pony | a318d28d5521939e526489bbacc79fbf9ad04dab0a441444f1203012a4a7d8b6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
Size

2.2MB
MD5

046a6b51f587a18a7886e21d45112d4e
SHA1

86bbcf5a75901b14a3c8095f08228f69a6f3c3ec
SHA256

a318d28d5521939e526489bbacc79fbf9ad04dab0a441444f1203012a4a7d8b6
SHA512

c112129eafec3745d0a53f89936a00c1da84e64f99bd4c8131dc4fb6dd1e8797efc7c43e68bc2ebe0f5045f7f5ea37fed77c0e54aa9632354db7d0ea278d6cb0
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZo:0UzeyQMS4DqodCnoe+iitjWwwU

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1712	explorer.exe
316	explorer.exe
4952	spoolsv.exe
2068	spoolsv.exe
3736	spoolsv.exe
1496	spoolsv.exe
2912	spoolsv.exe
2776	spoolsv.exe
1792	spoolsv.exe
3380	spoolsv.exe
1092	spoolsv.exe
2216	spoolsv.exe
4948	spoolsv.exe
4020	spoolsv.exe
3452	spoolsv.exe
792	spoolsv.exe
2584	spoolsv.exe
4056	spoolsv.exe
4460	spoolsv.exe
4540	spoolsv.exe
4520	spoolsv.exe
3408	spoolsv.exe
4296	spoolsv.exe
5116	spoolsv.exe
4712	spoolsv.exe
1036	spoolsv.exe
4632	spoolsv.exe
5076	spoolsv.exe
4912	spoolsv.exe
764	spoolsv.exe
2712	spoolsv.exe
916	spoolsv.exe
4708	spoolsv.exe
1768	spoolsv.exe
1076	spoolsv.exe
4700	spoolsv.exe
1908	spoolsv.exe
4900	spoolsv.exe
4120	spoolsv.exe
4140	spoolsv.exe
1540	explorer.exe
452	spoolsv.exe
1200	spoolsv.exe
852	spoolsv.exe
2296	spoolsv.exe
4628	spoolsv.exe
3120	spoolsv.exe
4904	spoolsv.exe
1004	spoolsv.exe
2192	spoolsv.exe
3068	spoolsv.exe
1884	spoolsv.exe
1632	explorer.exe
2452	spoolsv.exe
1660	spoolsv.exe
3684	spoolsv.exe
1588	spoolsv.exe
552	spoolsv.exe
4812	spoolsv.exe
4336	spoolsv.exe
3732	spoolsv.exe
1188	spoolsv.exe
2472	spoolsv.exe
1684	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 41 IoCs

Processes:

description	pid	process	target process
PID 5056 set thread context of 1028	5056	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
PID 1712 set thread context of 316	1712	explorer.exe	explorer.exe
PID 4952 set thread context of 4140	4952	spoolsv.exe	spoolsv.exe
PID 2068 set thread context of 452	2068	spoolsv.exe	spoolsv.exe
PID 3736 set thread context of 1200	3736	spoolsv.exe	spoolsv.exe
PID 1496 set thread context of 2296	1496	spoolsv.exe	spoolsv.exe
PID 2912 set thread context of 4628	2912	spoolsv.exe	spoolsv.exe
PID 2776 set thread context of 3120	2776	spoolsv.exe	spoolsv.exe
PID 1792 set thread context of 4904	1792	spoolsv.exe	spoolsv.exe
PID 3380 set thread context of 1004	3380	spoolsv.exe	spoolsv.exe
PID 1092 set thread context of 2192	1092	spoolsv.exe	spoolsv.exe
PID 2216 set thread context of 3068	2216	spoolsv.exe	spoolsv.exe
PID 4948 set thread context of 1884	4948	spoolsv.exe	spoolsv.exe
PID 4020 set thread context of 2452	4020	spoolsv.exe	spoolsv.exe
PID 3452 set thread context of 3684	3452	spoolsv.exe	spoolsv.exe
PID 792 set thread context of 1588	792	spoolsv.exe	spoolsv.exe
PID 2584 set thread context of 552	2584	spoolsv.exe	spoolsv.exe
PID 4056 set thread context of 4812	4056	spoolsv.exe	spoolsv.exe
PID 4460 set thread context of 4336	4460	spoolsv.exe	spoolsv.exe
PID 4540 set thread context of 3732	4540	spoolsv.exe	spoolsv.exe
PID 4520 set thread context of 1188	4520	spoolsv.exe	spoolsv.exe
PID 4296 set thread context of 3812	4296	spoolsv.exe	spoolsv.exe
PID 5116 set thread context of 1944	5116	spoolsv.exe	spoolsv.exe
PID 4712 set thread context of 532	4712	spoolsv.exe	spoolsv.exe
PID 1036 set thread context of 968	1036	spoolsv.exe	spoolsv.exe
PID 4632 set thread context of 3296	4632	spoolsv.exe	spoolsv.exe
PID 5076 set thread context of 3576	5076	spoolsv.exe	spoolsv.exe
PID 4912 set thread context of 3052	4912	spoolsv.exe	spoolsv.exe
PID 764 set thread context of 4468	764	spoolsv.exe	spoolsv.exe
PID 2712 set thread context of 2684	2712	spoolsv.exe	spoolsv.exe
PID 916 set thread context of 5084	916	spoolsv.exe	spoolsv.exe
PID 4708 set thread context of 1104	4708	spoolsv.exe	spoolsv.exe
PID 1768 set thread context of 2436	1768	spoolsv.exe	spoolsv.exe
PID 1076 set thread context of 212	1076	spoolsv.exe	spoolsv.exe
PID 4700 set thread context of 3520	4700	spoolsv.exe	spoolsv.exe
PID 1908 set thread context of 636	1908	spoolsv.exe	spoolsv.exe
PID 4900 set thread context of 3060	4900	spoolsv.exe	spoolsv.exe
PID 4120 set thread context of 952	4120	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 4288	1540	explorer.exe	explorer.exe
PID 852 set thread context of 2700	852	spoolsv.exe	spoolsv.exe
PID 1632 set thread context of 4308	1632	explorer.exe	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exeexplorer.exe

pid	process
1028	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
1028	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

316 explorer.exe

pid	process
316	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1028	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
1028	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
316	explorer.exe
4140	spoolsv.exe
4140	spoolsv.exe
452	spoolsv.exe
452	spoolsv.exe
1200	spoolsv.exe
1200	spoolsv.exe
2296	spoolsv.exe
2296	spoolsv.exe
4628	spoolsv.exe
4628	spoolsv.exe
3120	spoolsv.exe
3120	spoolsv.exe
4904	spoolsv.exe
4904	spoolsv.exe
1004	spoolsv.exe
1004	spoolsv.exe
2192	spoolsv.exe
2192	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
1884	spoolsv.exe
1884	spoolsv.exe
2452	spoolsv.exe
2452	spoolsv.exe
3684	spoolsv.exe
3684	spoolsv.exe
1588	spoolsv.exe
1588	spoolsv.exe
552	spoolsv.exe
552	spoolsv.exe
4812	spoolsv.exe
4812	spoolsv.exe
4336	spoolsv.exe
4336	spoolsv.exe
3732	spoolsv.exe
3732	spoolsv.exe
1188	spoolsv.exe
1188	spoolsv.exe
2472	spoolsv.exe
2472	spoolsv.exe
3812	spoolsv.exe
3812	spoolsv.exe
1944	spoolsv.exe
1944	spoolsv.exe
532	spoolsv.exe
532	spoolsv.exe
968	spoolsv.exe
968	spoolsv.exe
3296	spoolsv.exe
3296	spoolsv.exe
3576	spoolsv.exe
3576	spoolsv.exe
3052	spoolsv.exe
3052	spoolsv.exe
4468	spoolsv.exe
4468	spoolsv.exe
2684	spoolsv.exe
2684	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 5056 wrote to memory of 3900	5056	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	splwow64.exe
PID 5056 wrote to memory of 3900	5056	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	splwow64.exe
PID 5056 wrote to memory of 1028	5056	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
PID 5056 wrote to memory of 1028	5056	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
PID 5056 wrote to memory of 1028	5056	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
PID 5056 wrote to memory of 1028	5056	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
PID 5056 wrote to memory of 1028	5056	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
PID 1028 wrote to memory of 1712	1028	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	explorer.exe
PID 1028 wrote to memory of 1712	1028	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	explorer.exe
PID 1028 wrote to memory of 1712	1028	046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe	explorer.exe
PID 1712 wrote to memory of 316	1712	explorer.exe	explorer.exe
PID 1712 wrote to memory of 316	1712	explorer.exe	explorer.exe
PID 1712 wrote to memory of 316	1712	explorer.exe	explorer.exe
PID 1712 wrote to memory of 316	1712	explorer.exe	explorer.exe
PID 1712 wrote to memory of 316	1712	explorer.exe	explorer.exe
PID 316 wrote to memory of 4952	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4952	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4952	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2068	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2068	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2068	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 3736	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 3736	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 3736	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 1496	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 1496	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 1496	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2912	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2912	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2912	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2776	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2776	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2776	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 1792	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 1792	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 1792	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 3380	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 3380	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 3380	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 1092	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 1092	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 1092	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2216	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2216	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2216	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4948	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4948	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4948	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4020	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4020	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4020	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 3452	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 3452	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 3452	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 792	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 792	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 792	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2584	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2584	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 2584	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4056	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4056	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4056	316	explorer.exe	spoolsv.exe
PID 316 wrote to memory of 4460	316	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\046a6b51f587a18a7886e21d45112d4e_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1712

