Analysis
- max time kernel: 136s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 08:07
Behavioral task: behavioral1
- Sample: a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe
- Size: 2.2MB
- MD5: a8a9987bdefaa2e6f3146a39eafb53f7
- SHA1: 8f2164b64033054f70686708eb62b421378c120f
- SHA256: 39a85f119f12f771147b5e6202087c78a1dd8eac295942d13f2e10bfd32afb72
- SHA512: 1ebe50dcd7b4d6c5300ea73b7b19bade5121ca0317ea6b251eb60550eacc04cb6398391d05637b7d2ccc8988c29cf35636e0815a5c54bc652a5f436bb266da6d
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZi:0UzeyQMS4DqodCnoe+iitjWwwG
Malware Config
Extracted
- Family: pony
- http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}

Drops startup file (2 IoCs)
- a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe
- a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe

Executes dropped EXE (64 IoCs)
PIDs in table order:
- explorer.exe: 1212, 4736, 3960, 1972, 2536, 2016, 2104
- spoolsv.exe: 4540, 3240, 1304, 2676, 3488, 4216, 3340, 4668, 8, 5116, 1680, 348, 2836, 3700, 1740, 1324, 3228, 2124, 4732, 1748, 3912, 4952, 3352, 5100, 3752, 744, 5012, 4420, 4864, 4516, 1216, 2588, 2420, 2764, 3692, 4460, 648, 764, 2500, 752, 3504, 2180, 1880, 3596, 3068, 4720, 1288, 5084, 4124, 3552, 3024, 372, 2540, 2556, 2428, 3264, 5024

Adds Run key to start application (2 TTPs, 2 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"

Suspicious use of SetThreadContext (43 IoCs)
Each entry is a process setting the thread context of a child process of the same image (PID -> target PID):
- a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe: 5052 -> 4524
- explorer.exe: 1212 -> 4736, 3960 -> 2696, 1972 -> 4468, 2536 -> 548, 2016 -> 3656, 2104 -> 1736, 4780 -> 5112
- spoolsv.exe: 4540 -> 1216, 3240 -> 2588, 1304 -> 2420, 2676 -> 2764, 3488 -> 4460, 4216 -> 648, 3340 -> 764, 4668 -> 2500, 8 -> 752, 5116 -> 2180, 1680 -> 1880, 348 -> 3596, 2836 -> 3068, 3700 -> 4720, 1740 -> 5084, 1324 -> 4124, 3228 -> 3552, 2124 -> 3024, 4732 -> 372, 1748 -> 2556, 3912 -> 2428, 4952 -> 3264, 3352 -> 5024, 5100 -> 3640, 3752 -> 4500, 744 -> 2456, 5012 -> 4044, 4420 -> 3760, 4864 -> 2128, 4516 -> 5000, 3692 -> 1944, 3504 -> 5016, 1288 -> 5096, 2540 -> 1768, 3320 -> 3584

Drops file in Windows directory (64 IoCs)
- File opened for modification C:\Windows\Parameters.ini: spoolsv.exe (51 entries), explorer.exe (9 entries)
- File opened for modification \??\c:\windows\system\explorer.exe: a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe
- File opened for modification C:\Windows\system\udsys.exe: explorer.exe
- File opened for modification \??\c:\windows\system\spoolsv.exe: explorer.exe
- File opened for modification \??\c:\windows\system\explorer.exe: explorer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 4524 a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe (2 entries)
- 4736 explorer.exe (62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- 4736 explorer.exe

Suspicious use of SetWindowsHookEx (64 IoCs)
- 4524 a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe (2 entries)
- 4736 explorer.exe (4 entries)
- spoolsv.exe, 2 entries each for PIDs: 1216, 2588, 2420, 2764, 4460, 648, 764, 2500, 752, 2180, 1880, 3596, 3068, 4720, 5084, 4124, 3552, 3024, 372, 2556, 2428, 3264, 5024, 3640, 4500, 2456, 4044, 3760, 2128

