Analysis
Max time kernel: 147s
Max time network: 131s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14-06-2024 09:33

Behavioral task: behavioral1
Sample: a8fc9c0d68e41a0b67693782c074ffeb_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: a8fc9c0d68e41a0b67693782c074ffeb_JaffaCakes118.exe
Size: 2.2MB
MD5: a8fc9c0d68e41a0b67693782c074ffeb
SHA1: f40838de9bfa413f02cc28d63b579197fabff425
SHA256: 3ebc898422516cb9bfe92e040ec5ff7f51dccea7e596a8bfd445ad9b55c09840
SHA512: e6b1a1fd0faad261a0f6cb87255c9093c1fcd5aa70e44d71c99d370591da4a6be69cc26e97fbe89aded01ea8fb8ebc452b5d475ef4390a27ee2ede27f045aa5d
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZR:0UzeyQMS4DqodCnoe+iitjWww1
Malware Config
Extracted family: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: explorer.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Process: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Process: explorer.exe
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
Drops startup file (2 IoCs)
Process: a8fc9c0d68e41a0b67693782c074ffeb_JaffaCakes118.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8fc9c0d68e41a0b67693782c074ffeb_JaffaCakes118.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8fc9c0d68e41a0b67693782c074ffeb_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: explorer.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
Suspicious use of SetThreadContext (56 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: explorer.exe
- pid 4024 explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8fc9c0d68e41a0b67693782c074ffeb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8fc9c0d68e41a0b67693782c074ffeb_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\a8fc9c0d68e41a0b67693782c074ffeb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8fc9c0d68e41a0b67693782c074ffeb_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵
-
\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\explorer.exe (depth 8), command line: "c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"
- Suspicious use of SetWindowsHookEx

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe
- Suspicious use of SetThreadContext

\??\c:\windows\system\explorer.exe (depth 8), command line: "c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\explorer.exe (depth 8), command line: "c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe (depth 8), command line: "c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Suspicious use of SetThreadContext
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe (depth 7), command line: c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe (depth 6), command line: "c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE
- Drops file in Windows directory

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe (depth 5), command line: c:\windows\system\spoolsv.exe SE

C:\Windows\system32\svchost.exe (depth 1), command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3584,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:8
Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads

- C:\Windows\Parameters.ini
  Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

- C:\Windows\System\explorer.exe
  Filesize: 2.2MB
  MD5: 28f2b817136bbfba76daefe70caf6b93
  SHA1: 88f101ec1e7359d130e4efd02ed5ecdfb8e01ed1
  SHA256: e00a2a9182a5a9dc713a1b22409336bfd74b283f88c94cf36e3b307ef8dca174
  SHA512: 85b55652423c38caa66a0ce7613ef6219ad578fd41297001e8d42f560e40d0a84430b7eac0e8c655f44a6c79d14db3cdbb43a46e8c38a3c5aedc64d78cc721ce

- C:\Windows\System\spoolsv.exe
  Filesize: 2.2MB
  MD5: b4a00253eeb0c86c3f7e4184f79c8c94
  SHA1: 7eb07bc05a75a967acf4935679aaf3cd9f6a986f
  SHA256: 691b44db0c36006e5843e4356c96b69a697fda10fcd836d86c2c06a9ae73f234
  SHA512: 0ada1156e41b09567646da84c85dcd3338b4173995a653bf7b105d1deaca357ca62e786e8268e625cf84e77dbf52e6fc24971bff1f0c096434ea0f484e3a8b10