372 spoolsv.exe
  1476 spoolsv.exe -> 1136 spoolsv.exe
  4060 spoolsv.exe -> 4464 spoolsv.exe
  1208 spoolsv.exe -> 2176 spoolsv.exe
  540 spoolsv.exe -> 3540 spoolsv.exe
  3836 spoolsv.exe -> 4648 spoolsv.exe
  4316 spoolsv.exe -> 448 spoolsv.exe
  1312 spoolsv.exe -> 4588 spoolsv.exe
  1580 spoolsv.exe -> 388 spoolsv.exe
  4732 spoolsv.exe -> 2972 spoolsv.exe
  3996 spoolsv.exe -> 4788 spoolsv.exe
  4100 spoolsv.exe -> 664 spoolsv.exe
  2936 spoolsv.exe -> 3064 spoolsv.exe
  2880 spoolsv.exe -> 556 spoolsv.exe
  2868 spoolsv.exe -> 4012 spoolsv.exe
  5016 spoolsv.exe -> 1256 spoolsv.exe
  2624 spoolsv.exe -> 332 spoolsv.exe
  4716 spoolsv.exe -> 5052 spoolsv.exe
  2052 spoolsv.exe -> 1540 spoolsv.exe
  1840 spoolsv.exe -> 1048 spoolsv.exe
  4816 explorer.exe -> 4976 explorer.exe
  3012 spoolsv.exe -> 1820 spoolsv.exe
  4624 explorer.exe -> 3960 explorer.exe
  884 spoolsv.exe -> 2016 spoolsv.exe
  4020 explorer.exe -> 4860 explorer.exe
  3216 spoolsv.exe -> 808 spoolsv.exe
  1076 explorer.exe -> 5028 explorer.exe
  64 spoolsv.exe -> 1348 spoolsv.exe
  4952 explorer.exe -> 2656 explorer.exe
  3776 explorer.exe -> 4656 explorer.exe
  3020 spoolsv.exe -> 3828 spoolsv.exe
  1844 spoolsv.exe -> 2268 spoolsv.exe
  4984 explorer.exe -> 1784 explorer.exe
  3156 explorer.exe -> 4628 explorer.exe
  3548 spoolsv.exe -> 3504 spoolsv.exe
  4280 explorer.exe -> 4540 explorer.exe
  3008 spoolsv.exe -> 544 spoolsv.exe

Drops file in Windows directory (64 IoCs)
  File opened for modification C:\Windows\Parameters.ini: 60 entries (spoolsv.exe x45, explorer.exe x14, a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe x1)
  File opened for modification C:\Windows\system\udsys.exe (explorer.exe)
  File opened for modification \??\c:\windows\system\spoolsv.exe (explorer.exe)
  File opened for modification \??\c:\windows\system\explorer.exe (explorer.exe)
  File opened for modification \??\c:\windows\system\explorer.exe (a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  1888 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe (x2), 1756 explorer.exe (the remaining 62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  1756 explorer.exe

Suspicious use of SetWindowsHookEx (64 IoCs)
  1888 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe (x2), 1756 explorer.exe (x4), and two entries each for spoolsv.exe pids
  4484, 4812, 5012, 2924, 2340, 1748, 4412, 952, 3140, 3224, 2372, 1136, 4464, 2176, 3540, 4648, 448, 4588, 388, 2972, 4788, 664, 3064, 556, 4012, 1256, 332, 5052, 1540

Suspicious use of WriteProcessMemory (64 IoCs)
  source pid/image -> target pid/image (count of entries):
  3200 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe -> 4668 splwow64.exe (x2)
  3200 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe -> 1888 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe (x5)
  1888 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe -> 3012 explorer.exe (x3)
  3012 explorer.exe -> 1756 explorer.exe (x5)
  1756 explorer.exe -> spoolsv.exe pids 440, 2852, 2692, 2956, 2488, 5076, 2264, 3452, 3972, 1352, 5024, 1476, 4060, 1208, 540, 3836 (x3 each) and 4316 (x1; the table stops at 64 entries)
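The SetThreadContext and WriteProcessMemory tables above describe one technique, process hollowing: a parent starts a fresh copy of an executable, writes its own payload into that child, then uses SetThreadContext to point the child's main thread at the injected code. The tables show it happening three times in a row down the tree (the sample into a second copy of itself, explorer.exe into explorer.exe, spoolsv.exe into spoolsv.exe). The script below is an added example written for this page, not Triage's detection logic: it parses lines in the format the report prints, joins the two tables on the (parent, child) pair, and walks the resulting chain from the submitted sample. The input is constructed from this report's own lines, interleaved in the order the events would occur; the 440 -> 4484 context switch is deliberately kept without a matching write line, as in the report, whose write table is cut off at 64 rows. The verdict names are mine.

```python
"""Reconstruct process-hollowing chains from sandbox WriteProcessMemory / SetThreadContext lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: a subset of this report's "wrote to memory" and
# "set thread context" lines, interleaved in event order.
EVENTS = """\
PID 3200 wrote to memory of 4668 3200 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe splwow64.exe
PID 3200 wrote to memory of 4668 3200 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe splwow64.exe
PID 3200 wrote to memory of 1888 3200 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe
PID 3200 set thread context of 1888 3200 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe
PID 1888 wrote to memory of 3012 1888 a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe explorer.exe
PID 3012 wrote to memory of 1756 3012 explorer.exe explorer.exe
PID 3012 set thread context of 1756 3012 explorer.exe explorer.exe
PID 1756 wrote to memory of 440 1756 explorer.exe spoolsv.exe
PID 440 set thread context of 4484 440 spoolsv.exe spoolsv.exe
"""

# The report repeats the source pid after the target pid, hence the backreference.
LINE_RE = re.compile(
    r'^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) '
    r'(?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$')


@dataclass(frozen=True)
class Finding:
    parent: int
    child: int
    parent_image: str
    child_image: str
    verdict: str


def parse_events(text: str):
    """Split the lines into the set of write pairs, the set of context pairs, and image names."""
    writes, contexts, images = set(), set(), {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        pair = (int(m['src']), int(m['dst']))
        images[pair] = (m['src_img'], m['dst_img'])
        (writes if m['op'].startswith('wrote') else contexts).add(pair)
    return writes, contexts, images


def detect(text: str) -> list:
    """Classify every parent->child pair seen in the events."""
    writes, contexts, images = parse_events(text)
    out = []
    for pair in sorted(writes | contexts):
        pimg, cimg = images[pair]
        if pair in writes and pair in contexts:
            verdict = 'hollowing'            # payload written, then entry point redirected
        elif pair in contexts:
            verdict = 'context_only'         # write not observed (truncated table or another injection path)
        elif pimg == cimg:
            verdict = 'write_only_same_image'
        else:
            verdict = 'cross_process_write'
        out.append(Finding(pair[0], pair[1], pimg, cimg, verdict))
    return out


def hollowing_chain(findings, root: int) -> list:
    """PIDs hollowed by root or by any process root reached, in discovery order."""
    by_parent = defaultdict(list)
    for f in findings:
        by_parent[f.parent].append(f)
    chain, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        for f in by_parent[pid]:
            if f.verdict == 'hollowing':
                chain.append(f.child)
            stack.append(f.child)
    return chain


if __name__ == '__main__':
    findings = detect(EVENTS)
    for f in findings:
        print(f'{f.parent} {f.parent_image} -> {f.child} {f.child_image}: {f.verdict}')
    print('hollowed from 3200:', hollowing_chain(findings, 3200))
```

The join is what turns two noisy 64-row tables into a short answer: pairs that appear in both tables are the hollowed children (1888 and 1756), pairs that appear only in the context table are worth a second look rather than a verdict, and the writes to splwow64.exe and to the not-yet-hollowed explorer.exe are ordinary parent-to-child writes that would drown the signal if counted on their own.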
Processes (indentation shows depth in the process tree; the signatures that fired for each process are listed beneath it)

C:\Users\Admin\AppData\Local\Temp\a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe")
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe (cmdline: C:\Windows\splwow64.exe 12288)
  C:\Users\Admin\AppData\Local\Temp\a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\a89b525f6718302e5c9b37dc32ba6cfa_JaffaCakes118.exe")
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
        \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
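Two things in the tree above are worth automating rather than eyeballing: binaries named spoolsv.exe and explorer.exe running from c:\windows\system instead of their normal directories, and every `spoolsv.exe SE` process being flagged for SetThreadContext right before a child running the same image appears (the shape of process hollowing; the report only records the API use, the hollowing reading is an inference). The Python below is an added example, not code from the sandbox or from the sample. It rebuilds the tree from the depth column of constructed records copied from the entries above and flags both patterns; the directories in EXPECTED_DIRS are this example's assumption about a default Windows install.

```python
"""Rebuild a sandbox process tree from (path, command line, depth, signatures)
records and flag two patterns: well-known system binary names running from an
unexpected directory, and a SetThreadContext-flagged process whose direct
child runs the same image.  Added example, not sandbox or sample code."""
from dataclasses import dataclass, field
import ntpath

# Assumption of this example: where the genuine binaries with these names live
# on a default Windows install; the same basename anywhere else is a masquerade.
EXPECTED_DIRS = {
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


@dataclass
class Proc:
    path: str
    cmdline: str
    depth: int
    signatures: tuple = ()
    children: list = field(default_factory=list, repr=False, compare=False)
    parent: "Proc | None" = field(default=None, repr=False, compare=False)

    @property
    def norm_path(self) -> str:
        # Strip the NT object-manager prefix the report shows (\??\c:\...).
        p = self.path.lower()
        return p[4:] if p.startswith("\\??\\") else p

    @property
    def image(self) -> str:
        return ntpath.basename(self.norm_path)


def build_tree(records):
    """Link records into a tree using the depth column: a record's parent is
    the most recent record one level shallower.  Records with no such parent
    (the tree was cut off above them) become roots."""
    procs = [Proc(*r) for r in records]
    last_at_depth = {}
    roots = []
    for p in procs:
        parent = last_at_depth.get(p.depth - 1)
        if parent is None:
            roots.append(p)
        else:
            p.parent = parent
            parent.children.append(p)
        # A new node at depth d supersedes anything seen at d or deeper.
        for d in [d for d in last_at_depth if d >= p.depth]:
            del last_at_depth[d]
        last_at_depth[p.depth] = p
    return procs, roots


def masquerades(procs):
    """(image, directory) for each process whose basename is a known system
    binary but whose directory is not where that binary lives."""
    hits = []
    for p in procs:
        expected = EXPECTED_DIRS.get(p.image)
        directory = ntpath.dirname(p.norm_path)
        if expected is not None and directory not in expected:
            hits.append((p.image, directory))
    return hits


def hollowing_candidates(procs):
    """(parent cmdline, child cmdline) where the parent was flagged for
    SetThreadContext and a direct child runs the same image: the create
    suspended / overwrite / SetThreadContext / resume sequence."""
    hits = []
    for p in procs:
        if "Suspicious use of SetThreadContext" not in p.signatures:
            continue
        for c in p.children:
            if c.image == p.image:
                hits.append((p.cmdline, c.cmdline))
    return hits


# Constructed input: a slice of the tree above, in the report's column order.
SAMPLE = [
    (r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE", 5,
     ("Executes dropped EXE", "Suspicious use of SetThreadContext",
      "Drops file in Windows directory")),
    (r"\??\c:\windows\system\spoolsv.exe", r'"c:\windows\system\spoolsv.exe"', 6,
     ("Executes dropped EXE", "Suspicious use of SetWindowsHookEx")),
    (r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe", 7,
     ("Suspicious use of SetThreadContext", "Drops file in Windows directory")),
    (r"\??\c:\windows\system\explorer.exe", r'"c:\windows\system\explorer.exe"', 8, ()),
    (r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE", 5,
     ("Executes dropped EXE", "Suspicious use of SetThreadContext")),
    (r"\??\c:\windows\system\spoolsv.exe", r'"c:\windows\system\spoolsv.exe"', 6,
     ("Suspicious use of SetWindowsHookEx",)),
    (r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc", 1, ()),
]

if __name__ == "__main__":
    procs, roots = build_tree(SAMPLE)
    for hit in masquerades(procs):
        print("masquerade:", hit)
    for hit in hollowing_candidates(procs):
        print("hollowing candidate:", hit)
```

On the sample every spoolsv.exe and explorer.exe entry is a masquerade hit and the three SetThreadContext parents each have a same-image child; svchost.exe in system32 is not flagged.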
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Downloads
C:\Windows\Parameters.ini
  Filesize: 74B
  MD5:    6687785d6a31cdf9a5f80acb3abc459b
  SHA1:   1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

C:\Windows\Parameters.ini (second capture, no size listed; these are the digests of zero-length input, so this copy was empty when captured)
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\System\explorer.exe
  Filesize: 2.2MB
  MD5:    374fe21eea0a51b08da25f58cb2fa28f
  SHA1:   9319f62a5c69b215e385eae45d56c22aac032ac6
  SHA256: d17e9f7c2004e63aa4d21c8016a119447f966766842f63f510236fd30522c904
  SHA512: e013bb923997050e94943a29c1c38136d10cb17938161aca9fd43b2361b577c26109972225bb130dcba9f88eb7167c3b8473efae3017daaebd947283b47f9168

C:\Windows\System\spoolsv.exe
  Filesize: 2.2MB
  MD5:    b8afe4122e693c709863d51b69668993
  SHA1:   8a0433624d6a8dec07f1ce6509a13c044c4f084d
  SHA256: 5f279c2426e07dbd4a89f4d83b380302bfc91ed6ce2cea0ac299c58a3f6a1ba8
  SHA512: d3a93a8ae2200829635e0a1f72a914649d233d207d6235fa04921b4f8cdd1da0cb2f1a35da9bf28f618ae348d4a00f0cdd2f163d11b99d3d16fa7c1b917ff889
memory/332-3182-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/388-2862-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/396-5446-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/440-2032-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/440-811-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/448-2843-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/540-1883-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/544-4963-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/556-3247-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/556-3155-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/808-3738-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/808-3850-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/952-2653-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/952-2491-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1048-3360-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1136-2818-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1136-2671-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1208-1680-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/1256-3173-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1312-2030-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/1348-3980-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1352-1549-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/1476-1678-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/1540-3347-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1580-2183-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/1616-5221-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1748-2330-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1756-101-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1756-810-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1784-4465-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1784-4462-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1816-5437-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1820-3381-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1888-90-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1888-44-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1888-47-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/1888-88-0x0000000000440000-0x0000000000509000-memory.dmp  Filesize: 804KB
memory/2016-3541-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/2176-2691-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/2264-1338-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/2268-4388-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/2340-2321-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/2372-2535-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/2488-1151-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/2656-3987-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/2656-3991-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/2692-2195-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/2692-994-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/2852-812-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/2852-2180-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/2924-2481-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/2956-2311-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/2956-995-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/2972-2970-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/2972-3102-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/3012-96-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/3012-102-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/3064-2999-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/3140-2510-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/3200-48-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/3200-0-0x00000000007D0000-0x00000000007D1000-memory.dmp  Filesize: 4KB
memory/3200-43-0x00000000007D0000-0x00000000007D1000-memory.dmp  Filesize: 4KB
memory/3200-41-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/3224-2521-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/3452-1339-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/3504-4720-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/3504-4622-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/3828-4297-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/3828-4185-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/3836-1884-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/3960-3391-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/3972-1340-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/3996-2193-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/4060-1679-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/4100-2307-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/4316-1885-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/4412-2341-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4464-2682-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4484-2031-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4484-2164-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4540-4797-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4588-2852-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4628-4614-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4648-2896-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4648-2826-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4656-4178-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4704-5213-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4732-2184-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/4812-2293-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4812-2185-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4860-3549-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/4976-3372-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/5012-2194-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/5024-1550-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/5028-3797-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/5044-4984-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/5044-5122-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/5052-3434-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/5052-3262-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
memory/5076-1152-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
memory/5088-5334-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
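The dump names above encode PID, capture sequence number and the address range that was dumped, and the list falls into two shapes at image base 0x400000: 0x400000-0x5D3000 (1.8MB) and 0x400000-0x43E000 (248KB), plus a 804KB region in PID 1888 and a 4KB page in PID 3200. As an added example (not part of the report), the Python below parses an artefact list in the cleaned-up form shown above, recognises the digests of zero-length input with hashlib rather than a hard-coded table, derives each dump's region size from its name and checks it against the listed Filesize, and groups PIDs by shared region so the two image shapes can be told apart. The input text is constructed from a subset of the entries above; the rounding in human_size is an assumption about how the report formats sizes.

```python
"""Parse a sandbox 'Downloads' artefact list (dropped files with hashes and
memory dumps named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp), flag
digests of an empty file, cross-check dump sizes against their address
ranges, and group PIDs by the region they share.  Added example, not part
of the report."""
import hashlib
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Digests of zero-length input, computed rather than hard-coded.
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest()
                 for alg in ("md5", "sha1", "sha256", "sha512")}


def human_size(n: int) -> str:
    """Assumed rounding of the report: bytes below 1 KiB, whole KB below
    1 MiB, one decimal MB above."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def parse_entries(text: str):
    """Blank-line separated blocks: first line is the artefact name, the
    rest are 'Key: value' lines.  Returns [(name, {key_lower: value}), ...]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        attrs = {}
        for ln in lines[1:]:
            key, _, value = ln.partition(":")
            attrs[key.strip().lower()] = value.strip()
        entries.append((lines[0], attrs))
    return entries


def empty_file_entries(entries):
    """Names whose listed digest (under any algorithm) is the digest of b''."""
    return [name for name, attrs in entries
            if any(attrs.get(alg) == digest
                   for alg, digest in EMPTY_DIGESTS.items())]


def check_dumps(entries):
    """Returns ({(start, end): {pids}}, [(name, reported, computed), ...]);
    the list holds dumps whose listed Filesize disagrees with end - start."""
    by_region = defaultdict(set)
    mismatches = []
    for name, attrs in entries:
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid = int(m.group(1))
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        by_region[(start, end)].add(pid)
        computed = human_size(end - start)
        reported = attrs.get("filesize")
        if reported is not None and reported != computed:
            mismatches.append((name, reported, computed))
    return dict(by_region), mismatches


# Constructed input: a subset of the entries listed above, one block each.
SAMPLE_TEXT = r"""
C:\Windows\Parameters.ini
Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

C:\Windows\Parameters.ini
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Windows\System\explorer.exe
Filesize: 2.2MB
MD5: 374fe21eea0a51b08da25f58cb2fa28f
SHA1: 9319f62a5c69b215e385eae45d56c22aac032ac6
SHA256: d17e9f7c2004e63aa4d21c8016a119447f966766842f63f510236fd30522c904

memory/332-3182-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/440-2032-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/1888-88-0x0000000000440000-0x0000000000509000-memory.dmp
Filesize: 804KB

memory/3200-0-0x00000000007D0000-0x00000000007D1000-memory.dmp
Filesize: 4KB

memory/3200-48-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB
"""
ENTRIES = parse_entries(SAMPLE_TEXT)

if __name__ == "__main__":
    print("empty captures:", empty_file_entries(ENTRIES))
    regions, bad = check_dumps(ENTRIES)
    for (start, end), pids in sorted(regions.items()):
        print(f"0x{start:X}-0x{end:X} ({human_size(end - start)}): pids {sorted(pids)}")
    print("size mismatches:", bad)
```

Run against the full list above, the region grouping is what separates the PIDs that hold the 1.8MB image from those that hold only the 248KB one, which is the first split to make before pulling dumps for further analysis.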