Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/04/2024, 21:15

General

  • Target

    001795a3ef48c4087944786735b2757d_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    001795a3ef48c4087944786735b2757d

  • SHA1

    11f83d76658d51e7ccb8ac04bc918a0527f1b29d

  • SHA256

    5ebd7cd6db36a110758dfec2d9d7b813f8d9d6212c82ae32764cd9af65520d55

  • SHA512

    cd335858c96360beedfdc9b66e418529e5f22460e397695c5e031df2eef00df56bb81d749e1059857f552c1417d541d36f03cf28dfb40b8f900c06f8d59bc4ba

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZl:0UzeyQMS4DqodCnoe+iitjWwwJ

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 44 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\001795a3ef48c4087944786735b2757d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\001795a3ef48c4087944786735b2757d_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4324
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
        PID:3172
      • C:\Users\Admin\AppData\Local\Temp\001795a3ef48c4087944786735b2757d_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\001795a3ef48c4087944786735b2757d_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4220
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2848
          • \??\c:\windows\system\explorer.exe
            "c:\windows\system\explorer.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4296
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:960
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:5628
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:4324
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2064
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:6064
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:916
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:6140
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2736
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4956
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4248
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:5524
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3956
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:6024
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4704
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:5760
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2080
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1236
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1656
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2896
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3196
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1356
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:3412
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:5024
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4400
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:5936
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3124
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:6044
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:948
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:6108
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4804
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1168
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4608
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:5900
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2912
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4760
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5028
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:684
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1492
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:5256
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1556
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:5164
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2272
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:5412
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:4768
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:5316
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4132
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:4320
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4284
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:2380
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2852
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:3484
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2000
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:2460
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2560
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:4392
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:5188
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:4964
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:5560
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:3284
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5884
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:5080
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:392
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:5092
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5472
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:5512
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5784
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:3392
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1900
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:5624
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4024
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:3568
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5844
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:4224
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5244
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:4100
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5752
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:5376
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5184
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:1984
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5680
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:4092
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3220
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:5300
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:5644
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                PID:2904
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Drops file in Windows directory
                  PID:4352
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:5956
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:5140
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:2696
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:872
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:5716
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:6084
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:448
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:4980
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              PID:5728
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:60
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:6120
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:1876
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:3784
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:1020
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:2520
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:656
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:4208
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:3280
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:3808
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:812
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:5688
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:3684
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              PID:5580
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              PID:5808
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              PID:5912
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              PID:4908
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              PID:5788
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              PID:1864
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:1600

                                            Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Windows\Parameters.ini
                                                    Filesize: 74B
                                                    MD5: 6687785d6a31cdf9a5f80acb3abc459b
                                                    SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
                                                    SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
                                                    SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

                                                  • C:\Windows\System\explorer.exe
                                                    Filesize: 2.2MB
                                                    MD5: 2dc9648a887832a1356c7380bbb7b058
                                                    SHA1: fe2afed460b5821d7aed38a768a8576a6e02c2cb
                                                    SHA256: b4f8f562d5fca690b48c52b889e4cf629d2c4d6f954f14504f4aa07e26b896ec
                                                    SHA512: 0e93c76ec15d7e97432b3c9773498a07137f40a7fbca76c17eb8d043e6c517ba340c45eb68ded187ab4eac40ae93ebc85c91c87476f6a8517b55f214d045de7d

                                                  • C:\Windows\System\spoolsv.exe
                                                    Filesize: 2.2MB
                                                    MD5: 7a3112ce72dfcb7ef13154732d480221
                                                    SHA1: 6d59a0b7c70128a73bfa2a2bf318b2f2b3b33142
                                                    SHA256: b9961cce3a7ea2264ddfcb2998998d886c8d4ba74e26b389b2ab0fd339dbe934
                                                    SHA512: bb8bbd469389bb14a5e3cb8003ba097cfd88a6c7b1ef58dfa312108365fd7bef60773bbd83f03faa262c891d50978ba35386cd898bfe4225c633d7cabade2cc0
