Analysis
max time kernel: 145s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 09:01
Behavioral task
behavioral1
Sample: a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe
Size: 2.2MB
MD5: a8db3192669748b9fcfbf7730d985445
SHA1: 2349240f13af0296bfb757df9ee06f65eafe7488
SHA256: e27a5d48cf874d8a04a3332280d2c438ffc02a06b88222b555990232ba94dddc
SHA512: 1e3c60d925a5a160cbe2bcd634af82a555a76ccad1c0f0637aaeb05aeabd69e7fdb6bf909dd50c2ca3d629d6677b4856421a46a421314a7aa1e2526a769c81ae
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZS:0UzeyQMS4DqodCnoe+iitjWwwe
Malware Config
Extracted
family: pony
C2 URL: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
Drops startup file (2 IoCs)
  a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe
  a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
  explorer.exe (pid): 740, 636, 4784, 4460, 2492, 232
  spoolsv.exe (pid): 4484, 4024, 2764, 1300, 2948, 2176, 4124, 5004, 5100, 4432, 3500, 5032, 3640, 4440, 1780, 1680, 4856, 4600, 396, 4020, 692, 2228, 5044, 404, 2724, 1364, 4084, 1556, 2420, 228, 2404, 4640, 4912, 4076, 740, 4512, 1344, 4740, 2172, 3980, 3080, 1580, 3248, 1224, 2912, 2132, 4712, 1604, 1472, 4648, 2016, 4144, 3740, 1488, 1168, 2264, 4576, 3892
  (PID 740 appears first as explorer.exe and later as spoolsv.exe: the PID was recycled after the first explorer.exe copy exited, so PID alone is not a stable key for this tree.)
Adds Run key to start application (2 TTPs, 2 IoCs)
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
Suspicious use of SetThreadContext (56 IoCs)
  source pid -> target pid; in every entry the target runs the same image as the source
  a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe -> a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe: 3412 -> 1816
  explorer.exe -> explorer.exe: 740 -> 636, 4784 -> 1476, 4460 -> 4472, 2492 -> 4804, 232 -> 4732, 4592 -> 3132, 1992 -> 1820, 1432 -> 3136, 4604 -> 2712
  spoolsv.exe -> spoolsv.exe: 4484 -> 740, 4024 -> 4512, 2764 -> 1344, 1300 -> 2172, 2948 -> 3980, 2176 -> 3080, 4124 -> 1580, 5004 -> 3248, 5100 -> 1224, 4432 -> 2912, 3500 -> 2132, 5032 -> 1604, 3640 -> 1472, 4440 -> 4648, 1780 -> 2016, 1680 -> 4144, 4856 -> 3740, 4600 -> 1168, 396 -> 2264, 4020 -> 4576, 692 -> 3892, 2228 -> 3600, 5044 -> 5092, 404 -> 1480, 2724 -> 4244, 1364 -> 1876, 4084 -> 2320, 1556 -> 4580, 2420 -> 3788, 228 -> 3928, 2404 -> 4436, 4640 -> 3968, 4912 -> 2084, 4076 -> 2532, 4740 -> 1916, 4712 -> 3084, 1488 -> 1752, 1484 -> 4480, 3552 -> 4508, 1036 -> 696, 4656 -> 4940, 4968 -> 3664, 4056 -> 4812, 4040 -> 4936, 2416 -> 4548, 4560 -> 1568
Drops file in Windows directory (64 IoCs)
  File opened for modification C:\Windows\Parameters.ini: spoolsv.exe (51 entries), explorer.exe (11 entries)
  File opened for modification \??\c:\windows\system\explorer.exe: a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe
  File opened for modification C:\Windows\system\udsys.exe: explorer.exe
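The registry rows above (Winlogon Shell, Active Setup StubPath, the two RunOnce values, ShowSuperHidden) and the file drops share one pattern: well-known image names (explorer.exe, svchost.exe, spoolsv.exe) placed in c:\windows\system instead of their real directories, plus a StubPath that points into the user profile. The following is an added example, not part of this report or of any sandbox rule set: it turns those observations into checks and runs them over records constructed from the report's own rows. The table of "legitimate" directories, the rule names, the treatment of c:\windows\system as a directory nothing should drop executables into, and the simplification that paths carry no spaces are this example's assumptions. Two caveats the checks encode: ShowSuperHidden = 0 is also the Windows default, so on its own it is a weak signal, and the Active Setup key name here contains non-hex characters, which is not a valid GUID and is therefore a cheap pivot on its own.

```python
"""Persistence and masquerading checks over this report's IoC rows.

Added example; not part of the sandbox report or the sample. The records
below are constructed from the report's own signature rows. The "legitimate
directory" table and the rule names are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: where the images whose names this sample reuses live on a
# default x64 install. The same name anywhere else is suspect.
LEGIT_DIRS = {
    "explorer.exe": {"c:\\windows"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
}
# Assumption: the 16-bit-era c:\windows\system directory is near-empty on
# modern Windows, so a new executable there is worth a look by itself.
LEGACY_SYSTEM_DIR = "c:\\windows\\system"


@dataclass(frozen=True)
class RegEvent:
    process: str   # writer, as the report names it
    key: str       # NT-style key path, as the report renders it
    value: str
    data: str      # the report renders string data with escaped backslashes


def normalize_key(key: str) -> str:
    """Map \\REGISTRY\\MACHINE and \\REGISTRY\\USER\\<SID> to hklm / hkcu and drop
    the WOW6432Node redirection so 32-bit and 64-bit writes compare equal."""
    k = key.lower().replace("\\wow6432node", "")
    if k.startswith("\\registry\\machine\\"):
        return "hklm\\" + k[len("\\registry\\machine\\"):]
    if k.startswith("\\registry\\user\\"):
        rest = k[len("\\registry\\user\\"):]
        return "hkcu\\" + rest.split("\\", 1)[1]   # drop the SID
    return k


def clean_path(raw: str) -> str:
    """Unescape, lower-case, strip quotes, the \\??\\ NT prefix and trailing
    arguments (the report's paths contain no spaces, so a split on the first
    space is enough here; quoted paths with spaces would need a real parser)."""
    p = raw.strip().strip('"').replace("\\\\", "\\").lower()
    p = re.sub(r"^\\\?\?\\", "", p)
    return p.split(" ", 1)[0]


def masquerading(raw_path: str) -> bool:
    """True when a well-known system image name sits outside its real directory."""
    p = clean_path(raw_path)
    parent, _, name = p.rpartition("\\")
    return name in LEGIT_DIRS and parent not in LEGIT_DIRS[name]


def classify_drop(raw_path: str) -> Optional[str]:
    """Reason a dropped or modified file is suspicious, or None."""
    p = clean_path(raw_path)
    parent, _, name = p.rpartition("\\")
    if masquerading(p):
        return "system-image-name-outside-its-directory"
    if parent == LEGACY_SYSTEM_DIR and name.endswith(".exe"):
        return "executable-in-legacy-windows-system-dir"
    return None


def check_registry(ev: RegEvent) -> List[str]:
    """Names of the rules an event trips; an empty list means nothing to report."""
    hits: List[str] = []
    key, value = normalize_key(ev.key), ev.value.lower()
    data = ev.data.replace("\\\\", "\\")
    if key.endswith("\\winlogon") and value == "shell":
        # Winlogon launches every comma-separated entry; only explorer.exe belongs here.
        entries = [clean_path(s) for s in data.split(",")]
        if entries not in (["explorer.exe"], ["c:\\windows\\explorer.exe"]):
            hits.append("winlogon-shell-modified")
    if "\\active setup\\installed components\\" in key and value == "stubpath":
        if "\\appdata\\" in data.lower() or masquerading(data):
            hits.append("active-setup-stubpath-in-profile-or-masquerading")
    if re.search(r"\\currentversion\\run(once)?$", key) and masquerading(data):
        hits.append("run-key-masquerading-binary")
    if key.endswith("\\explorer\\advanced") and value == "showsuperhidden" and data == "0":
        # Weak on its own: 0 is also the Windows default. It only carries weight
        # as a correlated event next to the persistence writes above.
        hits.append("showsuperhidden-reset (weak)")
    return hits


REPORT_EVENTS = [  # constructed from the report's signature rows
    RegEvent("explorer.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "shell", r"C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"),
    RegEvent("explorer.exe",
             r"\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
             "ShowSuperHidden", "0"),
    RegEvent("explorer.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}",
             "StubPath", r"C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"),
    RegEvent("explorer.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
             "Explorer", r"c:\\windows\\system\\explorer.exe RO"),
    RegEvent("explorer.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
             "Svchost", r"c:\\windows\\system\\svchost.exe RO"),
]
DROPPED_FILES = [  # constructed from the "Drops file in Windows directory" rows
    r"\??\c:\windows\system\explorer.exe",
    r"C:\Windows\system\udsys.exe",
    r"C:\Windows\Parameters.ini",
]


def triage():
    """Run every rule over the constructed records; returns (registry, files)."""
    reg = {ev.value: check_registry(ev) for ev in REPORT_EVENTS}
    files = {p: classify_drop(p) for p in DROPPED_FILES}
    return reg, files


if __name__ == "__main__":
    for section in triage():
        for k, v in section.items():
            print(f"{k:45} -> {v}")
```

Every RunOnce and Winlogon value trips the masquerading rule because the dropped copies live in c:\windows\system, not in C:\Windows or System32; the StubPath trips on the profile directory; Parameters.ini returns None because the rules say nothing about .ini files, which is the point: the checks are narrow enough to explain each hit.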
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  1816 a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe (2 entries); 636 explorer.exe (62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  636 explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
  1816 a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe (2 entries); 636 explorer.exe (4 entries); two entries each for spoolsv.exe pids 740, 4512, 1344, 2172, 3980, 3080, 1580, 3248, 1224, 2912, 2132, 1604, 1472, 4648, 2016, 4144, 3740, 1168, 2264, 4576, 3892, 3600, 5092, 1480, 4244, 1876, 2320, 4580, 3788
Suspicious use of WriteProcessMemory (64 IoCs; the list is capped at 64 entries)
  source pid -> target pid (source image -> target image): number of entries
  3412 -> 1664 (a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe -> splwow64.exe): 2
  3412 -> 1816 (a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe -> a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe): 5
  1816 -> 740 (a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe -> explorer.exe): 3
  740 -> 636 (explorer.exe -> explorer.exe): 5
  636 -> spoolsv.exe children, 3 entries each: 4484, 4024, 2764, 1300, 2948, 2176, 4124, 5004, 5100, 4432, 3500, 5032, 3640, 4440, 1780, 1680; 1 entry for 4856 (cut off by the 64-entry cap)
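Read together, the WriteProcessMemory and SetThreadContext tables describe the process-hollowing (RunPE) shape: a process starts a suspended copy of its own image, writes into it, redirects the entry point with SetThreadContext and resumes it. The pairs that carry both a write and a context change (3412 -> 1816, 740 -> 636) are that shape; a write alone (3412 -> 1664 splwow64.exe, 1816 -> 740, 636 -> each spoolsv.exe) is what the parent side of ordinary process creation also looks like. The following is an added example, not code from the report or from the sandbox: it parses a subset of the rows in the text form this report renders them, correlates writes with context changes, and lists PIDs that show up under two image names. The heuristic and the output field names are this example's assumptions.

```python
"""Correlate this report's WriteProcessMemory and SetThreadContext rows into
process-hollowing candidates and spot recycled PIDs.

Added example; not from the sandbox or the sample. SAMPLE_ROWS is a subset of
the report's IoC rows, copied in the text form the report uses. The
correlation heuristic (memory write plus SetThreadContext from the same
source into a child running the same image) is this example's, not a rule
the report states.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# One row as rendered: "PID <src> <verb> <dst> <src> <src image> <dst image>"
ROW = re.compile(
    r"PID (?P<src>\d+) (?P<kind>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


class Event(NamedTuple):
    kind: str      # "write" or "setctx"
    src: int
    dst: int
    src_img: str
    dst_img: str


def parse(rows: str) -> List[Event]:
    """Turn the report's rows into events; an unparseable row is an error,
    not silently skipped, so a format drift does not hide findings."""
    events = []
    for line in rows.strip().splitlines():
        m = ROW.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        kind = "setctx" if m["kind"].startswith("set") else "write"
        events.append(Event(kind, int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def hollowing_candidates(events: List[Event]) -> List[dict]:
    """A (src, dst) pair that received both a memory write and a
    SetThreadContext is the RunPE shape: spawn suspended, overwrite, redirect
    the thread, resume. self_image marks the relaunch-yourself variant this
    sample uses at every stage. write_observed is False when the write fell
    outside the report's 64-entry cap, which is why the flag is recorded
    rather than used to drop the candidate."""
    wrote = {(e.src, e.dst) for e in events if e.kind == "write"}
    seen = set()
    out = []
    for e in events:
        if e.kind != "setctx" or (e.src, e.dst) in seen:
            continue
        seen.add((e.src, e.dst))
        out.append({
            "injector": e.src,
            "target": e.dst,
            "image": e.dst_img,
            "write_observed": (e.src, e.dst) in wrote,
            "self_image": e.src_img == e.dst_img,
        })
    return out


def pid_reuse(events: List[Event]) -> Dict[int, List[str]]:
    """PIDs seen with more than one image name. Windows recycles PIDs quickly,
    so anything keyed on PID alone must also key on image (or better, on the
    process start time) before it joins rows across a tree like this one."""
    images = defaultdict(list)
    for e in events:
        for pid, img in ((e.src, e.src_img), (e.dst, e.dst_img)):
            if img not in images[pid]:
                images[pid].append(img)
    return {pid: imgs for pid, imgs in images.items() if len(imgs) > 1}


SAMPLE_ROWS = """
PID 3412 wrote to memory of 1664 3412 a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe splwow64.exe
PID 3412 wrote to memory of 1816 3412 a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe
PID 3412 set thread context of 1816 3412 a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe
PID 1816 wrote to memory of 740 1816 a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe explorer.exe
PID 740 wrote to memory of 636 740 explorer.exe explorer.exe
PID 740 set thread context of 636 740 explorer.exe explorer.exe
PID 636 wrote to memory of 4484 636 explorer.exe spoolsv.exe
PID 4484 set thread context of 740 4484 spoolsv.exe spoolsv.exe
"""


def summarize(rows: str = SAMPLE_ROWS) -> dict:
    """Parse the rows and return both findings in one structure."""
    ev = parse(rows)
    return {"hollowing": hollowing_candidates(ev), "pid_reuse": pid_reuse(ev)}


if __name__ == "__main__":
    result = summarize()
    for c in result["hollowing"]:
        print(f"{c['injector']} -> {c['target']} {c['image']} "
              f"write={c['write_observed']} self_image={c['self_image']}")
    print("recycled pids:", result["pid_reuse"])
```

On the subset above the three SetThreadContext pairs come out as self-image hollowing candidates, the splwow64.exe write does not, and PID 740 is reported under both explorer.exe and spoolsv.exe, which is the recycled PID the Executes dropped EXE table also shows.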
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8db3192669748b9fcfbf7730d985445_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Executes dropped EXE
- Suspicious use of SetThreadContext

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (level 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (level 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Suspicious use of SetThreadContext

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (level 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Suspicious use of SetThreadContext

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (level 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (level 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Drops file in Windows directory

\??\c:\windows\system\explorer.exe  cmdline: "c:\windows\system\explorer.exe"  (level 8)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: "c:\windows\system\spoolsv.exe"  (level 6)

\??\c:\windows\system\explorer.exe  cmdline: c:\windows\system\explorer.exe  (level 7)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)

\??\c:\windows\system\spoolsv.exe  cmdline: c:\windows\system\spoolsv.exe SE  (level 5)

C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc  (level 1)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- C:\Windows\Parameters.ini
  Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
- C:\Windows\System\explorer.exe
  Filesize: 2.2MB
  MD5: ee1205b7dabbce810e7f36f5496c7dc7
  SHA1: bd0c031ccb4558ce36f37a6b26c1da189a05a73f
  SHA256: 3d64160dd06d88a11184da6a40684327d2a7a8b8ab46ee1f26557cc448fa24e8
  SHA512: 0f2da1846070bde3dd42817bc5e1c51328fd0345675e18b9c0564f4b962d629f332fcd22c38f7ed56e3e3f35baa00857d5b7e10ed35fe0e9cd9fac7fe3a84f49
- C:\Windows\System\spoolsv.exe
  Filesize: 2.2MB
  MD5: a6235ecfe096e9dd084aad0c8aa7e9b7
  SHA1: 16339d1d7ce021542d0ed39a056f3c3dea347ee0
  SHA256: 7a95e99f60906ccd45957e2ae305b244757656ee0e169b1926b8425464036740
  SHA512: 43354222116a78266ce2451227597a1f7b2f9027f00489edfc2bb12006baab3e3cf12a6cbf6f859c180a4559211f36763bc0e77bad85d171d0bf46aa737a03f5
- memory/396-2252-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/404-2355-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/636-1009-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/636-94-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/692-2342-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/696-5533-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/740-2345-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/740-2527-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/740-95-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/740-90-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/812-5884-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/812-5881-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1168-2878-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1224-2576-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1300-1213-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1344-2402-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1472-2758-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1476-3946-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1480-3140-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1568-5806-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1580-2556-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1580-2553-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1604-2748-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1680-2045-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1696-6007-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1696-6184-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1752-4865-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1780-2044-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/1816-79-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1816-77-0x0000000000440000-0x0000000000509000-memory.dmp (Filesize: 804KB)
- memory/1816-41-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1816-39-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1820-5447-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1916-4157-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/1916-4302-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2132-2620-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2172-2462-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2176-1450-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2228-2343-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2320-3220-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2320-3224-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2532-3856-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2532-3759-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2712-5666-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2724-2396-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2764-2423-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2764-1212-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/2948-1449-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3080-2545-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3080-2715-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3084-4553-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3116-6203-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3132-5348-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3132-5352-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3136-5553-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3248-2566-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3300-6018-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3412-42-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3412-36-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3412-38-0x0000000000890000-0x0000000000891000-memory.dmp (Filesize: 4KB)
- memory/3412-0-0x0000000000890000-0x0000000000891000-memory.dmp (Filesize: 4KB)
- memory/3500-1635-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3640-1839-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/3664-5561-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3740-2799-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3740-2794-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3892-2973-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3892-2969-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3928-3310-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3968-3405-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/3980-2475-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4020-2253-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4024-1211-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4024-2357-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4124-1451-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4144-2787-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4244-3150-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4432-1634-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4436-3320-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4436-3323-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4440-1840-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4472-4241-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4472-4249-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4480-5127-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4480-5260-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4484-2346-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4484-1010-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4508-5435-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4512-2356-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4548-5749-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4576-2961-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4576-3073-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4580-3445-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4580-3294-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4600-2251-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4648-2768-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4732-4993-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4732-4989-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4804-4655-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4812-5790-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4856-2046-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/4936-5674-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/5004-1452-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/5032-1838-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/5044-2354-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
- memory/5092-3277-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/5100-1633-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)