pony | 30aa783d70820926e668737bea5c8462b1fc72dc04a5378cf43ca8c1a5783be1

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
Size

2.2MB
MD5

04b0fd4f6bf3d89cb9c8bd9e7da279e6
SHA1

5b88eadbb28bd5bb1251b1cee96999a919f7f209
SHA256

30aa783d70820926e668737bea5c8462b1fc72dc04a5378cf43ca8c1a5783be1
SHA512

7aad3666e72be2de3b731b22fc9c60e4a0f60b4c51c3d15b8da06c42e1149daa647614890c6b569243ec096820cfd2d05540be951da3f23556ee85f678a94ae3
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ5:0UzeyQMS4DqodCnoe+iitjWwwd

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3268	explorer.exe
3320	explorer.exe
4092	spoolsv.exe
4724	spoolsv.exe
3748	spoolsv.exe
2780	spoolsv.exe
4504	spoolsv.exe
1808	spoolsv.exe
4760	spoolsv.exe
1388	spoolsv.exe
3956	spoolsv.exe
4764	spoolsv.exe
1452	spoolsv.exe
1936	spoolsv.exe
384	spoolsv.exe
2316	spoolsv.exe
1268	spoolsv.exe
4284	spoolsv.exe
664	spoolsv.exe
4072	spoolsv.exe
4088	spoolsv.exe
1164	spoolsv.exe
3156	spoolsv.exe
4336	spoolsv.exe
1620	spoolsv.exe
4972	spoolsv.exe
3976	spoolsv.exe
2340	spoolsv.exe
2740	spoolsv.exe
4364	spoolsv.exe
4168	spoolsv.exe
4116	spoolsv.exe
3376	spoolsv.exe
3792	explorer.exe
972	spoolsv.exe
3356	spoolsv.exe
3532	spoolsv.exe
2988	spoolsv.exe
3100	spoolsv.exe
2016	spoolsv.exe
4476	spoolsv.exe
3252	explorer.exe
372	spoolsv.exe
1204	spoolsv.exe
4732	spoolsv.exe
3012	spoolsv.exe
4700	spoolsv.exe
5088	explorer.exe
4524	spoolsv.exe
4636	spoolsv.exe
924	spoolsv.exe
4980	spoolsv.exe
4372	spoolsv.exe
1852	explorer.exe
2724	spoolsv.exe
1348	spoolsv.exe
4544	spoolsv.exe
2972	spoolsv.exe
3984	spoolsv.exe
812	explorer.exe
4736	spoolsv.exe
2028	spoolsv.exe
4236	spoolsv.exe
556	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 58 IoCs

Processes:

