Analysis
max time kernel: 146s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 08:52
Behavioral task: behavioral1
Sample: a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe
Size: 2.2MB
MD5: a8d30948ead7b16c235f9e8eb6848241
SHA1: 9afba754a8f4e041a74a8abbd98a7aa2f0484237
SHA256: 0ad04d3ff44f188fe417201848835923380b0a205d08c24638999c05d86cd9f8
SHA512: f51937d65bec063702c2b056e80be6bdb76ec2b0d07223edab2bc45cbee03e48957e2ea081374a6935b00a6b2842ad088242dc9d8e74b525511e76d9b598a6cd
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZh:0UzeyQMS4DqodCnoe+iitjWwwV
Malware Config
Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Drops startup file (2 IoCs)
Processes: a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe | a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe | a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Processes: explorer.exe, spoolsv.exe
pid | process (grouped by image; 64 entries in total)
explorer.exe: 1600, 436, 3768, 3884, 4012, 3088, 2964
spoolsv.exe: 3860, 2580, 660, 2120, 372, 4144, 5028, 3252, 3248, 4552, 4508, 3896, 4196, 2084, 2172, 1572, 2492, 1380, 3992, 2320, 3932, 4548, 1728, 1556, 4712, 3456, 1960, 3104, 2240, 1640, 4644, 2884, 1232, 3652, 632, 2572, 2184, 5108, 3732, 1416, 944, 1460, 508, 3944, 5016, 1508, 3080, 1800, 4932, 2592, 2256, 2864, 540, 4168, 908, 4100, 2924
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext (52 IoCs)
Processes: a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe, explorer.exe, spoolsv.exe
description: set thread context of | source pid, process -> target pid, process
4220 a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe -> 3112 a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe
1600 explorer.exe -> 436 explorer.exe
3860 spoolsv.exe -> 4644 spoolsv.exe
2580 spoolsv.exe -> 2884 spoolsv.exe
660 spoolsv.exe -> 1232 spoolsv.exe
2120 spoolsv.exe -> 632 spoolsv.exe
372 spoolsv.exe -> 2572 spoolsv.exe
4144 spoolsv.exe -> 2184 spoolsv.exe
5028 spoolsv.exe -> 5108 spoolsv.exe
3252 spoolsv.exe -> 3732 spoolsv.exe
3248 spoolsv.exe -> 944 spoolsv.exe
4552 spoolsv.exe -> 1460 spoolsv.exe
4508 spoolsv.exe -> 508 spoolsv.exe
3896 spoolsv.exe -> 5016 spoolsv.exe
4196 spoolsv.exe -> 1508 spoolsv.exe
2084 spoolsv.exe -> 3080 spoolsv.exe
2172 spoolsv.exe -> 1800 spoolsv.exe
1572 spoolsv.exe -> 4932 spoolsv.exe
2492 spoolsv.exe -> 2592 spoolsv.exe
1380 spoolsv.exe -> 2864 spoolsv.exe
3992 spoolsv.exe -> 540 spoolsv.exe
2320 spoolsv.exe -> 4168 spoolsv.exe
3932 spoolsv.exe -> 908 spoolsv.exe
4548 spoolsv.exe -> 2924 spoolsv.exe
1728 spoolsv.exe -> 3040 spoolsv.exe
1556 spoolsv.exe -> 64 spoolsv.exe
4712 spoolsv.exe -> 1004 spoolsv.exe
3456 spoolsv.exe -> 1848 spoolsv.exe
1960 spoolsv.exe -> 3352 spoolsv.exe
3104 spoolsv.exe -> 948 spoolsv.exe
2240 spoolsv.exe -> 3416 spoolsv.exe
1640 spoolsv.exe -> 2668 spoolsv.exe
3768 explorer.exe -> 4340 explorer.exe
3652 spoolsv.exe -> 4928 spoolsv.exe
3884 explorer.exe -> 5068 explorer.exe
1416 spoolsv.exe -> 1244 spoolsv.exe
4012 explorer.exe -> 4716 explorer.exe
3944 spoolsv.exe -> 4112 spoolsv.exe
3088 explorer.exe -> 2436 explorer.exe
2256 spoolsv.exe -> 2888 spoolsv.exe
2964 explorer.exe -> 4376 explorer.exe
4100 spoolsv.exe -> 1240 spoolsv.exe
2740 explorer.exe -> 3500 explorer.exe
1036 spoolsv.exe -> 1792 spoolsv.exe
3176 explorer.exe -> 1224 explorer.exe
2756 spoolsv.exe -> 832 spoolsv.exe
3208 spoolsv.exe -> 4628 spoolsv.exe
4968 spoolsv.exe -> 752 spoolsv.exe
4220 explorer.exe -> 1008 explorer.exe
1568 spoolsv.exe -> 3216 spoolsv.exe
4948 spoolsv.exe -> 4576 spoolsv.exe
4416 explorer.exe -> 3256 explorer.exe
Drops file in Windows directory (64 IoCs)
Processes: spoolsv.exe, explorer.exe, a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe
description | ioc | process (entries grouped by path and process; 64 entries in total)
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (46 entries)
File opened for modification | C:\Windows\Parameters.ini | explorer.exe (13 entries)
