Analysis
max time kernel: 150s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 08:46

Behavioral task: behavioral1
Sample: a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe
Size: 2.2MB
MD5: a8cce9c59c7d9c9787a6927a03068b19
SHA1: 8fb3cf882639cd94b0fe0821e122698a63fc4f94
SHA256: 86c20fd27d005ddea61824f7e571a1e2c0c054fccec3d22945344963f0ea869e
SHA512: 0bf8aea30f5ea1800284c4e47a6fb37ca2c6f6c9b0027b7ad6a26ff207b8c1e2842e7178e236c6f31b1bdc85369333e63ad605d3161b46f042ad6d683e9c91b8
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ8:0UzeyQMS4DqodCnoe+iitjWwwg
Malware Config
Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
The Winlogon Shell value is a comma-separated list of programs to start at logon. The legitimate shell is kept first and the dropped copy under c:\windows\system is appended, so the desktop still loads normally while the implant starts with every interactive logon. Note the key landed under WOW6432Node because the sample is 32-bit; the 64-bit Winlogon reads the native Winlogon key, so on this x64 image this particular entry is unlikely to fire.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Process: explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
ShowSuperHidden = 0 re-hides files carrying the hidden+system attributes in Explorer, undoing the "show protected operating system files" option if the user had enabled it.
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Process: explorer.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
Active Setup runs each component's StubPath once per user at logon. The component name here is not a valid GUID (Y, O, T, R, W, G and S are not hex digits), which makes it an easy hunting pivot, and the StubPath points into one user's roaming profile rather than an installation directory.
Drops startup file (2 IoCs)
Process: a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
explorer.exe: PIDs 1532, 4548, 4424, 3168, 4092, 1916, 4728, 4132
spoolsv.exe: PIDs 1356, 3300, 4900, 2188, 4716, 1692, 1796, 4748, 2840, 1112, 3812, 3372, 1624, 2180, 4440, 4772, 2712, 1452, 1384, 752, 3792, 1472, 2316, 4844, 3492, 1908, 1760, 3068, 772, 1184, 2492, 4000, 4684, 2348, 4404, 3512, 3672, 4540, 3928, 1460, 2884, 3596, 452, 3152, 3868, 944, 1144, 4040, 1672, 552, 4384, 4128, 3592, 1212, 2176, 4964
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
RunOnce values are deleted once they have executed, so they only keep the implant alive if it re-creates them each time it runs. The value names mimic Windows binaries while pointing at copies in the legacy C:\Windows\system directory, where no Windows executable of either name belongs.
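The four registry signatures above (Winlogon Shell, ShowSuperHidden, Active Setup, RunOnce) are cheap to hunt for on other hosts. The script below is an added example and not part of the sandbox report: it re-checks those values from registry rows in the shape the report prints them. The rows are constructed from the tables above plus one benign control entry (the SecurityHealth Run value is a stock Windows autostart, but it does not appear in this report); the canonical-directory table and the flagging rules are this example's own assumptions.

```python
import re

# Registry events in the shape this report prints them:
# (operation, key, value name, data).  Rows are constructed from the signature
# tables above, plus one benign control entry (a default Windows Run value that
# is NOT in the report) so the checks can be shown not to fire on it.
SAMPLE_ROWS = [
    ("Set value",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "shell", r"C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"),
    ("Set value",
     r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden", "0"),
    ("Key created",
     r"\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}",
     None, None),
    ("Set value",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}",
     "StubPath", r"C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"),
    ("Set value",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "Explorer", r"c:\\windows\\system\\explorer.exe RO"),
    ("Set value",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "Svchost", r"c:\\windows\\system\\svchost.exe RO"),
    # Control row (constructed, not from the report): a stock Windows autostart.
    ("Set value",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"C:\\Windows\\system32\\SecurityHealthSystray.exe"),
]

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

# Assumed canonical locations of well-known image names on a default install;
# the same file name anywhere else is a masquerading copy.
CANONICAL_DIR = {
    "explorer.exe": r"c:\windows",
    "spoolsv.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}
LEGIT_SHELL = {"explorer.exe", r"c:\windows\explorer.exe"}


def unescape(data):
    """The report prints registry strings with doubled backslashes; collapse them."""
    return data.replace("\\\\", "\\")


def image_path(command):
    """Executable path from a command line: first token, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def check_image_location(path, machine_wide):
    """Reason string if an autostart executable sits somewhere it should not, else None."""
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    if directory == r"c:\windows\system":
        # Legacy 16-bit directory; no Windows executable belongs here.
        return "executable under the legacy C:\\Windows\\System directory"
    canonical = CANONICAL_DIR.get(name)
    if canonical and directory != canonical:
        return f"{name} outside its canonical directory {canonical}"
    if machine_wide and "\\appdata\\" in p:
        # An HKLM autostart pointing into one user's profile is not installer behaviour.
        return "machine-wide autostart pointing into a user profile directory"
    return None


def audit(rows):
    """Return (check, detail) findings for the persistence tricks seen in this report."""
    findings = []
    seen_components = set()
    for op, key, name, data in rows:
        k = key.lower()
        machine_wide = k.startswith(r"\registry\machine")
        value = (name or "").lower()
        if k.endswith(r"\winlogon") and value == "shell":
            entries = [e.strip() for e in unescape(data).split(",")]
            extra = [e for e in entries if e.lower() not in LEGIT_SHELL]
            if extra:
                findings.append(("winlogon_shell", "extra shell entries: " + ", ".join(extra)))
        elif "\\installed components\\" in k:
            component = key.rsplit("\\", 1)[1]
            if not GUID_RE.match(component) and component not in seen_components:
                seen_components.add(component)
                findings.append(("active_setup_bad_guid", component))
            if value == "stubpath":
                reason = check_image_location(image_path(unescape(data)), machine_wide)
                if reason:
                    findings.append(("active_setup_stubpath", reason))
        elif k.endswith(r"\run") or k.endswith(r"\runonce"):
            reason = check_image_location(image_path(unescape(data)), machine_wide)
            if reason:
                findings.append(("autorun_location", f"{name}: {reason}"))
        elif k.endswith(r"\explorer\advanced") and value == "showsuperhidden" and data == "0":
            findings.append(("hide_system_files", key))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_ROWS):
        print(f"[{check}] {detail}")
```

On a live host the same rows come from a registry export or an EDR "registry value set" stream; the checks that matter most for this family are the non-GUID Active Setup component and any autostart pointing into C:\Windows\system.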
Suspicious use of SetThreadContext (48 IoCs)
Every row is a process setting the thread context of a second instance of its own image that it launched (see the process tree below): source PID/image → target PID/image. Together with the WriteProcessMemory rows further down this is the classic self-hollowing unpacking step, and the target PIDs are the instances that go on to show the real behaviour.
1340 a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe → 2736 a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe
1532 explorer.exe → 4548 explorer.exe
1356 spoolsv.exe → 1184 spoolsv.exe
3300 spoolsv.exe → 4000 spoolsv.exe
4900 spoolsv.exe → 4684 spoolsv.exe
2188 spoolsv.exe → 2348 spoolsv.exe
4716 spoolsv.exe → 4404 spoolsv.exe
1692 spoolsv.exe → 3512 spoolsv.exe
1796 spoolsv.exe → 4540 spoolsv.exe
4748 spoolsv.exe → 3928 spoolsv.exe
2840 spoolsv.exe → 1460 spoolsv.exe
1112 spoolsv.exe → 2884 spoolsv.exe
3812 spoolsv.exe → 3596 spoolsv.exe
3372 spoolsv.exe → 3152 spoolsv.exe
1624 spoolsv.exe → 3868 spoolsv.exe
2180 spoolsv.exe → 944 spoolsv.exe
4440 spoolsv.exe → 1144 spoolsv.exe
4772 spoolsv.exe → 1672 spoolsv.exe
2712 spoolsv.exe → 552 spoolsv.exe
1452 spoolsv.exe → 4384 spoolsv.exe
1384 spoolsv.exe → 3592 spoolsv.exe
752 spoolsv.exe → 1212 spoolsv.exe
3792 spoolsv.exe → 2176 spoolsv.exe
1472 spoolsv.exe → 4964 spoolsv.exe
2316 spoolsv.exe → 5108 spoolsv.exe
4844 spoolsv.exe → 3036 spoolsv.exe
3492 spoolsv.exe → 1956 spoolsv.exe
1908 spoolsv.exe → 2416 spoolsv.exe
1760 spoolsv.exe → 1164 spoolsv.exe
3068 spoolsv.exe → 2140 spoolsv.exe
772 spoolsv.exe → 4564 spoolsv.exe
4424 explorer.exe → 1604 explorer.exe
2492 spoolsv.exe → 776 spoolsv.exe
3168 explorer.exe → 1028 explorer.exe
3672 spoolsv.exe → 212 spoolsv.exe
4092 explorer.exe → 3708 explorer.exe
452 spoolsv.exe → 2152 spoolsv.exe
1916 explorer.exe → 4944 explorer.exe
4040 spoolsv.exe → 2900 spoolsv.exe
4728 explorer.exe → 3524 explorer.exe
4128 spoolsv.exe → 1632 spoolsv.exe
4132 explorer.exe → 3652 explorer.exe
2432 spoolsv.exe → 2236 spoolsv.exe
2220 explorer.exe → 1768 explorer.exe
2000 spoolsv.exe → 1600 spoolsv.exe
3028 explorer.exe → 5016 explorer.exe
4840 spoolsv.exe → 4912 spoolsv.exe
4996 spoolsv.exe → 3648 spoolsv.exe
Drops file in Windows directory (64 IoCs)
File opened for modification C:\Windows\Parameters.ini: spoolsv.exe (44 rows), explorer.exe (15 rows), a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe (1 row)
File opened for modification \??\c:\windows\system\explorer.exe: a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe, explorer.exe
File opened for modification \??\c:\windows\system\spoolsv.exe: explorer.exe
File opened for modification C:\Windows\system\udsys.exe: explorer.exe
The legitimate explorer.exe lives in C:\Windows and spoolsv.exe in C:\Windows\System32; C:\Windows\system is the legacy directory, so any executable with these names under it is a masquerading copy. C:\Windows\Parameters.ini, touched by every instance, is the file to collect if you want the implant's runtime state.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
2736 a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe (2 rows)
4548 explorer.exe (62 rows)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
4548 explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
2736 a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe (2 rows)
4548 explorer.exe (4 rows)
spoolsv.exe, 2 rows each: 1184, 4000, 4684, 2348, 4404, 3512, 4540, 3928, 1460, 2884, 3596, 3152, 3868, 944, 1144, 1672, 552, 4384, 3592, 1212, 2176, 4964, 5108, 3036, 1956, 2416, 1164, 2140, 4564
Every PID here is a target from the SetThreadContext table, so the hook is installed by the unpacked payload in the hollowed instance, not by the loader stub.
Suspicious use of WriteProcessMemory (64 IoCs)
source PID/image → target PID/image (rows)
1340 a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe → 4600 splwow64.exe (2)
1340 a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe → 2736 a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe (5)
2736 a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe → 1532 explorer.exe (3)
1532 explorer.exe → 4548 explorer.exe (5)
4548 explorer.exe → spoolsv.exe, 3 rows each: 1356, 3300, 4900, 2188, 4716, 1692, 1796, 4748, 2840, 1112, 3812, 3372, 1624, 2180, 4440, 4772
4548 explorer.exe → 2712 spoolsv.exe (1; the table ends at 64 rows)
The two same-image pairs that also appear in the SetThreadContext table carry 5 writes against 3 for a plain child spawn, consistent with the payload being written into the suspended copy before its context is redirected. splwow64.exe is the Windows print-driver host for 32-bit processes and is the only cross-image target in the table.
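To turn the SetThreadContext and WriteProcessMemory tables into a picture of what the sample did, the following added example (not part of the report) parses rows in the report's own row format. It assumes that a write from process A into process B marks A as B's creator, which matches the process tree below for every pair listed, and it treats a same-image SetThreadContext that follows such writes as self-hollowing. The event excerpt is constructed from a subset of the rows above; the 1356 → 1184 context change is deliberately left without a matching write, as in the capped table, to show how an incomplete capture is reported.

```python
import re
from collections import Counter

# Constructed subset of the "set thread context of" / "wrote to memory of"
# rows from the signature tables above (the full tables hold 48 and 64 rows).
SAMPLE = "a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe"
EVENTS = f"""\
PID 1340 set thread context of 2736 1340 {SAMPLE} {SAMPLE}
PID 1532 set thread context of 4548 1532 explorer.exe explorer.exe
PID 1356 set thread context of 1184 1356 spoolsv.exe spoolsv.exe
PID 1340 wrote to memory of 4600 1340 {SAMPLE} splwow64.exe
PID 1340 wrote to memory of 4600 1340 {SAMPLE} splwow64.exe
PID 1340 wrote to memory of 2736 1340 {SAMPLE} {SAMPLE}
PID 1340 wrote to memory of 2736 1340 {SAMPLE} {SAMPLE}
PID 2736 wrote to memory of 1532 2736 {SAMPLE} explorer.exe
PID 1532 wrote to memory of 4548 1532 explorer.exe explorer.exe
PID 1532 wrote to memory of 4548 1532 explorer.exe explorer.exe
PID 4548 wrote to memory of 1356 4548 explorer.exe spoolsv.exe
"""

# "PID <src> <action> <dst> <src> <src image> <dst image>" as the report prints it.
EVENT_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)$")


def parse_events(text):
    """Split report rows into SetThreadContext edges and WriteProcessMemory counts."""
    context_sets, writes = [], Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        if action == "set thread context of":
            context_sets.append((src, dst, src_img, dst_img))
        else:
            writes[(src, dst, src_img, dst_img)] += 1
    return context_sets, writes


def classify(context_sets, writes):
    """One verdict per SetThreadContext: same image plus prior writes is self-hollowing."""
    write_count = Counter()
    for (src, dst, _, _), n in writes.items():
        write_count[(src, dst)] += n
    verdicts = []
    for src, dst, src_img, dst_img in context_sets:
        n = write_count[(src, dst)]
        if src_img == dst_img and n:
            verdict = "self-hollowing"
        elif src_img == dst_img:
            verdict = "self-hollowing candidate (no write captured in this excerpt)"
        else:
            verdict = "cross-image injection"
        verdicts.append((src, dst, src_img, n, verdict))
    return verdicts


def lineage(context_sets, writes, root):
    """Depth-first walk yielding (depth, pid, image, how), how in root/spawned/hollowed.

    Assumption: a write from A into B means A created B, so the write edges
    double as the parent-child map for this excerpt.
    """
    hollowed = {(s, d) for s, d, _, _ in context_sets}
    children, images = {}, {}
    for src, dst, src_img, dst_img in list(writes) + context_sets:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        children.setdefault(src, {}).setdefault(dst, dst_img)
    out = []

    def walk(pid, how, depth, seen):
        if pid in seen:
            return
        seen.add(pid)
        out.append((depth, pid, images[pid], how))
        for child in children.get(pid, {}):
            walk(child, "hollowed" if (pid, child) in hollowed else "spawned", depth + 1, seen)

    walk(root, "root", 0, set())
    return out


if __name__ == "__main__":
    cs, ws = parse_events(EVENTS)
    for src, dst, img, n, verdict in classify(cs, ws):
        print(f"{src} -> {dst} {img}: {n} write(s), {verdict}")
    for depth, pid, img, how in lineage(cs, ws, "1340"):
        print("  " * depth + f"{pid} {img} ({how})")
```

Run on the full tables the same walk reproduces the tree below: a loader stub that hollows a copy of itself, spawns a copy of the dropped explorer.exe, which hollows itself in turn and then fans out into the spoolsv.exe copies, each of which repeats the trick.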
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8cce9c59c7d9c9787a6927a03068b19_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe", depth 8)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe", depth 8)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe", depth 8)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
  - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
  - Drops file in Windows directory
- \??\c:\windows\system\explorer.exe (cmdline: "c:\windows\system\explorer.exe", depth 8)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Suspicious use of SetThreadContext
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: "c:\windows\system\spoolsv.exe", depth 6)
- \??\c:\windows\system\explorer.exe (cmdline: c:\windows\system\explorer.exe, depth 7)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
  - Drops file in Windows directory
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
- \??\c:\windows\system\spoolsv.exe (cmdline: c:\windows\system\spoolsv.exe SE, depth 5)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc, depth 1)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- C:\Windows\Parameters.ini
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Windows\Parameters.ini
  Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- C:\Windows\System\explorer.exe
  Filesize: 2.2MB
  MD5: d2f35a8ba5821a1973e98ab5c3880492
  SHA1: 11b58003419e92702a605232471d47bf022571b0
  SHA256: ddd17e19f75385d2d7472a954af8398d1fcab8c9c18e20b7a6d5b533d77af9ca
  SHA512: 0180b53941ccc5685f9b1f9bfc8877187f655347b4adc8f2d1c690f4a49279e715da22a24401bbf7dc8791a4eeee6cacb3c0f2af45128b68c51e0e4548dfcfa1
- C:\Windows\System\spoolsv.exe
  Filesize: 2.2MB
  MD5: 8ed5edd77dcb91a78c6f2eb0c89da89a
  SHA1: b9676e4fcbc97a3c6357d8e3c1f00810b0cb1b00
  SHA256: f77294f1318fa7486fb34af9f99c8e46138e51ff29fbb127a226ae0cd000d5cb
  SHA512: 1f5cd388886fda41b34a60bcf0e3a96e6147b959f5f6f67b6d0433de871be9e432af7155015c393ac4de0841f6072bbf73b0cf7acf50ed8acc65d4778f0c10c1
- memory/212-3727-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/552-2585-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/752-1997-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/776-3501-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/776-3581-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1028-3509-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1028-3513-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1112-1486-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1132-5503-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1132-5405-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1144-2473-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1164-2980-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1184-1928-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1184-2059-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1212-2905-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1212-2776-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1340-36-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1340-38-0x0000000002360000-0x0000000002361000-memory.dmp (Filesize: 4KB)
- memory/1340-42-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1340-0-0x0000000002360000-0x0000000002361000-memory.dmp (Filesize: 4KB)
- memory/1356-1929-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1356-793-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1384-1927-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1452-1926-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1460-2298-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1460-2303-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1472-2091-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1532-90-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1532-85-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1604-3376-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1624-1631-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1632-4343-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1632-4483-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1672-2724-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1672-2575-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1692-1135-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1768-4566-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1768-4569-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1796-1326-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1956-2960-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2140-3280-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2140-3131-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2152-4018-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2176-2784-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2180-1815-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2188-2093-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2188-1133-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2236-4557-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2236-4701-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2348-2267-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2348-2092-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2416-2970-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2712-1925-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2736-77-0x0000000000440000-0x0000000000509000-memory.dmp (Filesize: 804KB)
- memory/2736-79-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2736-41-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2736-39-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2840-1485-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2884-2309-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2884-2314-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2900-4165-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2904-5321-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2904-5318-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3036-2947-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3152-2396-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3300-2000-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3300-976-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3372-1630-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3512-2126-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3524-4174-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3592-2685-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3596-2325-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3596-2322-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3648-4890-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3648-4974-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3652-4355-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3708-3740-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3792-2009-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3812-1487-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3868-2552-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3868-2454-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3928-2436-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4000-2002-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4000-1998-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4384-2593-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4404-2100-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4440-1816-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4528-5239-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4540-2207-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4548-89-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4548-792-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4564-3232-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4564-3229-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4684-2010-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4716-1134-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4748-1327-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4772-1817-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4900-2011-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4900-977-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4912-4745-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4944-4027-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4960-5069-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4960-5211-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4964-2793-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/5016-4649-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/5040-5231-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/5040-5379-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)