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4952

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4140

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1540

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2068

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3736

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1496

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2912

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2776

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1792

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3380

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1092

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2216

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4948

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1884

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1632

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4020

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3452

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:792

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2584

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4056

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4460

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4540

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4520

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3408

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4296

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3812

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:440

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5116

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4712

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1036

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4632

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5076

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4912

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:764

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4468

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:4552

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2712

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:916

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4708

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1768

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1076

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:212

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:1244

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4700

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1908

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4900

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4120

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:952

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:2404

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:6064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:852

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2700

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:2952

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1660

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4424

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1684

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:668

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1956

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5332

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5040

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5176

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4144

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:216

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4236

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3680

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3980

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3524

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3260

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1060

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4592

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5096

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4072

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1460

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1476

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5476

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3192

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
d22df1d6ebd89d3bfe5f4fc15fb00c21

SHA1
87685bbcd3d2e5cb6e7cdd052617349fa6b7c0b9

SHA256
ddd492764f4e8ee490612a9f40b26115d773d510c2a115987e120ed71012757f

SHA512
c8122c391de7dd4423668c8fdd1a064b485923e071da11b32872cbe21a46297dee1e9325050aac816529adcae871bd522b2c963629d558d92e1748729a05a063

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
2.2MB

MD5
bf27c46cfdc63bda9f3736ccfee1471a

SHA1
42ac6768d9c5582100fd81974ed4097167c09ba0

SHA256
033f306c149bd72941c932a966b52045380e684e2f5630bce2b6f27ab1e27d44

SHA512
be3178e5e68a7ab13c0723e3f4ba7faaa406d335d1bfb318367d28ca5fe1fa6d0db8392b562d4f11dc51a87ba5b5557c799304d89f56c0cca7706edc2f5193ea

Download Submit
memory/208-6133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/212-3516-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/316-1045-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/316-86-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-2436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-3029-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/552-2826-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/668-5413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/792-1831-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/968-3039-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1004-2578-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1028-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1028-67-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/1028-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1028-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1036-2426-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1092-1639-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1104-3208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-3212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1188-2869-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1200-2446-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1200-2449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-1299-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1588-2818-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-2813-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-80-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1712-85-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1792-1447-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1884-2914-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-2704-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-6091-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2068-2438-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2068-1297-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2076-6124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-2587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-1640-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2296-2532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-2714-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-2874-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-2881-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-5405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-1832-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2700-4501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-4588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-1446-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2912-1445-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3052-3067-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-3396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-3398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-2556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3296-3048-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3296-3051-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-1448-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3408-2261-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3452-1830-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3520-3379-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-2804-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3732-2857-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3736-1298-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3736-2447-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3812-3007-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-1829-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4056-2081-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4140-2427-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-2637-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-4352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-2265-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4308-4984-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4336-2847-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-5099-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-4992-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-2082-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4468-3178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-3354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-2260-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4540-2083-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4628-2546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-2435-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4712-2425-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4812-2836-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-2567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-1641-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4952-2428-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4952-1046-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5056-28-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/5056-32-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5056-26-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5056-0-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/5076-2443-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5084-3200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-2266-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5172-6081-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5176-5928-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5208-6103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5332-5695-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5440-5722-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5476-6147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5988-6039-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6064-6063-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download