Suspicious use of WriteProcessMemory (64 IoCs)
Source PID (image) -> target PID, target image (entry count):
- 5052 (a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe) -> 1800 splwow64.exe (2 entries)
- 5052 (a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe) -> 4524 a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe (5 entries)
- 4524 (a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe) -> 1212 explorer.exe (3 entries)
- 1212 (explorer.exe) -> 4736 explorer.exe (5 entries)
- 4736 (explorer.exe) -> spoolsv.exe PIDs 4540, 3240, 1304, 2676, 3488, 4216, 3340, 4668, 8, 5116, 1680, 348, 2836, 3700, 1740, 1324 (3 entries each)
- 4736 (explorer.exe) -> 3228 spoolsv.exe (1 entry shown)
Processes
Process tree (indentation shows parent/child depth; each process line gives the image path and its command line):
- C:\Users\Admin\AppData\Local\Temp\a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe")
  signatures: Drops startup file; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (cmdline: C:\Windows\splwow64.exe 12288)
  - C:\Users\Admin\AppData\Local\Temp\a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\a8a9987bdefaa2e6f3146a39eafb53f7_JaffaCakes118.exe")
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              - \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext
              - \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              - \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              - \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
              - \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              signatures: Suspicious use of SetThreadContext; Drops file in Windows directory
              - \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Suspicious use of SetWindowsHookEx
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              signatures: Drops file in Windows directory
              - \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            signatures: Suspicious use of SetWindowsHookEx
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              signatures: Drops file in Windows directory
              - \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              signatures: Drops file in Windows directory
              - \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe")
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
        - \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE)
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          - \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe")
            - \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe)
              signatures: Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
-
C:\Windows\Parameters.ini
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\Parameters.ini
Filesize 74B
MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
C:\Windows\System\explorer.exe
Filesize 2.2MB
MD5 f0506652be77a88ed49b1c9eb4ebadc1
SHA1 cc6ace24fd982f3f193229677498664ec4e2c06e
SHA256 86254efea3c6624808c28e6b1fbfe5008f95530c5c931b4f9529000f2831ebe7
SHA512 2dafa34a1aa82da20ac8373c986c152f8b04029da18bf1d18cd42aa90f54068eb6a1943a491b38185c8b694ad8abdc80df965bf2010d9f8af401fb5205753c8b
-
C:\Windows\System\spoolsv.exe
Filesize 2.2MB
MD5 3f7fedcb5cbf27c76bf4a8daf82881e9
SHA1 a604324bd0158857088cb80c5e3f378b4517e3c0
SHA256 93340424cbc353afb7b6088ecfa973ec47e99b2cb2c09bdc6518050b266a9984
SHA512 2f8651e49ee6e30970f08471479a8964aeeb0fd6b9273fd6104709d7e3401a87db64f88b5ad65157dcfbd55c46e1f03c3c89dbda6dd414e05109f5bbb74bbf47
-
memory/8-1283-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/348-1483-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/372-2613-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/372-2767-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/548-4113-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/648-2064-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/752-2168-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/764-2149-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/764-2309-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1212-70-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/1212-65-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/1216-2130-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1216-1930-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1256-4940-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1304-1953-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/1304-977-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/1324-1797-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/1516-4931-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1516-5042-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1680-1482-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/1736-4416-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1740-1668-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/1748-1929-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/1768-4440-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1768-4554-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1880-2321-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1880-2465-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1944-3508-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/1944-3626-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2124-1927-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/2128-3057-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2180-2266-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2420-1951-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2428-2700-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2428-2704-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2456-2892-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2500-2160-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2500-2157-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2504-5123-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2556-2695-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2556-2691-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2588-1941-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2676-1956-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/2676-1143-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/2696-3382-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2712-4994-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2764-1985-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/2836-1666-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/3024-2540-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3068-2340-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3228-1798-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/3240-976-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/3240-1943-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/3264-2711-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3264-2715-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3340-1281-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/3488-1144-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/3552-2528-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3552-2532-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3584-4599-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3584-4728-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3596-2331-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3640-2874-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3656-4215-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3700-1667-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/3760-3047-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3868-4878-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/3912-1940-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/4124-2520-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/4216-1145-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/4460-2054-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/4468-3701-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/4524-59-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/4524-29-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/4524-31-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/4524-57-0x0000000000440000-0x0000000000509000-memory.dmp    Filesize 804KB
memory/4540-1931-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/4540-800-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/4612-4764-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/4668-1282-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/4720-2350-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/4732-1928-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/4736-69-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/4736-799-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/4952-1950-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/5000-3365-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5000-3256-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5016-4151-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5016-4103-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5024-2785-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5024-2961-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5052-28-0x0000000002490000-0x0000000002491000-memory.dmp    Filesize 4KB
memory/5052-0-0x0000000002490000-0x0000000002491000-memory.dmp    Filesize 4KB
memory/5052-32-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/5052-26-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB
memory/5064-4754-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5064-4907-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5084-2590-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5096-4223-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5096-4330-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5112-4577-0x0000000000400000-0x000000000043E000-memory.dmp    Filesize 248KB
memory/5116-1481-0x0000000000400000-0x00000000005D3000-memory.dmp    Filesize 1.8MB