Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 09:23

Behavioral task
behavioral1
Sample: a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe
Resource: win7-20240611-en

General
Target: a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe
Size: 2.2MB
MD5: a8f418a721f272ef9b433302795a4270
SHA1: e4aaeca93b6e140818b22d5090ce8d3d47b7700b
SHA256: 8a890299aeceb10eca967274cee761c743adccf0f75a2b5057bbf78e450960cc
SHA512: 9c7c586e30806c49208ef85a94f165e63a5426d38883b4b67c47ca1812fbf5e799c14cdf66bdd922643ee122965b7044c10397527df4f49fc1efc2583b61d436
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZs:0UzeyQMS4DqodCnoe+iitjWwww
Malware Config

Extracted
  Family: pony
  C2: http://don.service-master.eu/gate.php
  payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  process: explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"

Modifies visibility of hidden/system files in Explorer  (2 TTPs, 1 IoC)
  process: explorer.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Modifies Installed Components in the registry  (2 TTPs, 2 IoCs)
  process: explorer.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"

Drops startup file  (2 IoCs)
  process: a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe

Executes dropped EXE  (64 IoCs)
  pid / process, in the order recorded:
  3408 explorer.exe, 4876 explorer.exe, 220 spoolsv.exe, 4856 spoolsv.exe, 1308 spoolsv.exe, 3488 spoolsv.exe, 3104 spoolsv.exe, 1672 spoolsv.exe, 2576 spoolsv.exe, 4332 spoolsv.exe, 4496 spoolsv.exe, 1624 spoolsv.exe, 1908 spoolsv.exe, 3984 spoolsv.exe, 1832 spoolsv.exe, 1516 spoolsv.exe, 2760 spoolsv.exe, 4800 spoolsv.exe, 2512 spoolsv.exe, 4540 spoolsv.exe, 4208 spoolsv.exe, 1032 spoolsv.exe, 4836 spoolsv.exe, 2540 spoolsv.exe, 4852 spoolsv.exe, 2156 spoolsv.exe, 116 spoolsv.exe, 4752 spoolsv.exe, 3416 spoolsv.exe, 2684 spoolsv.exe, 1836 spoolsv.exe, 3016 spoolsv.exe, 1824 spoolsv.exe, 924 spoolsv.exe, 4700 explorer.exe, 1972 spoolsv.exe, 4964 spoolsv.exe, 3236 spoolsv.exe, 3400 spoolsv.exe, 488 spoolsv.exe, 3020 spoolsv.exe, 4756 spoolsv.exe, 2712 explorer.exe, 5044 spoolsv.exe, 3812 spoolsv.exe, 3724 spoolsv.exe, 4960 spoolsv.exe, 648 explorer.exe, 1340 spoolsv.exe, 2280 spoolsv.exe, 3244 spoolsv.exe, 900 spoolsv.exe, 3928 spoolsv.exe, 2284 spoolsv.exe, 396 explorer.exe, 2548 spoolsv.exe, 1076 spoolsv.exe, 4776 spoolsv.exe, 916 spoolsv.exe, 4288 spoolsv.exe, 2324 explorer.exe, 4072 spoolsv.exe, 2040 spoolsv.exe, 5032 spoolsv.exe

Adds Run key to start application  (2 TTPs, 2 IoCs)
  process: explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
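The Winlogon Shell, ShowSuperHidden, Active Setup StubPath and RunOnce rows above are the persistence footprint of this run, and each one is checkable against a known default or a known genuine location. The script below is an added example, not code from the sandbox or from the sample: it parses "Set value" rows in the report's format (the sample rows are copied from the signatures above, plus one constructed benign Run entry as a control) and flags them with rules a responder would apply. The rules and the table of where explorer.exe, svchost.exe and spoolsv.exe genuinely live are this example's assumptions: a Winlogon Shell value with anything beyond explorer.exe, ShowSuperHidden set to 0, any Active Setup StubPath (with a note when the component id is not a hex GUID, as {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} is not), and Run/RunOnce commands whose executable borrows a Windows binary's name from the wrong directory (c:\windows\system is not where explorer.exe or svchost.exe live).

```python
"""Flag the registry-based persistence seen in this report.

Added example for this page, not code from the sandbox or from the Pony sample.
SAMPLE_RECORDS is constructed from the report's own 'Set value' rows plus one
constructed benign Run entry as a control; the default-value rules and the
GENUINE path table are assumptions a responder brings to the data.
"""
import re
from dataclasses import dataclass

SAMPLE_RECORDS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe
'''

# Assumed allow-list: where a binary with this file name legitimately lives.
GENUINE = {
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
    "spoolsv.exe": {r"c:\windows\system32\spoolsv.exe"},
}

# Row layout as the sandbox prints it: Set value (type) <key path> = "<data>" <process>
_ROW = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
# Active Setup component ids are GUIDs: 8-4-4-4-12 hex digits in braces.
_HEX_GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


@dataclass
class RegWrite:
    kind: str      # value type as printed (str / int)
    key: str       # full key path; the value name is its last component
    data: str      # value data with the report's doubled backslashes collapsed
    process: str   # process that performed the write


def parse_set_values(text):
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            kind, key, data, proc = m.groups()
            rows.append(RegWrite(kind, key, data.replace("\\\\", "\\"), proc))
    return rows


def first_token(command):
    """Executable path of a Run/StubPath style command: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def masquerade(path):
    """Genuine locations if `path` borrows a Windows binary's name but sits elsewhere, else None."""
    p = path.strip().lower()
    genuine = GENUINE.get(p.rsplit("\\", 1)[-1])
    if genuine and p not in genuine:
        return sorted(genuine)
    return None


def audit(rows):
    """Return (rule, process, detail) findings for the persistence rules described above."""
    findings = []
    for r in rows:
        key = r.key.lower()
        name = key.rsplit("\\", 1)[-1]
        if key.endswith(r"\winlogon\shell"):
            # Default Shell is exactly explorer.exe; each extra comma-separated entry
            # is another program Winlogon starts at logon.
            extra = [p.strip() for p in r.data.split(",")
                     if p.strip().lower() not in ("explorer.exe", r"c:\windows\explorer.exe")]
            if extra:
                findings.append(("winlogon_shell_append", r.process, "; ".join(extra)))
        elif name == "showsuperhidden" and r.data == "0":
            findings.append(("hide_system_files", r.process, r.key))
        elif "\\active setup\\installed components\\" in key and name == "stubpath":
            component = r.key.rsplit("\\", 2)[-2]
            detail = r.data
            if not _HEX_GUID.match(component):
                detail += f" (component id {component} is not a hex GUID)"
            findings.append(("active_setup_stubpath", r.process, detail))
        elif "\\currentversion\\run" in key:          # Run and RunOnce
            exe = first_token(r.data)
            genuine = masquerade(exe)
            if genuine:
                findings.append(("run_key_masquerade", r.process, f"{exe} imitates {' or '.join(genuine)}"))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in audit(parse_set_values(SAMPLE_RECORDS)):
        print(f"{rule:<24} {proc:<14} {detail}")
```

The constructed SecurityHealth control row produces no finding, which is the point of the allow-list: a bare "Run key was written" rule would fire on it, while checking the executable's directory against where that file name genuinely lives does not. The same parser runs on any sandbox report in this row format; on a live host the equivalent is reading those five locations from the registry and feeding the values through audit().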
Suspicious use of SetThreadContext  (55 IoCs)
  Each row in the report reads "PID <source> set thread context of <target>"; in every case the target runs the same image as the source.
  a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe -> a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe: 1004->4924
  explorer.exe -> explorer.exe: 3408->4876, 4700->1952, 2712->4832, 648->4872, 396->4972, 2324->1060, 548->3912, 1888->1416, 1440->3188, 4236->4984
  spoolsv.exe -> spoolsv.exe: 220->924, 4856->1972, 1308->4964, 3488->3236, 3104->3400, 1672->488, 2576->4756, 4332->5044, 4496->3812, 1624->4960, 1908->1340, 3984->2280, 1832->3244, 1516->900, 2760->2284, 4800->2548, 2512->1076, 4540->4776, 4208->4288, 1032->4072, 4836->2040, 2540->5032, 4852->2496, 2156->544, 116->5116, 4752->4372, 3416->2252, 2684->404, 1836->3832, 3016->1852, 1824->2072, 3020->2796, 3724->3216, 3928->540, 916->8, 4140->2488, 4908->3236, 4500->1084, 4828->1224, 4792->1464, 2492->1320, 4108->4356, 1424->3728, 2732->5060

Drops file in Windows directory  (64 IoCs, grouped by file and process)
  File opened for modification  C:\Windows\Parameters.ini            spoolsv.exe (47 rows), explorer.exe (12 rows), a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe (1 row)
  File opened for modification  \??\c:\windows\system\explorer.exe   a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe, explorer.exe
  File opened for modification  \??\c:\windows\system\spoolsv.exe    explorer.exe
  File opened for modification  C:\Windows\system\udsys.exe          explorer.exe

Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  pid / process: 4924 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe (2 rows), 4876 explorer.exe (62 rows)

Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  pid / process: 4876 explorer.exe

Suspicious use of SetWindowsHookEx  (64 IoCs)
  pid / process: 4924 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe (2 rows); 4876 explorer.exe (4 rows); spoolsv.exe, 2 rows each: 924, 1972, 4964, 3236, 3400, 488, 4756, 5044, 3812, 4960, 1340, 2280, 3244, 900, 2284, 2548, 1076, 4776, 4288, 4072, 2040, 5032, 2496, 544, 5116, 4372, 2252, 404, 3832

Suspicious use of WriteProcessMemory  (64 IoCs)
  Each row in the report reads "PID <source> wrote to memory of <target>"; rows are grouped here by source -> target.
  1004 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe -> 4880 splwow64.exe: 2 rows
  1004 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe -> 4924 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe: 5 rows
  4924 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe -> 3408 explorer.exe: 3 rows
  3408 explorer.exe -> 4876 explorer.exe: 5 rows
  4876 explorer.exe -> spoolsv.exe, 3 rows each: 220, 4856, 1308, 3488, 3104, 1672, 2576, 4332, 4496, 1624, 1908, 3984, 1832, 1516, 2760, 4800
  4876 explorer.exe -> 2512 spoolsv.exe: 1 row (the listing stops at 64 rows)
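Read together, the SetThreadContext and WriteProcessMemory tables show the RunPE pattern: each stage writes into a child that runs its own image and then redirects that child's primary thread (1004->4924 for the sample, 3408->4876 for the dropped explorer.exe, every spoolsv.exe "SE" parent into its quoted child), while writes into a differently named child (splwow64.exe, the first c:\windows\system\explorer.exe, each spoolsv.exe launched by 4876) carry no thread-context change and are ordinary spawns. The script below is an added example, not code from the sandbox or from the sample; its input rows are copied from the two tables above (only the first spoolsv.exe child, 220->924, is included), and the verdict labels are this example's own. The pre-order lineage it prints matches the process tree further down the page.

```python
"""Reconstruct the process-hollowing lineage from SetThreadContext and
WriteProcessMemory rows in the sandbox's row format.

Added example for this page, not code from the sandbox or the Pony sample.
SAMPLE_EVENTS is constructed from the report's own rows (a subset: the first
spoolsv.exe child only); the verdict labels are this example's own naming.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_EVENTS = """
PID 1004 wrote to memory of 4880 1004 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe splwow64.exe
PID 1004 wrote to memory of 4924 1004 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe
PID 1004 wrote to memory of 4924 1004 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe
PID 1004 set thread context of 4924 1004 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe
PID 4924 wrote to memory of 3408 4924 a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe explorer.exe
PID 3408 wrote to memory of 4876 3408 explorer.exe explorer.exe
PID 3408 set thread context of 4876 3408 explorer.exe explorer.exe
PID 4876 wrote to memory of 220 4876 explorer.exe spoolsv.exe
PID 220 set thread context of 924 220 spoolsv.exe spoolsv.exe
"""

# Row layout: PID <src> <verb> <dst> <src again> <src image> <dst image>
_EVT = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)$")


@dataclass
class Event:
    src: int
    kind: str        # "write" (WriteProcessMemory) or "context" (SetThreadContext)
    dst: int
    src_image: str
    dst_image: str


@dataclass
class PairVerdict:
    src: int
    dst: int
    src_image: str
    dst_image: str
    writes: int      # number of WriteProcessMemory rows for this pair
    context: bool    # whether a SetThreadContext row exists for this pair
    verdict: str


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = _EVT.match(line.strip())
        if m:
            src, verb, dst, si, di = m.groups()
            kind = "context" if verb.startswith("set") else "write"
            events.append(Event(int(src), kind, int(dst), si, di))
    return events


def classify_pairs(events):
    """One verdict per (writer, target) pair.

    self-hollowing: SetThreadContext into a child running the writer's own image,
    the classic RunPE sequence (spawn self suspended, write payload, redirect the
    primary thread). A write with no context change is treated as a plain spawn.
    """
    pairs = {}
    for e in events:
        p = pairs.setdefault((e.src, e.dst),
                             {"writes": 0, "context": False, "si": e.src_image, "di": e.dst_image})
        if e.kind == "write":
            p["writes"] += 1
        else:
            p["context"] = True
    out = []
    for (src, dst), p in pairs.items():
        same_image = p["si"].lower() == p["di"].lower()
        if p["context"] and same_image:
            verdict = "self-hollowing"
        elif p["context"]:
            verdict = "thread-context-other-image"
        else:
            verdict = "memory-write-only"
        out.append(PairVerdict(src, dst, p["si"], p["di"], p["writes"], p["context"], verdict))
    return out


def lineage(events, root):
    """Pre-order walk of writer -> target edges from `root`, as (depth, pid, image)."""
    children = defaultdict(list)
    image = {}
    for e in events:
        image.setdefault(e.src, e.src_image)
        image.setdefault(e.dst, e.dst_image)
        if e.dst not in children[e.src]:
            children[e.src].append(e.dst)
    out, seen = [], set()

    def walk(pid, depth):
        if pid in seen:              # guard against PID reuse creating a cycle
            return
        seen.add(pid)
        out.append((depth, pid, image.get(pid, "?")))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return out


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    for v in classify_pairs(ev):
        print(f"{v.src:>5} -> {v.dst:<5} {v.src_image} -> {v.dst_image}: {v.verdict} (writes={v.writes})")
    for depth, pid, img in lineage(ev, 1004):
        print("  " * depth + f"{pid} {img}")
```

The pair 220->924 shows why the verdict keys on SetThreadContext rather than on writes: the WriteProcessMemory table stops at 64 rows before reaching that pair, so its write count is 0 in the sample, yet the thread-context row alone is enough to call it hollowing. Conversely 1004->4880 (splwow64.exe) has writes but no context change and stays a plain spawn.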
Processes
(one entry per process, indented by depth in the tree; "cmd:" is the command line the sandbox recorded)

C:\Users\Admin\AppData\Local\Temp\a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe
    cmd: C:\Windows\splwow64.exe 12288
  C:\Users\Admin\AppData\Local\Temp\a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\a8f418a721f272ef9b433302795a4270_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\explorer.exe
      cmd: c:\windows\system\explorer.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\explorer.exe
        cmd: "c:\windows\system\explorer.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe
              cmd: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe
                cmd: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe
              cmd: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe
                cmd: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe
              cmd: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe
                cmd: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe
              cmd: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe
                cmd: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe
              cmd: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe
                cmd: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            \??\c:\windows\system\explorer.exe
              cmd: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe
                cmd: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
            \??\c:\windows\system\explorer.exe
              cmd: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              \??\c:\windows\system\explorer.exe
                cmd: "c:\windows\system\explorer.exe"
        \??\c:\windows\system\spoolsv.exe
          cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          \??\c:\windows\system\spoolsv.exe
            cmd: "c:\windows\system\spoolsv.exe"
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Downloads
-
C:\Windows\Parameters.ini
Filesize 74B
MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
C:\Windows\Parameters.ini
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\System\explorer.exe
Filesize 2.2MB
MD5 6967f552daf2949e1881eb648e07acb1
SHA1 d67c52e96f8d604b908703eed924de4bd477a87a
SHA256 82729429da8b815018434250382005e42dba14f1f6ac97e22f22fbd52b397acc
SHA512 138b69a1e17ffee49d2ce37eb553c649af78c6f7960b85d631cca5c5fb73672c981b34d13631bdbca1391f4c4565e3ff5b1354c356c455c1b72ec00d0d36f138
-
C:\Windows\System\spoolsv.exe
Filesize 2.2MB
MD5 3fec37476c9a3ca01ec837253281e8af
SHA1 c38f81d480bd0f0f14d16e0b5ecbf5c20f69510b
SHA256 52d1313936e8dce85705fa4f050a6825fb16173bffa0f0ab2156bb191703450b
SHA512 29b4d71f53b72418b6221420568c18b79b036cfbfa2dee4d9424d45bdd981dc39affe001c2788f79140d9c46668b2dc720537c58bd17eb40893d72e88215f77b
-
memory/8-4503-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/8-4652-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/220-2047-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/220-916-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/404-3029-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/488-2102-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/540-4084-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/540-4212-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/544-2902-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/900-2490-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/924-2046-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/924-2248-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1004-33-0x0000000002250000-0x0000000002251000-memory.dmpFilesize
4KB
-
memory/1004-0-0x0000000002250000-0x0000000002251000-memory.dmpFilesize
4KB
-
memory/1004-31-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1004-39-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1032-2045-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1060-4567-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1076-2646-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1076-2648-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1084-4937-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1084-4939-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1224-4994-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1224-4990-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1308-1058-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1308-2070-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1320-5164-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1340-2458-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1416-4927-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1464-5219-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1464-5078-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1516-1699-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1624-1405-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1672-1216-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1832-1698-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1852-3271-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1852-3153-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1908-1563-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1952-3504-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1972-2055-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1972-2059-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2040-2807-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2072-3597-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2280-2468-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2284-2771-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2284-2629-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2488-4979-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2496-2827-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2512-1885-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2540-2066-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2548-2637-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2576-1217-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2760-1700-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2796-3615-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2796-3747-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3104-1215-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/3188-5221-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3216-3998-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3236-2081-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3236-4914-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3244-2479-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3400-2094-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3400-2090-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3408-96-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/3408-101-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/3488-2078-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/3488-1079-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/3728-5327-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3812-2286-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3832-3041-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3912-4826-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/3984-1564-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/4072-2798-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4208-2044-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/4288-2955-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4288-2790-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4332-1403-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/4356-5307-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4496-1404-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/4540-1886-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/4756-2257-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4756-2396-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4800-1884-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/4832-3625-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4836-2054-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/4856-2056-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/4856-1057-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/4872-3879-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4876-915-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4876-100-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4924-90-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4924-88-0x0000000000440000-0x0000000000509000-memory.dmpFilesize
804KB
-
memory/4924-37-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4924-34-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4960-2449-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4960-2564-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4964-2072-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4964-2067-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4972-4093-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4972-4095-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4984-5318-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/5044-2275-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/5116-3006-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/5116-3124-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB