Analysis
max time kernel: 146s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 08:27

Behavioral task: behavioral1
Sample: a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe
Resource: win7-20240221-en

General
Target: a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe
Size: 2.2MB
MD5: a8bbb3bf544a9f0f4e1626e3f68b9c61
SHA1: 4e84bf0ccfc1b6738210c4be358ec007dedfeb75
SHA256: 0f0ac0941ceeabcba46930b7528def0a7ef13c5eafbbf5870939ea9435b8b5bb
SHA512: c0f1c16bcb6273f92c4877d6e9c6db9ec3fd522b816ada957c732d2f18cdbf242dbc794cdbc60de016d1d5f83207ae54196408f224976a070b5632bb9d8330b0
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZi:0UzeyQMS4DqodCnoe+iitjWww2

Malware Config
Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe

Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: explorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: explorer.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: explorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (explorer.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (explorer.exe)
Drops startup file 2 IoCs
Processes: a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe (a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe (a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe)
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
Suspicious use of SetThreadContext 54 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe (PID 1872)
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8bbb3bf544a9f0f4e1626e3f68b9c61_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe"; tree level 8)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe"; tree level 8)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe"; tree level 8)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe"; tree level 8)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe"; tree level 8)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
- \??\c:\windows\system\explorer.exe (command line: "c:\windows\system\explorer.exe"; tree level 8)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe; tree level 7)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: "c:\windows\system\spoolsv.exe"; tree level 6)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
- \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE; tree level 5)
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc; tree level 1)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- C:\Windows\Parameters.ini
  MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Windows\Parameters.ini
  Filesize 74B
  MD5 6687785d6a31cdf9a5f80acb3abc459b
  SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- C:\Windows\System\explorer.exe
  Filesize 2.2MB
  MD5 70d9c0cd800c2e4bd1d070798e8c8810
  SHA1 ce136d0a02ae72db0ba6f2223b1a93a2fe5fa5a9
  SHA256 7d70878a48037723d76abc758b00abc518deec2a2be578b5adbb00d5b5423b20
  SHA512 c0e9b5d77f8a8a310414c81a5dbb08b82af200d6a758abbe27177aea425c0d8c6b79b41526a3379128699412767dc07cf439eeb421c1b28f1be5385381cb8c52
- C:\Windows\System\spoolsv.exe
  Filesize 2.2MB
  MD5 25b4ad6ffc9abfd72efedd83205d702d
  SHA1 f1fe0d1b46b2a331fa5e00b97e607bd5071ae23f
  SHA256 b69fe2ed3fb214c17a1a932b7d534ff0295ad8fd09f8a91af2dbdb61a679b0ab
  SHA512 703935cd9ee28eec268d3bbac28b894372ce6644ffa08c66cb3b46c79f75fe7914bf218a84dd435d83d8464050efa16e5fcaea2d37b0f0d55eb0b37ffe675fc9
- memory/60-2105-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/220-0-0x0000000002340000-0x0000000002341000-memory.dmp (Filesize 4KB)
- memory/220-23-0x0000000002340000-0x0000000002341000-memory.dmp (Filesize 4KB)
- memory/220-1930-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/220-27-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/220-21-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/348-3117-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/368-2490-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/368-2276-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/380-2001-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/380-2202-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/440-4187-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/440-4110-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/448-2514-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/448-2518-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/876-5261-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/876-5263-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/904-1709-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/948-2536-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1040-4852-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1064-4668-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1064-4546-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1072-1708-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/1184-3105-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1184-3108-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1196-3444-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1196-3563-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1204-3846-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1324-1188-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/1332-1710-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/1352-2315-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1504-4873-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1764-2000-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/1792-2920-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1812-1206-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/1872-884-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1872-74-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/1908-1999-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/1984-1568-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/2120-1198-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/2488-1929-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/2496-5512-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/2504-3759-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/2532-2911-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/2532-3055-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/2568-1394-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/2592-1393-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/2668-4881-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/2780-3124-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/2784-4365-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3036-2609-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3088-1036-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/3088-2006-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/3104-5182-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3112-4555-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3116-2326-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3140-2693-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3140-2508-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3148-3340-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3148-3217-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3236-3194-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3236-3099-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3248-885-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/3248-1995-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/3260-4893-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3336-3655-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3536-2106-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3620-2011-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3708-2113-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/3720-1567-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/3724-2720-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3740-5521-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/3952-4903-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4020-1038-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/4228-3836-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4260-2711-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4260-2889-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4308-2294-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4356-2829-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4388-2305-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4404-2115-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4404-2119-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4464-2147-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4480-2010-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/4548-4284-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4548-4408-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4612-4747-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4612-4941-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4652-64-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4652-62-0x0000000000440000-0x0000000000509000-memory.dmp (Filesize 804KB)
- memory/4652-26-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4652-24-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4664-5488-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4672-5137-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4672-5015-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4736-75-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/4736-70-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/4752-2931-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4796-4119-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4892-1392-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/4956-5173-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/4956-5325-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/5020-1037-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/5020-2107-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)
- memory/5024-4758-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
- memory/5096-1569-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize 1.8MB)