04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2624 set thread context of 3404	2624	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
PID 3268 set thread context of 3320	3268	explorer.exe	explorer.exe
PID 4092 set thread context of 3376	4092	spoolsv.exe	spoolsv.exe
PID 4724 set thread context of 972	4724	spoolsv.exe	spoolsv.exe
PID 3748 set thread context of 3356	3748	spoolsv.exe	spoolsv.exe
PID 2780 set thread context of 3532	2780	spoolsv.exe	spoolsv.exe
PID 4504 set thread context of 3100	4504	spoolsv.exe	spoolsv.exe
PID 1808 set thread context of 2016	1808	spoolsv.exe	spoolsv.exe
PID 4760 set thread context of 4476	4760	spoolsv.exe	spoolsv.exe
PID 1388 set thread context of 372	1388	spoolsv.exe	spoolsv.exe
PID 3956 set thread context of 4732	3956	spoolsv.exe	spoolsv.exe
PID 4764 set thread context of 3012	4764	spoolsv.exe	spoolsv.exe
PID 1452 set thread context of 4700	1452	spoolsv.exe	spoolsv.exe
PID 1936 set thread context of 4636	1936	spoolsv.exe	spoolsv.exe
PID 384 set thread context of 924	384	spoolsv.exe	spoolsv.exe
PID 2316 set thread context of 4980	2316	spoolsv.exe	spoolsv.exe
PID 1268 set thread context of 4372	1268	spoolsv.exe	spoolsv.exe
PID 4284 set thread context of 1348	4284	spoolsv.exe	spoolsv.exe
PID 664 set thread context of 4544	664	spoolsv.exe	spoolsv.exe
PID 4072 set thread context of 2972	4072	spoolsv.exe	spoolsv.exe
PID 4088 set thread context of 3984	4088	spoolsv.exe	spoolsv.exe
PID 1164 set thread context of 2028	1164	spoolsv.exe	spoolsv.exe
PID 3156 set thread context of 4236	3156	spoolsv.exe	spoolsv.exe
PID 4336 set thread context of 556	4336	spoolsv.exe	spoolsv.exe
PID 1620 set thread context of 5068	1620	spoolsv.exe	spoolsv.exe
PID 4972 set thread context of 4940	4972	spoolsv.exe	spoolsv.exe
PID 3976 set thread context of 2236	3976	spoolsv.exe	spoolsv.exe
PID 2340 set thread context of 1420	2340	spoolsv.exe	spoolsv.exe
PID 2740 set thread context of 3040	2740	spoolsv.exe	spoolsv.exe
PID 4364 set thread context of 4588	4364	spoolsv.exe	spoolsv.exe
PID 4168 set thread context of 760	4168	spoolsv.exe	spoolsv.exe
PID 4116 set thread context of 636	4116	spoolsv.exe	spoolsv.exe
PID 3792 set thread context of 1644	3792	explorer.exe	explorer.exe
PID 2988 set thread context of 4668	2988	spoolsv.exe	spoolsv.exe
PID 3252 set thread context of 1256	3252	explorer.exe	explorer.exe
PID 1204 set thread context of 1576	1204	spoolsv.exe	spoolsv.exe
PID 5088 set thread context of 4508	5088	explorer.exe	explorer.exe
PID 4524 set thread context of 4084	4524	spoolsv.exe	spoolsv.exe
PID 1852 set thread context of 3504	1852	explorer.exe	explorer.exe
PID 2724 set thread context of 3568	2724	spoolsv.exe	spoolsv.exe
PID 4736 set thread context of 3084	4736	spoolsv.exe	spoolsv.exe
PID 812 set thread context of 4560	812	explorer.exe	explorer.exe
PID 1556 set thread context of 816	1556	explorer.exe	explorer.exe
PID 3184 set thread context of 2552	3184	spoolsv.exe	spoolsv.exe
PID 4956 set thread context of 3204	4956	spoolsv.exe	spoolsv.exe
PID 688 set thread context of 512	688	explorer.exe	explorer.exe
PID 4860 set thread context of 5032	4860	spoolsv.exe	spoolsv.exe
PID 2244 set thread context of 1200	2244	spoolsv.exe	spoolsv.exe
PID 3652 set thread context of 3484	3652	spoolsv.exe	spoolsv.exe
PID 2664 set thread context of 1516	2664	explorer.exe	explorer.exe
PID 3192 set thread context of 3840	3192	spoolsv.exe	spoolsv.exe
PID 4248 set thread context of 4696	4248	spoolsv.exe	spoolsv.exe
PID 4464 set thread context of 4928	4464	explorer.exe	explorer.exe
PID 3872 set thread context of 4776	3872	spoolsv.exe	spoolsv.exe
PID 2276 set thread context of 1664	2276	spoolsv.exe	spoolsv.exe
PID 2864 set thread context of 4876	2864	spoolsv.exe	spoolsv.exe
PID 5048 set thread context of 4540	5048	explorer.exe	explorer.exe
PID 3028 set thread context of 4704	3028	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exe04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exe04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exeexplorer.exe

pid	process
3404	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
3404	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3320 explorer.exe

pid	process
3320	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
3404	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
3404	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3320	explorer.exe
3376	spoolsv.exe
3376	spoolsv.exe
972	spoolsv.exe
972	spoolsv.exe
3356	spoolsv.exe
3356	spoolsv.exe
3532	spoolsv.exe
3532	spoolsv.exe
3100	spoolsv.exe
3100	spoolsv.exe
2016	spoolsv.exe
2016	spoolsv.exe
4476	spoolsv.exe
4476	spoolsv.exe
372	spoolsv.exe
372	spoolsv.exe
4732	spoolsv.exe
4732	spoolsv.exe
3012	spoolsv.exe
3012	spoolsv.exe
4700	spoolsv.exe
4700	spoolsv.exe
4636	spoolsv.exe
4636	spoolsv.exe
924	spoolsv.exe
924	spoolsv.exe
4980	spoolsv.exe
4980	spoolsv.exe
4372	spoolsv.exe
4372	spoolsv.exe
1348	spoolsv.exe
1348	spoolsv.exe
4544	spoolsv.exe
4544	spoolsv.exe
2972	spoolsv.exe
2972	spoolsv.exe
3984	spoolsv.exe
3984	spoolsv.exe
2028	spoolsv.exe
2028	spoolsv.exe
4236	spoolsv.exe
4236	spoolsv.exe
556	spoolsv.exe
556	spoolsv.exe
5068	spoolsv.exe
5068	spoolsv.exe
4940	spoolsv.exe
4940	spoolsv.exe
2236	spoolsv.exe
2236	spoolsv.exe
1420	spoolsv.exe
1420	spoolsv.exe
3040	spoolsv.exe
3040	spoolsv.exe
4588	spoolsv.exe
4588	spoolsv.exe
760	spoolsv.exe
760	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2624 wrote to memory of 4740	2624	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	splwow64.exe
PID 2624 wrote to memory of 4740	2624	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	splwow64.exe
PID 2624 wrote to memory of 3404	2624	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
PID 2624 wrote to memory of 3404	2624	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
PID 2624 wrote to memory of 3404	2624	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
PID 2624 wrote to memory of 3404	2624	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
PID 2624 wrote to memory of 3404	2624	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
PID 3404 wrote to memory of 3268	3404	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	explorer.exe
PID 3404 wrote to memory of 3268	3404	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	explorer.exe
PID 3404 wrote to memory of 3268	3404	04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe	explorer.exe
PID 3268 wrote to memory of 3320	3268	explorer.exe	explorer.exe
PID 3268 wrote to memory of 3320	3268	explorer.exe	explorer.exe
PID 3268 wrote to memory of 3320	3268	explorer.exe	explorer.exe
PID 3268 wrote to memory of 3320	3268	explorer.exe	explorer.exe
PID 3268 wrote to memory of 3320	3268	explorer.exe	explorer.exe
PID 3320 wrote to memory of 4092	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4092	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4092	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4724	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4724	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4724	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 3748	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 3748	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 3748	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 2780	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 2780	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 2780	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4504	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4504	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4504	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1808	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1808	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1808	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4760	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4760	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4760	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1388	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1388	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1388	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 3956	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 3956	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 3956	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4764	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4764	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4764	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1452	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1452	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1452	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1936	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1936	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1936	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 384	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 384	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 384	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 2316	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 2316	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 2316	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1268	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1268	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 1268	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4284	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4284	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 4284	3320	explorer.exe	spoolsv.exe
PID 3320 wrote to memory of 664	3320	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04b0fd4f6bf3d89cb9c8bd9e7da279e6_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3268

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4092

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3376

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3792

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4724

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3748

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2780

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4504

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1808

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4760

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4476

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3252

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1388

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3956

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4764

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1452

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4700

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5088

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1936

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:384

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2316

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1268

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4372

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1852

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4284

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:664

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4072

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4088

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3984

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:812

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1164

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3156

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4336

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1620

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4972

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4940

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1556

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3976

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2340

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2740

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4364

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4588

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:688

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4168

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4116

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:636

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2664

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2988

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4668

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4464

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1204

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1576

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5048

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4524

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4084

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2724

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3568

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4736

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3084

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3184

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2552

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4956

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:4860

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5032

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2244

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3652

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3484

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:3192

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:4248

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3872

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:2276

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1664

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2864

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3028

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
04ceb237af76039bf5ad8568fde2d7c0

SHA1
ee9842d5e18eded0d26f89df1a75696141491510

SHA256
7e4a8ac99cb8385012f3331bd6ed9266a7827961b432a443c5d709b616ce086c

SHA512
8ed8d788f7fe5ac16a8eac0329076c6268fc7d84c02e23eb4fd7b83f86b90e1bf0c8d186d18246e18277be1c314a75ab5caf14f409ab3df5a392e13eec1d1567

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
041f7664cc566d803bb9fb69334f803b

SHA1
7fc4195f3b8e2b92703c74b958d1a5c60e8fff05

SHA256
32a18d42e411c2887d79d2b6f4ed22bb87920f8bf4025a74275921905cf94766

SHA512
b1d1416a90197ba5c155616c0be1d23d7b5ffdfdc2b2226af57f9c97e136951fa47fadd8fffd9b5f526905775b428256f6d16aea7d22c624ea88bee9b42e7278

Download Submit
memory/372-2041-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/384-1566-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/512-4841-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/556-2657-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-3347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-3209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/664-1748-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/760-2988-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/816-4676-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/924-2283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/924-2285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/972-1834-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/972-1833-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1164-1832-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1200-4925-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1200-4928-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-3615-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1268-1568-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1348-2472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1388-1241-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1420-2855-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1452-1395-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1516-4999-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1576-3689-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1576-3806-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-1854-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1644-3368-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-3366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1664-5168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-1103-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1936-1396-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2016-1939-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2016-1935-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-2637-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-2846-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2316-1567-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2552-4815-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2624-47-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2624-43-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2624-0-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2780-931-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2972-2491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-2116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-2867-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3084-4464-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3084-4586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3100-1928-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3100-1924-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3156-1842-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3204-4768-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3204-4771-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3268-88-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3268-93-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3320-92-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3320-623-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3356-1844-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-1997-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-1823-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3404-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3404-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3404-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-4992-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-4203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-1855-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-4334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3748-930-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3748-1843-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3956-1246-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3984-2615-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-1749-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4084-3972-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-4095-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4088-1822-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4092-758-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4092-1818-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4236-2648-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-1747-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4336-1853-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4372-2387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-2536-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-2017-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-2171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-1102-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4508-3904-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-5190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-2482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4560-4489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-3087-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4636-2275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-3595-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4700-2188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4700-2334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4704-5199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-929-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4724-1829-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4732-2106-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-1104-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4764-1394-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4776-5096-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-5177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-5079-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-2839-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-2295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-4917-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-4975-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5068-2668-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download