pony | b28dd3a787364975e6f6fb47c2497c765b9015b2d595033dc934fd09430d5ad4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
Size

2.2MB
MD5

0421728aa1023b96c1ac4f2b649d4cd0
SHA1

1b99703d1c8afbd8d5cfcea3edf8f4be23d8945c
SHA256

b28dd3a787364975e6f6fb47c2497c765b9015b2d595033dc934fd09430d5ad4
SHA512

ac024c23ea808a93155563507e5657e2b4fb0f90f76e44e2db423c60b7df5724f729c5317ca1f59329f6138d1560bcac4000b1dd4c0d98ad18f845d9af677ea6
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZA:0UzeyQMS4DqodCnoe+iitjWww8

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

pid	process
3516	explorer.exe
3764	explorer.exe
4136	spoolsv.exe
2372	spoolsv.exe
3596	spoolsv.exe
4548	spoolsv.exe
4676	spoolsv.exe
1036	spoolsv.exe
4456	spoolsv.exe
4728	spoolsv.exe
1456	spoolsv.exe
2832	spoolsv.exe
372	spoolsv.exe
388	spoolsv.exe
3584	spoolsv.exe
4588	spoolsv.exe
544	spoolsv.exe
404	spoolsv.exe
3812	spoolsv.exe
1408	spoolsv.exe
3196	spoolsv.exe
452	spoolsv.exe
1248	spoolsv.exe
4420	spoolsv.exe
4508	spoolsv.exe
4884	spoolsv.exe
4840	spoolsv.exe
1716	spoolsv.exe
60	spoolsv.exe
2952	spoolsv.exe
3060	spoolsv.exe
1256	spoolsv.exe
2672	spoolsv.exe
3476	spoolsv.exe
3256	spoolsv.exe
3032	spoolsv.exe
2396	spoolsv.exe
3308	spoolsv.exe
3416	explorer.exe
3604	spoolsv.exe
3992	spoolsv.exe
1592	spoolsv.exe
4912	spoolsv.exe
4140	spoolsv.exe
2380	spoolsv.exe
432	spoolsv.exe
1884	spoolsv.exe
224	spoolsv.exe
4040	explorer.exe
3772	spoolsv.exe
376	spoolsv.exe
2972	spoolsv.exe
3976	spoolsv.exe
3652	spoolsv.exe
3288	spoolsv.exe
4836	spoolsv.exe
3968	spoolsv.exe
2328	spoolsv.exe
4908	spoolsv.exe
2156	spoolsv.exe
208	spoolsv.exe
1032	explorer.exe
3636	spoolsv.exe
2456	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 61 IoCs

Processes:

0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

description	pid	process	target process
PID 4964 set thread context of 744	4964	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
PID 3516 set thread context of 3764	3516	explorer.exe	explorer.exe
PID 4136 set thread context of 3308	4136	spoolsv.exe	spoolsv.exe
PID 2372 set thread context of 3604	2372	spoolsv.exe	spoolsv.exe
PID 3596 set thread context of 3992	3596	spoolsv.exe	spoolsv.exe
PID 4548 set thread context of 1592	4548	spoolsv.exe	spoolsv.exe
PID 4676 set thread context of 4140	4676	spoolsv.exe	spoolsv.exe
PID 1036 set thread context of 2380	1036	spoolsv.exe	spoolsv.exe
PID 4456 set thread context of 432	4456	spoolsv.exe	spoolsv.exe
PID 4728 set thread context of 1884	4728	spoolsv.exe	spoolsv.exe
PID 1456 set thread context of 224	1456	spoolsv.exe	spoolsv.exe
PID 2832 set thread context of 3772	2832	spoolsv.exe	spoolsv.exe
PID 372 set thread context of 376	372	spoolsv.exe	spoolsv.exe
PID 388 set thread context of 2972	388	spoolsv.exe	spoolsv.exe
PID 3584 set thread context of 3976	3584	spoolsv.exe	spoolsv.exe
PID 4588 set thread context of 3652	4588	spoolsv.exe	spoolsv.exe
PID 544 set thread context of 4836	544	spoolsv.exe	spoolsv.exe
PID 404 set thread context of 3968	404	spoolsv.exe	spoolsv.exe
PID 3812 set thread context of 2328	3812	spoolsv.exe	spoolsv.exe
PID 1408 set thread context of 4908	1408	spoolsv.exe	spoolsv.exe
PID 3196 set thread context of 2156	3196	spoolsv.exe	spoolsv.exe
PID 452 set thread context of 208	452	spoolsv.exe	spoolsv.exe
PID 1248 set thread context of 2456	1248	spoolsv.exe	spoolsv.exe
PID 4420 set thread context of 2060	4420	spoolsv.exe	spoolsv.exe
PID 4508 set thread context of 2272	4508	spoolsv.exe	spoolsv.exe
PID 4884 set thread context of 3956	4884	spoolsv.exe	spoolsv.exe
PID 4840 set thread context of 4312	4840	spoolsv.exe	spoolsv.exe
PID 1716 set thread context of 5084	1716	spoolsv.exe	spoolsv.exe
PID 60 set thread context of 2264	60	spoolsv.exe	spoolsv.exe
PID 2952 set thread context of 708	2952	spoolsv.exe	spoolsv.exe
PID 3060 set thread context of 2468	3060	spoolsv.exe	spoolsv.exe
PID 1256 set thread context of 3792	1256	spoolsv.exe	spoolsv.exe
PID 2672 set thread context of 3856	2672	spoolsv.exe	spoolsv.exe
PID 3476 set thread context of 3844	3476	spoolsv.exe	spoolsv.exe
PID 3256 set thread context of 1852	3256	spoolsv.exe	spoolsv.exe
PID 3032 set thread context of 3372	3032	spoolsv.exe	spoolsv.exe
PID 2396 set thread context of 3612	2396	spoolsv.exe	spoolsv.exe
PID 3416 set thread context of 3548	3416	explorer.exe	explorer.exe
PID 4912 set thread context of 3816	4912	spoolsv.exe	spoolsv.exe
PID 4040 set thread context of 5040	4040	explorer.exe	explorer.exe
PID 3288 set thread context of 1616	3288	spoolsv.exe	spoolsv.exe
PID 1032 set thread context of 4424	1032	explorer.exe	explorer.exe
PID 3636 set thread context of 3252	3636	spoolsv.exe	spoolsv.exe
PID 2524 set thread context of 4232	2524	explorer.exe	explorer.exe
PID 4216 set thread context of 4784	4216	spoolsv.exe	spoolsv.exe
PID 4992 set thread context of 4380	4992	explorer.exe	explorer.exe
PID 1040 set thread context of 4316	1040	spoolsv.exe	spoolsv.exe
PID 1416 set thread context of 228	1416	spoolsv.exe	spoolsv.exe
PID 4204 set thread context of 2128	4204	explorer.exe	explorer.exe
PID 1260 set thread context of 4220	1260	spoolsv.exe	spoolsv.exe
PID 468 set thread context of 2212	468	spoolsv.exe	spoolsv.exe
PID 2292 set thread context of 3068	2292	spoolsv.exe	spoolsv.exe
PID 3460 set thread context of 2920	3460	explorer.exe	explorer.exe
PID 876 set thread context of 3056	876	spoolsv.exe	spoolsv.exe
PID 2192 set thread context of 1800	2192	spoolsv.exe	spoolsv.exe
PID 4832 set thread context of 2184	4832	spoolsv.exe	spoolsv.exe
PID 1316 set thread context of 2216	1316	spoolsv.exe	spoolsv.exe
PID 2332 set thread context of 3280	2332	spoolsv.exe	spoolsv.exe
PID 624 set thread context of 1148	624	spoolsv.exe	spoolsv.exe
PID 5076 set thread context of 1856	5076	spoolsv.exe	spoolsv.exe
PID 4704 set thread context of 528	4704	explorer.exe	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exeexplorer.exe

pid	process
744	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
744	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3764 explorer.exe

pid	process
3764	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
744	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
744	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3764	explorer.exe
3308	spoolsv.exe
3308	spoolsv.exe
3604	spoolsv.exe
3604	spoolsv.exe
3992	spoolsv.exe
3992	spoolsv.exe
1592	spoolsv.exe
1592	spoolsv.exe
4140	spoolsv.exe
4140	spoolsv.exe
2380	spoolsv.exe
2380	spoolsv.exe
432	spoolsv.exe
432	spoolsv.exe
1884	spoolsv.exe
1884	spoolsv.exe
224	spoolsv.exe
224	spoolsv.exe
3772	spoolsv.exe
3772	spoolsv.exe
376	spoolsv.exe
376	spoolsv.exe
2972	spoolsv.exe
2972	spoolsv.exe
3976	spoolsv.exe
3976	spoolsv.exe
3652	spoolsv.exe
3652	spoolsv.exe
4836	spoolsv.exe
4836	spoolsv.exe
3968	spoolsv.exe
3968	spoolsv.exe
2328	spoolsv.exe
2328	spoolsv.exe
4908	spoolsv.exe
4908	spoolsv.exe
2156	spoolsv.exe
2156	spoolsv.exe
208	spoolsv.exe
208	spoolsv.exe
2456	spoolsv.exe
2456	spoolsv.exe
2060	spoolsv.exe
2060	spoolsv.exe
2272	spoolsv.exe
2272	spoolsv.exe
3956	spoolsv.exe
3956	spoolsv.exe
4312	spoolsv.exe
4312	spoolsv.exe
5084	spoolsv.exe
5084	spoolsv.exe
2264	spoolsv.exe
2264	spoolsv.exe
708	spoolsv.exe
708	spoolsv.exe
2468	spoolsv.exe
2468	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 4964 wrote to memory of 4644	4964	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	splwow64.exe
PID 4964 wrote to memory of 4644	4964	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	splwow64.exe
PID 4964 wrote to memory of 744	4964	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
PID 4964 wrote to memory of 744	4964	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
PID 4964 wrote to memory of 744	4964	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
PID 4964 wrote to memory of 744	4964	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
PID 4964 wrote to memory of 744	4964	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
PID 744 wrote to memory of 3516	744	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	explorer.exe
PID 744 wrote to memory of 3516	744	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	explorer.exe
PID 744 wrote to memory of 3516	744	0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe	explorer.exe
PID 3516 wrote to memory of 3764	3516	explorer.exe	explorer.exe
PID 3516 wrote to memory of 3764	3516	explorer.exe	explorer.exe
PID 3516 wrote to memory of 3764	3516	explorer.exe	explorer.exe
PID 3516 wrote to memory of 3764	3516	explorer.exe	explorer.exe
PID 3516 wrote to memory of 3764	3516	explorer.exe	explorer.exe
PID 3764 wrote to memory of 4136	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4136	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4136	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 2372	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 2372	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 2372	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 3596	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 3596	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 3596	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4548	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4548	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4548	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4676	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4676	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4676	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 1036	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 1036	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 1036	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4456	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4456	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4456	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4728	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4728	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4728	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 1456	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 1456	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 1456	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 2832	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 2832	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 2832	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 372	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 372	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 372	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 388	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 388	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 388	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 3584	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 3584	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 3584	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4588	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4588	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 4588	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 544	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 544	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 544	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 404	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 404	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 404	3764	explorer.exe	spoolsv.exe
PID 3764 wrote to memory of 3812	3764	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0421728aa1023b96c1ac4f2b649d4cd0_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3516

