Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 07:59

Behavioral task: behavioral1
Sample: a8a28f336965cbf08f41ccce54aee62b_JaffaCakes118.exe
Resource: win7-20240419-en
General

Target: a8a28f336965cbf08f41ccce54aee62b_JaffaCakes118.exe
Size: 2.2MB
MD5: a8a28f336965cbf08f41ccce54aee62b
SHA1: 5b4de10d53ca96f6f92a2ec93448fcbfd35001a3
SHA256: efa9ec3576b15a79338be13314f76971f90ebe6c6604a39e237ed541c80af51b
SHA512: c2aaa4549844dac58d11fef68757366e13bba60b41bf4eec6a45caeabc54d2406fdc9e66ffe2af62cf11bdac67f3af8fbeb58351bd4eee9d95e64fe20bd894ba
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZd:0UzeyQMS4DqodCnoe+iitjWwwh
Malware Config

Extracted
  family: pony
  http://don.service-master.eu/gate.php
  payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
Drops startup file (2 IoCs)
  a8a28f336965cbf08f41ccce54aee62b_JaffaCakes118.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8a28f336965cbf08f41ccce54aee62b_JaffaCakes118.exe
  a8a28f336965cbf08f41ccce54aee62b_JaffaCakes118.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8a28f336965cbf08f41ccce54aee62b_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
Suspicious use of SetThreadContext (55 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  explorer.exe (PID 4376)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8a28f336965cbf08f41ccce54aee62b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8a28f336965cbf08f41ccce54aee62b_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\a8a28f336965cbf08f41ccce54aee62b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8a28f336965cbf08f41ccce54aee62b_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (tree depth 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (tree depth 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (tree depth 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Suspicious use of SetThreadContext

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (tree depth 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (tree depth 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (tree depth 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (tree depth 7)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (tree depth 5)

C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc  (tree depth 1)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads
- C:\Windows\Parameters.ini
  Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- C:\Windows\System\explorer.exe
  Filesize: 2.2MB
  MD5: d8595220685e862d5bcae8e7a691e690
  SHA1: b78a0603ba362210ea226467247ccb91a4981ab4
  SHA256: 3db50ecd4739c2721f729cf1d05b9502393c24be2dc5f21b62887b6056a24ce4
  SHA512: 25f4a57716d5bfb2cb3d483a35e586fc888c516cabc204ae4afaef86938940bc769a3b456ba6fe857f579f9fdaa35268912a8151f87605c180632926fc1731fc
- C:\Windows\System\spoolsv.exe
  Filesize: 2.2MB
  MD5: d3ba103f02066ec79a7e820efded1810
  SHA1: 15d7220a992beb10434e5820a80867ac4f492359
  SHA256: f3f3ac68729dd01d8cdf07fcd64b008859ff70eacf0d967209b0e3357df0c8fc
  SHA512: bbf71257a6a559751f9ed9377d67279e50bdeeb93050fe4b2a1b47ec7491b2b4b4d371be226db287f2285678c0ce722a0d56fd67d505c9b0d29bd209fbcb3f3b
- memory/220-2374-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/380-4884-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/436-3892-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/536-2023-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/540-52-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/540-48-0x00000000007D0000-0x00000000007D1000-memory.dmp  Filesize: 4KB
- memory/540-0-0x00000000007D0000-0x00000000007D1000-memory.dmp  Filesize: 4KB
- memory/540-46-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/612-2365-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/612-2519-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/640-2000-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/744-2033-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/744-2037-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/888-2580-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/1000-4500-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/1000-4673-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/1196-1739-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/1224-2178-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/1224-2345-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/1480-1741-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/1532-3902-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/1680-2012-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/1708-2197-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/1736-4532-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/1932-2187-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/1984-2209-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2044-2031-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/2084-4219-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2084-4120-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2180-2609-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2216-4539-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2216-4541-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2236-2155-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2236-2002-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2264-2570-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2300-1528-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/2316-2395-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2792-4296-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2832-2915-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2832-3062-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2876-3588-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2876-3720-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2896-4985-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2896-4990-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/2948-1335-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/2984-4305-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3032-1030-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/3036-1895-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/3068-2001-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/3092-2562-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3112-1334-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/3156-3598-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3156-3595-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3172-2015-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/3300-4509-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3324-1529-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/3376-3327-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3608-2922-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3608-2926-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3612-2600-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3668-49-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3668-51-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3668-84-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3668-82-0x0000000000440000-0x0000000000509000-memory.dmp  Filesize: 804KB
- memory/3744-2934-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3752-2045-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3788-4894-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3812-2025-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/3816-1029-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/3816-2022-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/3924-1999-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/3952-3450-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/3952-3319-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4072-2590-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4244-2898-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4244-2773-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4292-1530-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/4312-4768-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4340-2003-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/4340-832-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/4368-1896-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/4376-95-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4376-831-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4432-4785-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4464-90-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/4464-96-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/4480-2277-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4480-2218-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4524-1028-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/4524-2010-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/4568-1176-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/4724-4778-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4736-2385-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4808-1192-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/4836-4520-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4876-3181-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4880-2795-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4880-2790-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4904-4131-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize: 248KB
- memory/4996-1740-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB
- memory/5076-1193-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize: 1.8MB