Analysis
- max time kernel: 150s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-08-2024 03:15

Static task: static1

Behavioral task: behavioral1
- Sample: ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
- Resource: win10v2004-20240802-en

General
- Target: ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
- Size: 273KB
- MD5: ba23e051091480c533eb482ff49ebc0e
- SHA1: b82668bfee84196c5c829c8ec737c12b8c16a213
- SHA256: 73201834b1e50cb3d4468938b1d7e1c44098de86271cb2859aaea4741012e448
- SHA512: 928e40141132127663f92e5500a98245be5cf6c370110e514070aeb959a42b2e5bd4be53b0ecff7977ec298634e1e9977c6973f87efd2a0bcd9b9e70662d3b03
- SSDEEP: 6144:irAI/sHAeQFp9cgFa8MrVg9yGVvEF0CgckbVPyBS6ABkJyyC01:gAI/slJC9ywE0Nc0FyI6Skwh0
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation spools.exe
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 64 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Spools Service Controller = "C:\\Windows\\system32\\spools.exe" spools.exe
Drops file in System32 directory (64 IoCs)
description ioc Process
File opened for modification C:\Windows\SysWOW64\spools.exe spools.exe
File created C:\Windows\SysWOW64\spools.exe spools.exe
File opened for modification C:\Windows\SysWOW64\spools.exe ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe
Suspicious use of SetThreadContext (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ba23e051091480c533eb482ff49ebc0e_JaffaCakes118.exe"2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3272 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2308 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2964 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4172 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2160 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3016 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"20⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1384 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4548 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3700 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1988 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2320 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4516 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1960 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4932 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3812 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5064 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4632 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4828 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1232 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"34⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1264 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3440 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3908 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:452 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:388 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4092 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3812 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1196 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1168 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"46⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2440 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2924 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3124 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1048 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2572 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3584 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1308 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3496 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"54⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5112 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4416 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1060 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"58⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4424 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3000 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3612 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3080 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4304 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5048 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3988 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"66⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:944 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"67⤵
- Suspicious use of SetThreadContext
PID:2232 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"68⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1584 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"69⤵
- Suspicious use of SetThreadContext
PID:4416 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"70⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4652 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"71⤵
- Suspicious use of SetThreadContext
PID:1156 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"72⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5104 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"73⤵
- Suspicious use of SetThreadContext
PID:1712 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4976 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"75⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"76⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4136 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"77⤵
- Suspicious use of SetThreadContext
PID:4948 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"78⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2844 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"79⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"80⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4472 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"81⤵
- Suspicious use of SetThreadContext
PID:4092 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"82⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3672 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"83⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3584 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"84⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3512 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"85⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3688 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"86⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4928 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"87⤵
- Suspicious use of SetThreadContext
PID:676 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"88⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1588 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"89⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"90⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2240 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"91⤵
- Suspicious use of SetThreadContext
PID:2444 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"92⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1580 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"93⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"94⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1576 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"95⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"96⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3148 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"97⤵
- Suspicious use of SetThreadContext
PID:2408 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"98⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:396 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"99⤵
- Suspicious use of SetThreadContext
PID:448 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\SysWOW64\spools.exe"100⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1724 -
C:\Windows\SysWOW64\spools.exe"C:\Windows\system32\spools.exe"101⤵
- Suspicious use of SetThreadContext
PID:3900
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 102⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3848
C:\Windows\SysWOW64\spools.exe "C:\Windows\system32\spools.exe" 103⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4424
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 104⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1988
C:\Windows\SysWOW64\spools.exe "C:\Windows\system32\spools.exe" 105⤵
- Suspicious use of SetThreadContext
PID:648
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 106⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4864
C:\Windows\SysWOW64\spools.exe "C:\Windows\system32\spools.exe" 107⤵
- Suspicious use of SetThreadContext
PID:2156
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2672
C:\Windows\SysWOW64\spools.exe "C:\Windows\system32\spools.exe" 109⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1772
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 110⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:448
C:\Windows\SysWOW64\spools.exe "C:\Windows\system32\spools.exe" 111⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1724
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 112⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4440
C:\Windows\SysWOW64\spools.exe "C:\Windows\system32\spools.exe" 113⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3904
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 114⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2204
C:\Windows\SysWOW64\spools.exe "C:\Windows\system32\spools.exe" 115⤵
- Suspicious use of SetThreadContext
PID:4416
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 116⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3032
C:\Windows\SysWOW64\spools.exe "C:\Windows\system32\spools.exe" 117⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3248
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 118⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3436
C:\Windows\SysWOW64\spools.exe "C:\Windows\system32\spools.exe" 119⤵
- Suspicious use of SetThreadContext
PID:2688
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 120⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:776
C:\Windows\SysWOW64\spools.exe "C:\Windows\system32\spools.exe" 121⤵
- Suspicious use of SetThreadContext
PID:4420
C:\Windows\SysWOW64\spools.exe "C:\Windows\SysWOW64\spools.exe" 122⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3104