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4136

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3308

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3416

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2372

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3596

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4548

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4676

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1036

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4456

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4728

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1456

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:224

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4040

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2832

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:372

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:388

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3584

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4588

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:544

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:404

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3812

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1408

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3196

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:452

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:208

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1032

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1248

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4420

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4508

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4884

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4840

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4312

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2524

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1716

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:60

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2952

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3060

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2468

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
PID:4992

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1256

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2672

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3476

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3256

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3032

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3372

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4204

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2396

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3612

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
PID:3460

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4912

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3816

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4704

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3288

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1616

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3636

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3252

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:4216

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4784

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1040

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4316

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1416

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1260

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:468

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:2292

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3068

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:876

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2192

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4832

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1316

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2216

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:1180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:2332

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:624

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1148

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5076

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3184

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2460

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4116

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
4ff3dbf8ad536d407622010fc76bf2f4

SHA1
389f2cd4ca5d6a4bf2e4aadf93fba125ce4da4c9

SHA256
291a9a03513bc1517eccc643dd9fea664bdce2843dcfc3dfcc408bb6eb99bf02

SHA512
37cc5da07143518f446341cfe3e44034a9ecd28368ed17c70ecb546af8fd319dc066b35fa322bbbe327d2408229aaab32a6758100006cc432a105d27357d55d8

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
9c41a2137bb1236a12ffaa54bddd7da6

SHA1
1995633072deb929c62f0eea695ae2da3f9a440a

SHA256
0291bdfcd9eefc6c580efce7e36f2aade6195480c9cc30fb3d2a1754b31ef669

SHA512
d148f72729038e80d1ddedb24d40dc0c960d1d01c928afa8c42f0fadf44bc8dcb5b9af2a08c07436c0fbd4171f848a3ddabe85a90df9833dc5c05b90f1b08a85

Download Submit
memory/208-2835-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/208-3006-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/224-2810-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/228-5491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/228-5498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/372-1635-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/376-2609-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/388-1858-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/404-2075-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/432-2503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-2506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-2261-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/528-6123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-1861-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/708-3132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1036-1435-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1148-6103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1248-2262-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1408-2077-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1456-1633-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1592-2404-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-4774-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-4647-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1716-2365-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1852-3350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-6113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-2517-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-2513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-5505-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-5797-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-5895-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-3121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-2745-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-1246-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2372-2351-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2380-2493-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-2934-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2468-3222-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2468-3381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-1634-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2920-5712-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2972-2617-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2972-2621-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-5720-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-5871-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-5702-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3196-2260-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3252-4982-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3280-5975-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3308-2556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3308-2348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-3469-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-3572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3516-120-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3516-115-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3548-4002-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3584-1859-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3596-2371-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3596-1247-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3604-2356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3612-3820-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3652-2705-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3764-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3764-1044-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3772-2596-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3772-2599-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3792-3321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3812-2076-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3816-4351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3844-3339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3844-3343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3856-3331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3968-2736-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-2629-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3992-2370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3992-2368-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4136-2343-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4136-1045-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4140-2480-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4220-5594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-5228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-3206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-5484-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-5475-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-2346-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4424-4859-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-1436-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4508-2347-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4532-6141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-1248-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4588-1860-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4676-1249-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4728-1437-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4784-5376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-5267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-2725-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4840-2359-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4884-2358-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4964-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4964-58-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4964-53-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4964-51-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5040-4559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-3114-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-3109-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download