Analysis
max time kernel: 148s
max time network: 52s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 14-06-2024 08:48
Behavioral task: behavioral1
Sample: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
Size: 2.2MB
MD5: a8ce89f645360a94d3f5047921950625
SHA1: 6d7b7f1edfc7bf341b3c7830ad4cabf89170c76c
SHA256: f10db93e25e680bc4e8a81a3ca8588b1b21ae42f9375ec037d7d832de0f38658
SHA512: 0b64e340845617b2437ccb6be975665b9089fcadb474b22de1edfbd46522e9a5b32a9a6acb8185f12061a9a08d31d058a407806af8da83074ffd89c1274c14cd
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZH:0UzeyQMS4DqodCnoe+iitjWwwL
Malware Config
Extracted
Family: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Drops startup file (2 IoCs)
Processes: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe | a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe | a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Processes: explorer.exe, spoolsv.exe
pid process (in launch order):
1648 explorer.exe, 2732 explorer.exe, 2116 spoolsv.exe, 4528 spoolsv.exe, 4372 spoolsv.exe, 3220 spoolsv.exe, 1284 spoolsv.exe, 1844 spoolsv.exe,
5048 spoolsv.exe, 4924 spoolsv.exe, 2152 spoolsv.exe, 4628 spoolsv.exe, 3760 spoolsv.exe, 3172 spoolsv.exe, 4988 spoolsv.exe, 980 spoolsv.exe,
3264 spoolsv.exe, 3960 spoolsv.exe, 4708 spoolsv.exe, 4832 spoolsv.exe, 3140 spoolsv.exe, 516 spoolsv.exe, 812 spoolsv.exe, 1216 spoolsv.exe,
3572 spoolsv.exe, 2236 spoolsv.exe, 2268 spoolsv.exe, 3008 spoolsv.exe, 4908 spoolsv.exe, 3224 spoolsv.exe, 4348 spoolsv.exe, 868 spoolsv.exe,
1716 spoolsv.exe, 4480 spoolsv.exe, 4272 spoolsv.exe, 2552 spoolsv.exe, 4592 spoolsv.exe, 3292 explorer.exe, 1516 spoolsv.exe, 3044 spoolsv.exe,
4568 spoolsv.exe, 4572 spoolsv.exe, 4548 spoolsv.exe, 1532 spoolsv.exe, 4916 spoolsv.exe, 4912 spoolsv.exe, 916 spoolsv.exe, 4876 spoolsv.exe,
4864 spoolsv.exe, 4756 spoolsv.exe, 640 spoolsv.exe, 4836 spoolsv.exe, 3748 spoolsv.exe, 1824 spoolsv.exe, 4472 spoolsv.exe, 2592 explorer.exe,
2676 spoolsv.exe, 4800 spoolsv.exe, 4632 spoolsv.exe, 5068 spoolsv.exe, 4312 spoolsv.exe, 3844 spoolsv.exe, 2788 spoolsv.exe, 3692 spoolsv.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Suspicious use of SetThreadContext (54 IoCs)
Processes: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe, explorer.exe, spoolsv.exe
Each entry is "PID <source pid> (<source process>) set thread context of <target pid> (<target process>)":
PID 5112 (a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe) set thread context of 1272 (a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe)
PID 1648 (explorer.exe) set thread context of 2732 (explorer.exe)
PID 2116 (spoolsv.exe) set thread context of 4592 (spoolsv.exe)
PID 4528 (spoolsv.exe) set thread context of 1516 (spoolsv.exe)
PID 4372 (spoolsv.exe) set thread context of 3044 (spoolsv.exe)
PID 3220 (spoolsv.exe) set thread context of 4568 (spoolsv.exe)
PID 1284 (spoolsv.exe) set thread context of 4572 (spoolsv.exe)
PID 1844 (spoolsv.exe) set thread context of 4548 (spoolsv.exe)
PID 5048 (spoolsv.exe) set thread context of 1532 (spoolsv.exe)
PID 4924 (spoolsv.exe) set thread context of 4916 (spoolsv.exe)
PID 2152 (spoolsv.exe) set thread context of 4912 (spoolsv.exe)
PID 4628 (spoolsv.exe) set thread context of 916 (spoolsv.exe)
PID 3760 (spoolsv.exe) set thread context of 4876 (spoolsv.exe)
PID 3172 (spoolsv.exe) set thread context of 4864 (spoolsv.exe)
PID 4988 (spoolsv.exe) set thread context of 640 (spoolsv.exe)
PID 980 (spoolsv.exe) set thread context of 4836 (spoolsv.exe)
PID 3264 (spoolsv.exe) set thread context of 3748 (spoolsv.exe)
PID 3960 (spoolsv.exe) set thread context of 1824 (spoolsv.exe)
PID 4708 (spoolsv.exe) set thread context of 4472 (spoolsv.exe)
PID 4832 (spoolsv.exe) set thread context of 2676 (spoolsv.exe)
PID 3140 (spoolsv.exe) set thread context of 4800 (spoolsv.exe)
PID 516 (spoolsv.exe) set thread context of 4632 (spoolsv.exe)
PID 812 (spoolsv.exe) set thread context of 5068 (spoolsv.exe)
PID 1216 (spoolsv.exe) set thread context of 4312 (spoolsv.exe)
PID 3572 (spoolsv.exe) set thread context of 3844 (spoolsv.exe)
PID 2236 (spoolsv.exe) set thread context of 2788 (spoolsv.exe)
PID 2268 (spoolsv.exe) set thread context of 3692 (spoolsv.exe)
PID 3008 (spoolsv.exe) set thread context of 5012 (spoolsv.exe)
PID 4908 (spoolsv.exe) set thread context of 4788 (spoolsv.exe)
PID 3224 (spoolsv.exe) set thread context of 2044 (spoolsv.exe)
PID 4348 (spoolsv.exe) set thread context of 1608 (spoolsv.exe)
PID 868 (spoolsv.exe) set thread context of 1600 (spoolsv.exe)
PID 1716 (spoolsv.exe) set thread context of 2148 (spoolsv.exe)
PID 4480 (spoolsv.exe) set thread context of 1796 (spoolsv.exe)
PID 4272 (spoolsv.exe) set thread context of 4464 (spoolsv.exe)
PID 2552 (spoolsv.exe) set thread context of 3728 (spoolsv.exe)
PID 3292 (explorer.exe) set thread context of 1952 (explorer.exe)
PID 4756 (spoolsv.exe) set thread context of 4560 (spoolsv.exe)
PID 2592 (explorer.exe) set thread context of 468 (explorer.exe)
PID 4564 (spoolsv.exe) set thread context of 1076 (spoolsv.exe)
PID 4328 (explorer.exe) set thread context of 1728 (explorer.exe)
PID 3776 (spoolsv.exe) set thread context of 3156 (spoolsv.exe)
PID 4604 (explorer.exe) set thread context of 3160 (explorer.exe)
PID 768 (spoolsv.exe) set thread context of 4188 (spoolsv.exe)
PID 1236 (explorer.exe) set thread context of 732 (explorer.exe)
PID 3624 (spoolsv.exe) set thread context of 2816 (spoolsv.exe)
PID 4728 (spoolsv.exe) set thread context of 4312 (spoolsv.exe)
PID 4716 (spoolsv.exe) set thread context of 5004 (spoolsv.exe)
PID 3544 (spoolsv.exe) set thread context of 3328 (spoolsv.exe)
PID 972 (spoolsv.exe) set thread context of 4552 (spoolsv.exe)
PID 1984 (spoolsv.exe) set thread context of 648 (spoolsv.exe)
PID 3752 (spoolsv.exe) set thread context of 1988 (spoolsv.exe)
PID 3912 (spoolsv.exe) set thread context of 5008 (spoolsv.exe)
PID 3848 (spoolsv.exe) set thread context of 4608 (spoolsv.exe)
Drops file in Windows directory (64 IoCs)
Processes: spoolsv.exe, explorer.exe, a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
description | ioc | process (count)
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (49 entries)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe (11 entries)
File opened for modification | C:\Windows\Parameters.ini | a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe (1 entry)
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe (1 entry)
File opened for modification | \??\c:\windows\system\explorer.exe | a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe (1 entry)
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe (1 entry)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe, explorer.exe
pid process (count)
1272 a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe (2 entries)
2732 explorer.exe (62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: explorer.exe
pid process
2732 explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Processes: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe, explorer.exe, spoolsv.exe
pid process (count)
1272 a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe (2 entries)
2732 explorer.exe (4 entries)
Two entries each for the following spoolsv.exe pids:
4592, 1516, 3044, 4568, 4572, 4548, 1532, 4916, 4912, 916, 4876, 4864, 640, 4836, 3748, 1824, 4472, 2676, 4800, 4632, 5068, 4312, 3844, 2788, 3692, 5012, 4788, 2044, 1608
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe, explorer.exe
Each entry is "PID <source pid> (<source process>) wrote to memory of <target pid> (<target process>)", with the number of repeated entries in brackets:
PID 5112 (a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe) wrote to memory of 1316 (splwow64.exe) [2 entries]
PID 5112 (a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe) wrote to memory of 1272 (a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe) [5 entries]
PID 1272 (a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe) wrote to memory of 1648 (explorer.exe) [3 entries]
PID 1648 (explorer.exe) wrote to memory of 2732 (explorer.exe) [5 entries]
PID 2732 (explorer.exe) wrote to memory of each of the following spoolsv.exe pids [3 entries each]: 2116, 4528, 4372, 3220, 1284, 1844, 5048, 4924, 2152, 4628, 3760, 3172, 4988, 980, 3264, 3960
PID 2732 (explorer.exe) wrote to memory of 4708 (spoolsv.exe) [1 entry; the 64-entry list ends here]
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe"
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a8ce89f645360a94d3f5047921950625_JaffaCakes118.exe"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Depth 3: \??\c:\windows\system\explorer.exe
Command line: c:\windows\system\explorer.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Depth 4: \??\c:\windows\system\explorer.exe
Command line: "c:\windows\system\explorer.exe"
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 7: \??\c:\windows\system\explorer.exe
Command line: c:\windows\system\explorer.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 8: \??\c:\windows\system\explorer.exe
Command line: "c:\windows\system\explorer.exe"
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 7: \??\c:\windows\system\explorer.exe
Command line: c:\windows\system\explorer.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
Depth 8: \??\c:\windows\system\explorer.exe
Command line: "c:\windows\system\explorer.exe"
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
Depth 6: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx
-
Depth 7: \??\c:\windows\system\explorer.exe
Command line: c:\windows\system\explorer.exe
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
Depth 8: \??\c:\windows\system\explorer.exe
Command line: "c:\windows\system\explorer.exe"
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
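The tree above is one pair of moves repeated: a copy of spoolsv.exe or explorer.exe dropped into c:\windows\system (neither name lives there on a clean install; the print spooler is C:\Windows\System32\spoolsv.exe and the shell is C:\Windows\explorer.exe) launches itself again, and the parent carries the SetThreadContext signature, which is the suspended-self-copy-then-overwrite shape of process hollowing. The script below is an added example, not part of the sandbox report or of tria.ge's tooling. It runs two checks over constructed process-creation events modelled on the tree (the field names pid/ppid/image/cmdline are an assumption; map them from Sysmon Event ID 1 or your EDR schema): path masquerading for these two names, and parent/child pairs that share one image path. The benign PrintWorkflow svchost line from the report and a constructed entry for the real spooler are included so the checks have something they must stay quiet on.

```python
import re
from typing import Dict, List

Event = Dict[str, object]

# Legitimate on-disk location of the two names the dropped files borrow
# (lowercase, without the \??\ prefix the sandbox prints). The same basename
# anywhere else is masquerading, whatever the file claims to be.
EXPECTED_LOCATION = {
    "spoolsv.exe": r"c:\windows\system32\spoolsv.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}

# Constructed events mirroring the report's tree. PIDs and the pid/ppid/
# image/cmdline field names are assumptions for the example.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 1000, "ppid": 800,  "image": r"\??\c:\windows\system\spoolsv.exe",
     "cmdline": r"c:\windows\system\spoolsv.exe SE"},
    {"pid": 1010, "ppid": 1000, "image": r"\??\c:\windows\system\spoolsv.exe",
     "cmdline": r'"c:\windows\system\spoolsv.exe"'},
    {"pid": 1020, "ppid": 1010, "image": r"\??\c:\windows\system\explorer.exe",
     "cmdline": r"c:\windows\system\explorer.exe"},
    {"pid": 1030, "ppid": 1020, "image": r"\??\c:\windows\system\explorer.exe",
     "cmdline": r'"c:\windows\system\explorer.exe"'},
    # Benign: the service host line the report itself shows at depth 1.
    {"pid": 2000, "ppid": 600,  "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"},
    # Benign (constructed): the real print spooler in its proper place.
    {"pid": 2100, "ppid": 600,  "image": r"C:\Windows\System32\spoolsv.exe",
     "cmdline": r"C:\Windows\System32\spoolsv.exe"},
]


def norm_path(path: str) -> str:
    """Drop the NT object-manager prefix (\\??\\) and lowercase for comparison."""
    return re.sub(r"^\\\?\?\\", "", path).lower()


def masquerade_findings(events: List[Event]) -> List[Event]:
    """Processes whose basename is a protected name but whose path is not the
    legitimate one."""
    found = []
    for ev in events:
        image = norm_path(str(ev["image"]))
        expected = EXPECTED_LOCATION.get(image.rsplit("\\", 1)[-1])
        if expected is not None and image != expected:
            found.append({"pid": ev["pid"], "image": image, "expected": expected})
    return found


def self_respawn_findings(events: List[Event]) -> List[Event]:
    """Children whose parent runs the identical image path. Together with a
    SetThreadContext call in the parent this is the hollowing shape: start
    your own copy suspended, replace its image, resume it."""
    by_pid = {ev["pid"]: ev for ev in events}
    found = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent and norm_path(str(parent["image"])) == norm_path(str(ev["image"])):
            found.append({"pid": ev["pid"], "ppid": parent["pid"],
                          "parent_cmdline": parent["cmdline"],
                          "cmdline": ev["cmdline"]})
    return found


def triage(events: List[Event]) -> Dict[str, List[Event]]:
    return {"masquerade": masquerade_findings(events),
            "self_respawn": self_respawn_findings(events)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_EVENTS).items():
        for hit in hits:
            print(kind, hit)
```

On the sample events the masquerade check fires on all four c:\windows\system processes and the self-respawn check on the two re-launched children (the ones whose parent ran with the SE argument), while the two benign entries stay silent. The respawn check is generic: a legitimate parent that spawns its own binary (a browser, an updater) will also match, so use it as an enrichment that is combined with the masquerade hit or an injection telemetry event rather than as an alert on its own.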
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
-
C:\Windows\Parameters.ini
Filesize 74B
MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
C:\Windows\System\explorer.exe
Filesize 2.2MB
MD5 872e96b4d72b419ae69a77ebbfe4ec51
SHA1 7b5e777090329a6e6316b740a30a4675c3f897bf
SHA256 af7590a06193e379107484684962e603a29816f5129e96ac345dae5ee8fe300b
SHA512 36fceddd0e044cd26e19c25359e2a777d4b06538336f9bc1ca3873824d4109856b0a24996bc63cf2e7dc0addf7a3e429cbd2c08be4b7f0091e0fed57931241a3
-
C:\Windows\System\spoolsv.exe
Filesize 2.2MB
MD5 1a92c1f3cab416a8ec906bd249bdd350
SHA1 a13428748df2c8d462f5b642ae0d38e57ea8392d
SHA256 3538aa85af799c614ee4de94bf1eaae4362b4347ab861bb16b12797e789daa86
SHA512 8d73b80916f63833c17edab2123ff3442ebb74a47598207d7b876426b6d1d24a781ee13dbd3f85bcb12da420bef64b7ca1f8666b78509d3f0fcd44ec99a57701
-
memory/468-3763-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/516-2053-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/640-2344-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/648-4799-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/732-4105-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/812-2054-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/916-2316-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/916-2333-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/980-1548-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/1076-4031-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1076-3932-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1216-2207-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/1272-87-0x0000000000440000-0x0000000000509000-memory.dmp  Filesize 804KB
-
memory/1272-94-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1272-49-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1272-51-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1284-1359-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/1516-2222-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1532-2289-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1600-2943-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1600-2834-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1608-2719-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1648-105-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/1648-100-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/1728-3949-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1824-2379-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1844-1360-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/1952-3740-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1952-3743-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1988-4756-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/1988-4752-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/2116-2201-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/2116-1235-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/2148-2844-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/2152-1363-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/2236-2209-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/2268-2210-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/2676-2398-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/2732-104-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/2732-1234-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/2788-2512-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/2816-4115-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/2816-4112-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3008-2211-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/3044-2240-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3140-1875-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/3156-4276-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3156-4073-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3160-4084-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3172-1546-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/3220-1238-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/3232-4988-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3264-1549-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/3328-4379-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3572-2208-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/3692-2592-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3728-3846-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3728-3732-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3748-2365-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3748-2367-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3760-1365-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/3844-2443-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/3960-1700-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/4188-4092-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4312-2437-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4312-4218-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4372-1237-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/4464-2955-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4464-3062-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4472-2388-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4528-1236-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/4548-2276-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4552-4727-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4552-4593-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4560-3749-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4560-3754-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4572-2264-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4592-2212-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4608-4865-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4608-4861-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4628-1364-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/4632-2417-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4632-2415-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4708-1735-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/4788-2701-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4800-2406-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4832-1874-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/4836-2357-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4836-2352-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4864-2329-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4864-2336-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4876-2323-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4912-2308-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4912-2305-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4916-2297-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/4924-1362-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/4988-1547-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/5004-4434-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/5004-4300-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/5008-4853-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/5012-2694-0x0000000000400000-0x000000000043E000-memory.dmp  Filesize 248KB
-
memory/5048-1361-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/5112-0-0x00000000008C0000-0x00000000008C1000-memory.dmp  Filesize 4KB
-
memory/5112-52-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
-
memory/5112-48-0x00000000008C0000-0x00000000008C1000-memory.dmp  Filesize 4KB
-
memory/5112-46-0x0000000000400000-0x00000000005D3000-memory.dmp  Filesize 1.8MB
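Nearly every dump in this list starts at 0x400000, the default image base of a non-relocated 32-bit PE, but with two different extents: 0x400000-0x5D3000 (1.8MB) in one set of PIDs and 0x400000-0x43E000 (248KB) in the other, plus an 804KB region in PID 1272 and a 4KB one in PID 5112. Two extents at one base mean two different PE images were observed there, which is consistent with the SetThreadContext self-respawn in the tree: the parent keeps the large image and the re-launched copy ends up with the small one. The report does not say which image is the dropper and which the payload, so the practical step is to split the dumps into the two populations and pull one of each. The script below is an added example, not report or tria.ge code; it parses a subset of the entries copied verbatim from the list above, re-derives the size column from the address range, and groups PIDs by region.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# A subset of the report's memory-dump entries, copied from the list above.
# The remaining entries all have one of these same three shapes.
REPORT_ENTRIES = """
memory/5112-46-0x0000000000400000-0x00000000005D3000-memory.dmp 1.8MB
memory/5112-48-0x00000000008C0000-0x00000000008C1000-memory.dmp 4KB
memory/1272-49-0x0000000000400000-0x000000000043E000-memory.dmp 248KB
memory/1272-87-0x0000000000440000-0x0000000000509000-memory.dmp 804KB
memory/1648-100-0x0000000000400000-0x00000000005D3000-memory.dmp 1.8MB
memory/2732-104-0x0000000000400000-0x000000000043E000-memory.dmp 248KB
memory/468-3763-0x0000000000400000-0x000000000043E000-memory.dmp 248KB
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <size>
ENTRY_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")

Region = Tuple[int, int]


def parse_entries(text: str) -> List[dict]:
    rows = []
    for m in ENTRY_RE.finditer(text):
        pid, seq, start, end, label = m.groups()
        rows.append({"pid": int(pid), "seq": int(seq),
                     "start": int(start, 16), "end": int(end, 16),
                     "label": label})
    return rows


def size_label(row: dict) -> str:
    """Re-derive the report's size column from the address range, so a
    mislabelled or truncated entry stands out when it disagrees."""
    size = row["end"] - row["start"]
    return f"{size / 2**20:.1f}MB" if size >= 2**20 else f"{size // 1024}KB"


def pids_by_region(rows: List[dict]) -> Dict[Region, List[int]]:
    """Map each (start, end) region to the sorted PIDs it was dumped from."""
    grouped: Dict[Region, set] = defaultdict(set)
    for r in rows:
        grouped[(r["start"], r["end"])].add(r["pid"])
    return {reg: sorted(pids) for reg, pids in grouped.items()}


def images_at_base(rows: List[dict], base: int = 0x400000) -> List[Region]:
    """Distinct extents mapped at the same base address. More than one means
    more than one PE image was seen at that base across the run."""
    return sorted({reg for reg in pids_by_region(rows) if reg[0] == base})


def pids_with_both(rows: List[dict], a: Region, b: Region) -> List[int]:
    """PIDs that carried both regions (empty here: a process holds either the
    large image or the small one, never both, in this report's list)."""
    by_region = pids_by_region(rows)
    return sorted(set(by_region.get(a, [])) & set(by_region.get(b, [])))


if __name__ == "__main__":
    rows = parse_entries(REPORT_ENTRIES)
    groups = pids_by_region(rows)
    for reg in images_at_base(rows):
        label = size_label({"start": reg[0], "end": reg[1]})
        print(f"0x{reg[0]:X}-0x{reg[1]:X} ({label}) in PIDs {groups[reg]}")
```

Run against the full list the same way (paste the whole block into REPORT_ENTRIES); the two populations are exactly the 1.8MB and 248KB rows, and no PID appears in both, so taking one dump from each group gives you the loader and the injected image without reading 100 file names by hand. The 804KB region at 0x440000 in PID 1272 sits right after that process's 248KB image and is the natural next thing to open.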