Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 08:04
Behavioral task: behavioral1
Sample: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
Size: 2.2MB
MD5: a8a73cfa81faba2406e9d5667bb2e1bb
SHA1: bee5a324ee2a725507189bb65e1750f0a6e8d152
SHA256: 0156d1f5123b44015999b9c8ba3b431fb5a7cbc35f4a4a8e898801c536a01d81
SHA512: 05c441f4e460fdfea233b604021ec53258c9e3c8436b14eb6b9c42dba744a75ca8040494548fadefbd4044ae888442b50bdc75e2749ef41a02a709f56eca1bc7
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZr:0UzeyQMS4DqodCnoe+iitjWwwv
Malware Config
Extracted
family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (2 IoCs)
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Processes: explorer.exe, spoolsv.exe
pid | process
3344 | explorer.exe
5084 | explorer.exe
760 | spoolsv.exe
4504 | spoolsv.exe
4132 | spoolsv.exe
5032 | spoolsv.exe
2752 | spoolsv.exe
1892 | spoolsv.exe
4948 | spoolsv.exe
2180 | spoolsv.exe
3436 | spoolsv.exe
1396 | spoolsv.exe
4636 | spoolsv.exe
4852 | spoolsv.exe
4972 | spoolsv.exe
3868 | spoolsv.exe
4916 | spoolsv.exe
2440 | spoolsv.exe
3632 | spoolsv.exe
3920 | spoolsv.exe
3672 | spoolsv.exe
2344 | spoolsv.exe
3708 | spoolsv.exe
4720 | spoolsv.exe
4808 | spoolsv.exe
868 | spoolsv.exe
1416 | spoolsv.exe
3020 | spoolsv.exe
2956 | spoolsv.exe
1804 | spoolsv.exe
4624 | explorer.exe
316 | spoolsv.exe
3204 | spoolsv.exe
1264 | spoolsv.exe
4232 | spoolsv.exe
3052 | spoolsv.exe
1060 | spoolsv.exe
1028 | spoolsv.exe
672 | spoolsv.exe
2028 | spoolsv.exe
4340 | explorer.exe
3192 | spoolsv.exe
1744 | spoolsv.exe
3540 | spoolsv.exe
1828 | explorer.exe
3492 | spoolsv.exe
4804 | spoolsv.exe
432 | explorer.exe
1728 | spoolsv.exe
3764 | spoolsv.exe
2112 | spoolsv.exe
4484 | spoolsv.exe
5060 | spoolsv.exe
4588 | explorer.exe
3456 | spoolsv.exe
3984 | spoolsv.exe
2616 | spoolsv.exe
224 | spoolsv.exe
1032 | spoolsv.exe
3704 | explorer.exe
3212 | spoolsv.exe
2624 | spoolsv.exe
2968 | spoolsv.exe
932 | spoolsv.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
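The four registry signatures above (Winlogon Shell, ShowSuperHidden, Active Setup StubPath, RunOnce) are this sample's persistence and evasion footprint. The script below is an added example (editor's code, not part of the sandbox report and not the sandbox's detection logic). Its input is constructed: the five "Set value" rows are copied from the signature tables above, and a sixth, made-up OneDrive Run entry serves as a benign control. The severity rules are the editor's own heuristics: a Winlogon Shell other than explorer.exe; an Active Setup entry whose name is not a well-formed GUID or whose StubPath points into a user-writable directory; Run/RunOnce entries pointing into user-writable directories or into the legacy C:\Windows\System directory (not System32) that this sample drops its copies into; and ShowSuperHidden set to 0.

```python
"""Flag persistence-style registry writes in sandbox "Set value" rows.

Added example for this report (editor's code, not sandbox output or logic).
The first five event lines are copied from the registry IoC rows above; the
sixth is a constructed benign Run entry used as a control. Severity rules
are the editor's heuristics.
"""
import re
from dataclasses import dataclass

SANDBOX_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" OneDrive.exe
'''

# Row shape: Set value (<type>) <key>\<name> = "<data>" <process>
EVENT_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
RUN_KEY_RE = re.compile(r'\\currentversion\\run(once)?$')
# Locations an unprivileged user can write, plus the legacy C:\Windows\System
# directory (not System32) that this sample drops its copies into.
ODD_DIRS = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\', '\\windows\\system\\')


@dataclass
class RegEvent:
    vtype: str
    key: str
    name: str
    data: str
    process: str


@dataclass
class Finding:
    severity: str
    process: str
    value: str
    reason: str


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        vtype, path, data, proc = m.groups()
        key, name = path.rsplit('\\', 1)
        # The sandbox prints string data with doubled backslashes; undo that.
        events.append(RegEvent(vtype, key, name, data.replace('\\\\', '\\'), proc))
    return events


def classify(ev: RegEvent) -> list:
    key, name, data = ev.key.lower(), ev.name.lower(), ev.data.lower()
    odd_dir = any(d in data for d in ODD_DIRS)
    leaf = ev.key.rsplit('\\', 1)[1]          # last key component
    hits = []
    if key.endswith('\\winlogon') and name == 'shell':
        if data.strip() != 'explorer.exe':
            hits.append(('high', 'Winlogon Shell is no longer the default explorer.exe'))
    elif '\\active setup\\installed components\\' in key and name == 'stubpath':
        hits.append(('high' if odd_dir else 'medium',
                     'Active Setup StubPath runs once per user at logon'))
        if not GUID_RE.fullmatch(leaf):
            hits.append(('high', 'Installed Components entry is not a well-formed GUID'))
    elif RUN_KEY_RE.search(key):
        hits.append(('high' if odd_dir else 'low', f'autorun entry under {leaf}'))
    elif key.endswith('\\explorer\\advanced') and name == 'showsuperhidden' and data == '0':
        hits.append(('medium', 'ShowSuperHidden=0 hides protected operating-system files'))
    return [Finding(sev, ev.process, ev.key + '\\' + ev.name, why) for sev, why in hits]


def scan(text: str) -> list:
    return [f for ev in parse_events(text) for f in classify(ev)]


if __name__ == '__main__':
    for f in scan(SANDBOX_EVENTS):
        print(f'[{f.severity:6}] {f.process:13} {f.value}')
        print(f'         {f.reason}')
```

Run as a script it prints five high, one medium and one low finding; the control entry stays low because it points into Program Files. The malformed-GUID check is worth keeping in a hunt: {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} contains letters outside 0-9A-F, which Active Setup itself never validates but which no legitimate installer writes. The same rules can be pointed at Sysmon Event ID 13 (RegistryEvent, value set) output once the key paths are normalised to the \REGISTRY\MACHINE and \REGISTRY\USER form used here.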
Suspicious use of SetThreadContext (55 IoCs)
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe, explorer.exe, spoolsv.exe
source pid | target pid | source process | target process
1196 | 5068 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
3344 | 5084 | explorer.exe | explorer.exe
760 | 1804 | spoolsv.exe | spoolsv.exe
4504 | 3204 | spoolsv.exe | spoolsv.exe
4132 | 1264 | spoolsv.exe | spoolsv.exe
5032 | 4232 | spoolsv.exe | spoolsv.exe
2752 | 3052 | spoolsv.exe | spoolsv.exe
1892 | 1060 | spoolsv.exe | spoolsv.exe
4948 | 1028 | spoolsv.exe | spoolsv.exe
2180 | 2028 | spoolsv.exe | spoolsv.exe
3436 | 3192 | spoolsv.exe | spoolsv.exe
1396 | 3540 | spoolsv.exe | spoolsv.exe
4636 | 4804 | spoolsv.exe | spoolsv.exe
4852 | 1728 | spoolsv.exe | spoolsv.exe
4972 | 3764 | spoolsv.exe | spoolsv.exe
3868 | 5060 | spoolsv.exe | spoolsv.exe
4916 | 3456 | spoolsv.exe | spoolsv.exe
2440 | 3984 | spoolsv.exe | spoolsv.exe
3632 | 224 | spoolsv.exe | spoolsv.exe
3920 | 1032 | spoolsv.exe | spoolsv.exe
3672 | 3212 | spoolsv.exe | spoolsv.exe
2344 | 2624 | spoolsv.exe | spoolsv.exe
3708 | 2968 | spoolsv.exe | spoolsv.exe
4720 | 3732 | spoolsv.exe | spoolsv.exe
4808 | 4016 | spoolsv.exe | spoolsv.exe
868 | 2992 | spoolsv.exe | spoolsv.exe
1416 | 2304 | spoolsv.exe | spoolsv.exe
3020 | 548 | spoolsv.exe | spoolsv.exe
2956 | 4148 | spoolsv.exe | spoolsv.exe
316 | 4156 | spoolsv.exe | spoolsv.exe
4624 | 332 | explorer.exe | explorer.exe
672 | 1160 | spoolsv.exe | spoolsv.exe
4340 | 2996 | explorer.exe | explorer.exe
1744 | 1624 | spoolsv.exe | spoolsv.exe
1828 | 1808 | explorer.exe | explorer.exe
3492 | 1716 | spoolsv.exe | spoolsv.exe
432 | 1016 | explorer.exe | explorer.exe
2112 | 960 | spoolsv.exe | spoolsv.exe
4484 | 2524 | spoolsv.exe | spoolsv.exe
4588 | 4220 | explorer.exe | explorer.exe
2616 | 4412 | spoolsv.exe | spoolsv.exe
3704 | 740 | explorer.exe | explorer.exe
932 | 3108 | spoolsv.exe | spoolsv.exe
2488 | 3464 | explorer.exe | explorer.exe
1544 | 2476 | spoolsv.exe | spoolsv.exe
1628 | 3572 | explorer.exe | explorer.exe
1384 | 5004 | spoolsv.exe | spoolsv.exe
4820 | 4788 | spoolsv.exe | spoolsv.exe
844 | 3936 | explorer.exe | explorer.exe
2284 | 5108 | spoolsv.exe | spoolsv.exe
1548 | 2040 | spoolsv.exe | spoolsv.exe
2164 | 848 | spoolsv.exe | spoolsv.exe
3880 | 4008 | explorer.exe | explorer.exe
1340 | 2244 | spoolsv.exe | spoolsv.exe
4308 | 3476 | explorer.exe | explorer.exe
Drops file in Windows directory (64 IoCs)
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe, explorer.exe, spoolsv.exe
description | ioc | process | hits
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe | 45
File opened for modification | C:\Windows\Parameters.ini | explorer.exe | 14
File opened for modification | C:\Windows\Parameters.ini | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe | 1
File opened for modification | \??\c:\windows\system\explorer.exe | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | 1
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe | 1
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe | 1
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe, explorer.exe
pid | process | hits
5068 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | 2
5084 | explorer.exe | 62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: explorer.exe
pid | process
5084 | explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe, explorer.exe, spoolsv.exe
pid | process | hits
5068 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | 2
5084 | explorer.exe | 4
1804 | spoolsv.exe | 2
3204 | spoolsv.exe | 2
1264 | spoolsv.exe | 2
4232 | spoolsv.exe | 2
3052 | spoolsv.exe | 2
1060 | spoolsv.exe | 2
1028 | spoolsv.exe | 2
2028 | spoolsv.exe | 2
3192 | spoolsv.exe | 2
3540 | spoolsv.exe | 2
4804 | spoolsv.exe | 2
1728 | spoolsv.exe | 2
3764 | spoolsv.exe | 2
5060 | spoolsv.exe | 2
3456 | spoolsv.exe | 2
3984 | spoolsv.exe | 2
224 | spoolsv.exe | 2
1032 | spoolsv.exe | 2
3212 | spoolsv.exe | 2
2624 | spoolsv.exe | 2
2968 | spoolsv.exe | 2
3732 | spoolsv.exe | 2
4016 | spoolsv.exe | 2
2992 | spoolsv.exe | 2
2304 | spoolsv.exe | 2
548 | spoolsv.exe | 2
4148 | spoolsv.exe | 2
4156 | spoolsv.exe | 2
332 | explorer.exe | 2
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe, explorer.exe
source pid | target pid | source process | target process | hits
1196 | 4976 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | splwow64.exe | 2
1196 | 5068 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | 5
5068 | 3344 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | explorer.exe | 3
3344 | 5084 | explorer.exe | explorer.exe | 5
5084 | 760 | explorer.exe | spoolsv.exe | 3
5084 | 4504 | explorer.exe | spoolsv.exe | 3
5084 | 4132 | explorer.exe | spoolsv.exe | 3
5084 | 5032 | explorer.exe | spoolsv.exe | 3
5084 | 2752 | explorer.exe | spoolsv.exe | 3
5084 | 1892 | explorer.exe | spoolsv.exe | 3
5084 | 4948 | explorer.exe | spoolsv.exe | 3
5084 | 2180 | explorer.exe | spoolsv.exe | 3
5084 | 3436 | explorer.exe | spoolsv.exe | 3
5084 | 1396 | explorer.exe | spoolsv.exe | 3
5084 | 4636 | explorer.exe | spoolsv.exe | 3
5084 | 4852 | explorer.exe | spoolsv.exe | 3
5084 | 4972 | explorer.exe | spoolsv.exe | 3
5084 | 3868 | explorer.exe | spoolsv.exe | 3
5084 | 4916 | explorer.exe | spoolsv.exe | 3
5084 | 2440 | explorer.exe | spoolsv.exe | 3
5084 | 3632 | explorer.exe | spoolsv.exe | 1
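The SetThreadContext rows and the WriteProcessMemory rows above describe one pattern repeated at every level of the process tree: a launcher starts a second copy of its own image, writes into it, then replaces its main thread's context, which is the classic hollowing sequence. The script below is an added example (editor's code, not the sandbox's own correlation logic) that joins the two tables on (source pid, target pid). Its input is a constructed subset of rows copied from this report, and the verdict wording is the editor's.

```python
"""Join sandbox SetThreadContext and WriteProcessMemory rows into injection pairs.

Added example for this report (editor's code, not the sandbox's own logic).
The rows are a constructed subset copied from the two signature tables; the
verdict wording is the editor's.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = 'a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe'
ROWS = f'''
PID 1196 set thread context of 5068 1196 {SAMPLE} {SAMPLE}
PID 3344 set thread context of 5084 3344 explorer.exe explorer.exe
PID 760 set thread context of 1804 760 spoolsv.exe spoolsv.exe
PID 4504 set thread context of 3204 4504 spoolsv.exe spoolsv.exe
PID 1196 wrote to memory of 4976 1196 {SAMPLE} splwow64.exe
PID 1196 wrote to memory of 5068 1196 {SAMPLE} {SAMPLE}
PID 5068 wrote to memory of 3344 5068 {SAMPLE} explorer.exe
PID 3344 wrote to memory of 5084 3344 explorer.exe explorer.exe
PID 5084 wrote to memory of 760 5084 explorer.exe spoolsv.exe
PID 5084 wrote to memory of 4504 5084 explorer.exe spoolsv.exe
'''

# Row shape: "PID <src> <action> <dst> <src> <src image> <dst image>"; the
# source pid is printed twice, and the backreference enforces that.
ROW_RE = re.compile(r'^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)$')


@dataclass
class Pair:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    context_set: bool = False
    memory_written: bool = False

    @property
    def verdict(self) -> str:
        same_image = self.src_image.lower() == self.dst_image.lower()
        if same_image and self.context_set and self.memory_written:
            return 'hollowing: same image, memory written, thread context replaced'
        if same_image and self.context_set:
            return 'hollowing (probable): same image, context replaced, no write row captured'
        if self.memory_written:
            return 'cross-image write'
        return 'unclassified'


def parse_rows(text: str) -> dict:
    """Merge both tables into one Pair per (source pid, target pid)."""
    pairs = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        key = (int(src), int(dst))
        p = pairs.setdefault(key, Pair(int(src), int(dst), src_img, dst_img))
        if action.startswith('set thread'):
            p.context_set = True
        else:
            p.memory_written = True
    return pairs


def hollowing_candidates(text: str) -> list:
    return [p for p in parse_rows(text).values() if p.verdict.startswith('hollowing')]


def spawn_chain(text: str, root_pid: int) -> list:
    """Walk write-to-memory edges from root_pid, depth first, siblings ascending."""
    children = defaultdict(list)
    for p in parse_rows(text).values():
        if p.memory_written:
            children[p.src_pid].append(p.dst_pid)
    order, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        order.append(pid)
        stack.extend(sorted(children[pid], reverse=True))
    return order


if __name__ == '__main__':
    for p in parse_rows(ROWS).values():
        print(f'{p.src_pid:>5} -> {p.dst_pid:<5} {p.src_image} -> {p.dst_image}: {p.verdict}')
    print('lineage from 1196:', ' -> '.join(map(str, spawn_chain(ROWS, 1196))))
```

Each signature table is capped at 64 IoCs, and in this report the WriteProcessMemory table is cut off part-way through explorer.exe 5084's spoolsv.exe children, so pairs such as 760 -> 1804 show a context switch without a captured write. Treat that as a capture limit, not as evidence that no write happened, which is why the script reports them as probable rather than dropping them. The cross-image writes are the launcher-to-dropped-copy edges of the tree (sample 5068 -> explorer.exe 3344, explorer.exe 5084 -> spoolsv.exe 760 ...), and spawn_chain() walks them from the original sample pid. The write from 1196 into splwow64.exe 4976 is reported only as a cross-image write; the report does not say what was written there.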
Processes
1  C:\Users\Admin\AppData\Local\Temp\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe"
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\splwow64.exe
     cmdline: C:\Windows\splwow64.exe 12288
  2  C:\Users\Admin\AppData\Local\Temp\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
     cmdline: "C:\Users\Admin\AppData\Local\Temp\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe"
     - Drops file in Windows directory
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
    3  \??\c:\windows\system\explorer.exe
       cmdline: c:\windows\system\explorer.exe
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Drops file in Windows directory
       - Suspicious use of WriteProcessMemory
      4  \??\c:\windows\system\explorer.exe
         cmdline: "c:\windows\system\explorer.exe"
         - Modifies WinLogon for persistence
         - Modifies visibility of hidden/system files in Explorer
         - Modifies Installed Components in the registry
         - Executes dropped EXE
         - Adds Run key to start application
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
            7  \??\c:\windows\system\explorer.exe
               cmdline: c:\windows\system\explorer.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Drops file in Windows directory
              8  \??\c:\windows\system\explorer.exe
                 cmdline: "c:\windows\system\explorer.exe"
                 - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
            7  \??\c:\windows\system\explorer.exe
               cmdline: c:\windows\system\explorer.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Drops file in Windows directory
              8  \??\c:\windows\system\explorer.exe
                 cmdline: "c:\windows\system\explorer.exe"
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
            7  \??\c:\windows\system\explorer.exe
               cmdline: c:\windows\system\explorer.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
              8  \??\c:\windows\system\explorer.exe
                 cmdline: "c:\windows\system\explorer.exe"
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
            7  \??\c:\windows\system\explorer.exe
               cmdline: c:\windows\system\explorer.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Drops file in Windows directory
              8  \??\c:\windows\system\explorer.exe
                 cmdline: "c:\windows\system\explorer.exe"
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
            7  \??\c:\windows\system\explorer.exe
               cmdline: c:\windows\system\explorer.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Drops file in Windows directory
              8  \??\c:\windows\system\explorer.exe
                 cmdline: "c:\windows\system\explorer.exe"
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
            7  \??\c:\windows\system\explorer.exe
               cmdline: c:\windows\system\explorer.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
              8  \??\c:\windows\system\explorer.exe
                 cmdline: "c:\windows\system\explorer.exe"
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Suspicious use of SetWindowsHookEx
            7  \??\c:\windows\system\explorer.exe
               cmdline: c:\windows\system\explorer.exe
               - Suspicious use of SetThreadContext
               - Drops file in Windows directory
              8  \??\c:\windows\system\explorer.exe
                 cmdline: "c:\windows\system\explorer.exe"
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Suspicious use of SetWindowsHookEx
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Suspicious use of SetWindowsHookEx
            7  \??\c:\windows\system\explorer.exe
               cmdline: c:\windows\system\explorer.exe
               - Suspicious use of SetThreadContext
              8  \??\c:\windows\system\explorer.exe
                 cmdline: "c:\windows\system\explorer.exe"
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Suspicious use of SetWindowsHookEx
            7  \??\c:\windows\system\explorer.exe
               cmdline: c:\windows\system\explorer.exe
               - Suspicious use of SetThreadContext
               - Drops file in Windows directory
              8  \??\c:\windows\system\explorer.exe
                 cmdline: "c:\windows\system\explorer.exe"
        5  \??\c:\windows\system\spoolsv.exe
           cmdline: c:\windows\system\spoolsv.exe SE
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Drops file in Windows directory
          6  \??\c:\windows\system\spoolsv.exe
             cmdline: "c:\windows\system\spoolsv.exe"
             - Suspicious use of SetWindowsHookEx
            7  \??\c:\windows\system\explorer.exe
               cmdline: c:\windows\system\explorer.exe
               - Suspicious use of SetThreadContext
               - Drops file in Windows directory
              8  \??\c:\windows\system\explorer.exe
                 cmdline: "c:\windows\system\explorer.exe"
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
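The tree above repeats one pattern many times: an unquoted `spoolsv.exe SE` (or `explorer.exe`) parent that the sandbox flags for SetThreadContext, immediately followed one level deeper by a child of the same image whose command line is just the quoted path. That is the shape process hollowing leaves in a tree (create suspended, overwrite, SetThreadContext, resume), and every one of these binaries runs from `c:\windows\system\` rather than from `System32` (spoolsv) or `C:\Windows` (explorer). The script below is an added example, not part of the sandbox report: it parses the flattened tree lines as the extraction left them (path, command line and depth glued together), flags the masquerading paths and the hollowing pairs, and counts how often each image respawns. The expected-directory table and the labels "masquerade" and "hollowing" are my own; the sample entries are copied from the tree above.

```python
import re
from collections import Counter

# Constructed sample: a handful of process-tree entries copied from the report above,
# in the raw "path + command line + depth" form the extraction produced.
SAMPLE = r"""
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
"""

# Path (NT "\??\" or drive-letter form, up to the first ".exe"), then the command
# line, then a single tree-depth digit and the glued "⤵" marker.
PROC_RE = re.compile(r'^((?:\\\?\?\\|[A-Za-z]:\\)\S*?\.exe)(.*?)(\d)⤵$', re.IGNORECASE)

# Where the genuine Windows binaries of these names live (assumed baseline for this
# example; extend it for your own environment).
EXPECTED_DIR = {
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}


def parse_tree(text):
    """Turn the flattened tree into dicts of path, cmdline, depth and signature hits."""
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            procs.append({"path": m[1], "cmdline": m[2].strip(),
                          "depth": int(m[3]), "sigs": []})
        elif line.startswith("- ") and procs:
            procs[-1]["sigs"].append(line[2:].strip())
    return procs


def split_image(path):
    """Return (directory, basename) in lower case, with the NT prefix removed."""
    p = path[4:] if path.startswith("\\??\\") else path
    d, _, name = p.rpartition("\\")
    return d.lower(), name.lower()


def analyse(procs):
    """Flag (a) system binary names running outside their real directory and
    (b) a SetThreadContext parent followed by a same-image child one level deeper
    whose command line is only the quoted path: the hollowing pattern in this tree."""
    findings = []
    for i, p in enumerate(procs):
        d, name = split_image(p["path"])
        if name in EXPECTED_DIR and d != EXPECTED_DIR[name]:
            findings.append(("masquerade", name, p["path"]))
        if "Suspicious use of SetThreadContext" in p["sigs"] and i + 1 < len(procs):
            child = procs[i + 1]
            if (child["depth"] == p["depth"] + 1
                    and split_image(child["path"])[1] == name
                    and child["cmdline"].startswith('"')):
                findings.append(("hollowing", name,
                                 "depth %d -> %d" % (p["depth"], child["depth"])))
    return findings


def spawn_counts(procs):
    """How many times each image appears at each depth: the size of the respawn loop."""
    return Counter((split_image(p["path"])[1], p["depth"]) for p in procs)


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for finding in analyse(tree):
        print(*finding)
    print(spawn_counts(tree))
```

Run against the full tree, `spawn_counts` shows dozens of `("spoolsv.exe", 5)` entries, which is the respawn loop itself; the `svchost.exe -k PrintWorkflow` entry at depth 1 is the one process in the listing that sits in its expected directory and produces no finding.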
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

C:\Windows\Parameters.ini
  Filesize  74B
  MD5       6687785d6a31cdf9a5f80acb3abc459b
  SHA1      1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256    3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512    5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

C:\Windows\Parameters.ini  (listed a second time with no size; these are the digests of a zero-byte file)
  MD5       d41d8cd98f00b204e9800998ecf8427e
  SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\System\explorer.exe
  Filesize  2.2MB
  MD5       42b043867bf8baaace4e75395b14452e
  SHA1      b11fdffc7fa171ce5c6178c50d186b02f179313f
  SHA256    5e76f53f901c1ba1c3e96b44e164ead19aaba0e25231e8b790cab89c2efc6b33
  SHA512    50770bc4fa4249f689b69f54cf93bc931459cec82088fc3140f3e16d8db9985f81fa77ab5a10f6a978d776402bfb9061c47504a4f50555aa5e4a045644333d96

C:\Windows\System\spoolsv.exe
  Filesize  2.2MB
  MD5       089a9e125312ee931626d0366502db21
  SHA1      c48334922f5745f57dec0f1d2c11a56ef6ff4bb7
  SHA256    f11c1eb06914f0520144922a75a10de756c186611fc2f4c217284e8285e58d00
  SHA512    251266c18c075a5199e0ac5ade5ba0634fff0a06dd33bcf9a9abec316536db0d59297d95ff2092a3a5e73d0c9ec055ae8d0b8fc91134feb115a220317ba26096
memory/224-2588-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/332-3489-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/740-4247-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/760-1796-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/760-895-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/848-4928-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/848-5083-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/960-3821-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/960-3824-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1016-3814-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1028-1883-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1032-2848-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1032-2675-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1060-1874-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1160-3509-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1196-53-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/1196-48-0x0000000002380000-0x0000000002381000-memory.dmp  Filesize 4KB
memory/1196-0-0x0000000002380000-0x0000000002381000-memory.dmp  Filesize 4KB
memory/1196-46-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/1264-1842-0x0000000000440000-0x0000000000509000-memory.dmp  Filesize 804KB
memory/1264-1846-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1396-1309-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/1624-3666-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1624-3784-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1716-3804-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1728-2282-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1804-1980-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1804-1795-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1808-3681-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/1892-965-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/2028-1995-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/2028-2096-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/2040-4846-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/2040-4743-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/2180-1137-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/2304-2885-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/2344-1833-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/2440-1766-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/2524-4117-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/2624-2694-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/2752-964-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/2968-2702-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/2992-2875-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/2996-3521-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3052-1864-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3108-4467-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3192-2012-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3204-1834-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3344-89-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/3344-95-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/3436-1138-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/3456-2477-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3464-4478-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3464-4474-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3476-4955-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3540-2248-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3540-2125-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3572-4498-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3632-1767-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/3672-1769-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/3708-1845-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/3732-2777-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3764-2304-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3764-2301-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3868-1626-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/3920-1768-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/3936-4611-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3984-2484-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/3984-2487-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4008-4936-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4016-2867-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4016-3016-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4132-897-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/4132-1848-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/4148-3241-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4148-3339-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4156-3481-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4232-1856-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4232-1853-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4412-4236-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4504-896-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/4504-1836-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/4636-1310-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/4804-2386-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4804-2272-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/4852-1430-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/4916-1765-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/4948-966-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/4972-1431-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/5032-1857-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/5032-898-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
memory/5060-2467-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/5060-2657-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/5068-83-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/5068-49-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/5068-51-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/5084-94-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/5084-894-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
memory/5108-4621-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
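Two things in the Downloads and memory listings are worth checking mechanically rather than by eye: the second `Parameters.ini` entry carries the well-known digests of an empty file, and nearly every memory dump is one of two regions at the default image base 0x400000, one of 0x3E000 bytes (248KB) and one of 0x1D3000 bytes (1.8MB), which points to two different PE images being mapped across the process population (which of them is the dropper and which the injected payload is my inference, not something the report states). The script below is an added example, not part of the sandbox report: it parses both kinds of entry as the extraction left them (the `Filesize` or hash label glued to the artifact name, each hash label glued to its value), validates hash lengths, flags empty-file digests, checks that each listed dump size agrees with its address range, and groups PIDs by the region they map. The sample entries are copied from the listings above; the record layout and the `triage` summary are my own.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: entries copied from the Downloads and memory-dump listings
# above, in the glued form the extraction produced.
SAMPLE = r"""
C:\Windows\Parameters.iniFilesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
-
C:\Windows\Parameters.iniMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
memory/224-2588-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
memory/760-1796-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
memory/1264-1842-0x0000000000440000-0x0000000000509000-memory.dmpFilesize
804KB
memory/1264-1846-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
"""

# Artifact name with a label glued to its end; the label's value is on the next line.
HEADER_RE = re.compile(r'^((?:[A-Za-z]:\\|memory/)\S*?)(Filesize|MD5|SHA1|SHA256|SHA512)$')
FIELD_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$')   # label glued to value
SIZE_RE = re.compile(r'^(\d+(?:\.\d+)?)(B|KB|MB)$')
REGION_RE = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')
UNITS = {"B": 1, "KB": 1024, "MB": 1024 * 1024}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_DIGEST = {n: getattr(hashlib, n.lower())(b"").hexdigest() for n in HEX_LEN}


def parse_entries(text):
    """One dict per artifact: name, listed size in bytes, hashes, and for memory
    dumps the PID and address range (region size computed from the range)."""
    entries, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        h = HEADER_RE.match(line)
        if h:
            cur = {"name": h[1], "size": None, "hashes": {}, "region": None, "issues": []}
            r = REGION_RE.match(h[1])
            if r:
                start, end = int(r[3], 16), int(r[4], 16)
                cur["region"] = {"pid": int(r[1]), "start": start, "end": end, "size": end - start}
            entries.append(cur)
            pending = h[2]
            continue
        if cur is None:
            continue
        f = FIELD_RE.match(line)
        if f:
            label, value = f[1], f[2]
        elif pending == "Filesize" and SIZE_RE.match(line):
            label, value = "Filesize", line
        elif pending in HEX_LEN and re.fullmatch(r"[0-9a-fA-F]+", line):
            label, value = pending, line
        else:
            cur["issues"].append("unparsed line: " + line)
            pending = None
            continue
        pending = None
        if label == "Filesize":
            s = SIZE_RE.match(value)
            cur["size"] = float(s[1]) * UNITS[s[2]]
        else:
            cur["hashes"][label] = value.lower()
            if len(value) != HEX_LEN[label]:
                cur["issues"].append("%s has %d hex digits, expected %d" % (label, len(value), HEX_LEN[label]))
    return entries


def is_empty_file(entry):
    """True when every listed hash is the digest of zero bytes (an empty drop)."""
    hs = entry["hashes"]
    return bool(hs) and all(v == EMPTY_DIGEST[k] for k, v in hs.items())


def region_size_consistent(entry, tol=0.05):
    """Does the listed (rounded) dump size agree with end - start?  None for files."""
    r = entry["region"]
    if r is None or entry["size"] is None:
        return None
    return abs(r["size"] - entry["size"]) <= tol * r["size"]


def image_layout(entries):
    """PIDs grouped by (base, size): same base and size means the same mapped image."""
    groups = defaultdict(set)
    for e in entries:
        if e["region"]:
            groups[(e["region"]["start"], e["region"]["size"])].add(e["region"]["pid"])
    return {k: sorted(v) for k, v in groups.items()}


def triage(text):
    entries = parse_entries(text)
    out = {"empty_files": [], "size_mismatch": [], "malformed": [], "layout": image_layout(entries)}
    for e in entries:
        if e["region"] is None and is_empty_file(e):
            out["empty_files"].append(e["name"])
        elif region_size_consistent(e) is False:
            out["size_mismatch"].append(e["name"])
        if e["issues"]:
            out["malformed"].append((e["name"], e["issues"]))
    return out


if __name__ == "__main__":
    print(triage(SAMPLE))
```

PID 1264 is the instructive case in the sample: it maps the 0x3E000-byte image at 0x400000 and a second 804KB region at 0x440000, so a dump of that process carries more than the small image alone. Feeding the whole listing through `image_layout` gives the full split of PIDs between the two image sizes.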