File opened for modification | C:\Windows\Parameters.ini | a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe (1 entry)
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe (1 entry)
File opened for modification | \??\c:\windows\system\explorer.exe | a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe (1 entry)
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe (1 entry)
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe (1 entry)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe, explorer.exe
pid | process
3112 | a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe (2 entries)
436 | explorer.exe (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: explorer.exe
pid | process
436 | explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Processes: a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe, explorer.exe, spoolsv.exe
pid | process | entries
3112 | a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe | 2
436 | explorer.exe | 4
spoolsv.exe, 2 entries each: 4644, 2884, 1232, 632, 2572, 2184, 5108, 3732, 944, 1460, 508, 5016, 1508, 3080, 1800, 4932, 2592, 2864, 540, 4168, 908, 2924, 3040, 64, 1004, 1848, 3352, 948, 3416
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe, explorer.exe
description: wrote to memory of | source pid, process -> target pid, process | entries
4220 a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe -> 2996 splwow64.exe | 2
4220 a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe -> 3112 a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe | 5
3112 a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe -> 1600 explorer.exe | 3
1600 explorer.exe -> 436 explorer.exe | 5
436 explorer.exe -> 3860 spoolsv.exe | 3
436 explorer.exe -> 2580 spoolsv.exe | 3
436 explorer.exe -> 660 spoolsv.exe | 3
436 explorer.exe -> 2120 spoolsv.exe | 3
436 explorer.exe -> 372 spoolsv.exe | 3
436 explorer.exe -> 4144 spoolsv.exe | 3
436 explorer.exe -> 5028 spoolsv.exe | 3
436 explorer.exe -> 3252 spoolsv.exe | 3
436 explorer.exe -> 3248 spoolsv.exe | 3
436 explorer.exe -> 4552 spoolsv.exe | 3
436 explorer.exe -> 4508 spoolsv.exe | 3
436 explorer.exe -> 3896 spoolsv.exe | 3
436 explorer.exe -> 4196 spoolsv.exe | 3
436 explorer.exe -> 2084 spoolsv.exe | 3
436 explorer.exe -> 2172 spoolsv.exe | 3
436 explorer.exe -> 1572 spoolsv.exe | 3
436 explorer.exe -> 2492 spoolsv.exe | 1 (list ends at the 64-IoC cap)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8d30948ead7b16c235f9e8eb6848241_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe  |  "c:\windows\system\explorer.exe"  (depth 8)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              - Suspicious use of SetThreadContext
              \??\c:\windows\system\explorer.exe  |  "c:\windows\system\explorer.exe"  (depth 8)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe  |  "c:\windows\system\explorer.exe"  (depth 8)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              - Suspicious use of SetThreadContext
              \??\c:\windows\system\explorer.exe  |  "c:\windows\system\explorer.exe"  (depth 8)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              \??\c:\windows\system\explorer.exe  |  "c:\windows\system\explorer.exe"  (depth 8)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
              - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe  |  "c:\windows\system\spoolsv.exe"  (depth 6)
            \??\c:\windows\system\explorer.exe  |  c:\windows\system\explorer.exe  (depth 7)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
          - Drops file in Windows directory
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
        \??\c:\windows\system\spoolsv.exe  |  c:\windows\system\spoolsv.exe SE  (depth 5)
C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc  (depth 1)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- C:\Windows\Parameters.ini
- C:\Windows\Parameters.ini (Filesize 74B)
- C:\Windows\System\explorer.exe (Filesize 2.2MB)
- C:\Windows\System\spoolsv.exe (Filesize 2.2MB)