pony | 34320d9d04c1818d2b89e0afbca76e76346ebf54f4d9dab1ca4e3201972c7b46

General

Target

053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
Size

2.6MB
MD5

053298dd49a8952b53e13823dc46c181
SHA1

678b46bfff69d097eb5b21b51d838881fdcf63e7
SHA256

34320d9d04c1818d2b89e0afbca76e76346ebf54f4d9dab1ca4e3201972c7b46
SHA512

ddef5c28e25bfe8e9f79085f109193d7cd94315a553561c6dcf558bf339b6867b611b9bca98d65f35a6fd691366d11f33fce394198f2e046e44e295233c88f13
SSDEEP

49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlO:86SIROiFJiwp0xlrlO

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1380	explorer.exe
1068	explorer.exe
1904	explorer.exe
2432	spoolsv.exe
2908	spoolsv.exe
800	spoolsv.exe
2304	spoolsv.exe
584	spoolsv.exe
1724	spoolsv.exe
964	spoolsv.exe
692	spoolsv.exe
2076	spoolsv.exe
2444	spoolsv.exe
2192	spoolsv.exe
2028	spoolsv.exe
2480	spoolsv.exe
2380	spoolsv.exe
2884	spoolsv.exe
1916	spoolsv.exe
2704	spoolsv.exe
2684	spoolsv.exe
1664	spoolsv.exe
2164	spoolsv.exe
2544	spoolsv.exe
308	spoolsv.exe
912	spoolsv.exe
1888	spoolsv.exe
1732	spoolsv.exe
984	spoolsv.exe
1844	spoolsv.exe
676	spoolsv.exe
904	spoolsv.exe
1688	spoolsv.exe
2608	spoolsv.exe
2636	spoolsv.exe
2880	spoolsv.exe
1348	spoolsv.exe
2044	spoolsv.exe
2596	spoolsv.exe
2228	spoolsv.exe
1768	spoolsv.exe
1480	spoolsv.exe
2220	spoolsv.exe
2336	spoolsv.exe
1984	spoolsv.exe
2900	spoolsv.exe
2640	spoolsv.exe
2776	spoolsv.exe
2396	spoolsv.exe
1472	spoolsv.exe
2564	spoolsv.exe
2760	spoolsv.exe
1912	spoolsv.exe
896	spoolsv.exe
956	spoolsv.exe
1616	spoolsv.exe
2932	spoolsv.exe
1584	spoolsv.exe
2024	spoolsv.exe
2804	spoolsv.exe
2192	spoolsv.exe
2344	spoolsv.exe
2600	spoolsv.exe
1160	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

053298dd49a8952b53e13823dc46c181_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1696	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
1696	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
1904	explorer.exe
1904	explorer.exe
2432	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
800	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
584	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
964	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
2076	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
2192	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
2480	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
2884	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
2704	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
1664	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
2544	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
912	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
1732	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
1844	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
904	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
2608	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
2880	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
2044	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
2228	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
1480	spoolsv.exe
1904	explorer.exe
1904	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe053298dd49a8952b53e13823dc46c181_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2892 set thread context of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2096 set thread context of 1696	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 1380 set thread context of 1068	1380	explorer.exe	explorer.exe
PID 1068 set thread context of 1904	1068	explorer.exe	explorer.exe
PID 2432 set thread context of 2908	2432	spoolsv.exe	spoolsv.exe
PID 800 set thread context of 2304	800	spoolsv.exe	spoolsv.exe
PID 584 set thread context of 1724	584	spoolsv.exe	spoolsv.exe
PID 964 set thread context of 692	964	spoolsv.exe	spoolsv.exe
PID 2076 set thread context of 2444	2076	spoolsv.exe	spoolsv.exe
PID 2192 set thread context of 2028	2192	spoolsv.exe	spoolsv.exe
PID 2480 set thread context of 2380	2480	spoolsv.exe	spoolsv.exe
PID 2884 set thread context of 1916	2884	spoolsv.exe	spoolsv.exe
PID 2704 set thread context of 2684	2704	spoolsv.exe	spoolsv.exe
PID 1664 set thread context of 2164	1664	spoolsv.exe	spoolsv.exe
PID 2544 set thread context of 308	2544	spoolsv.exe	spoolsv.exe
PID 912 set thread context of 1888	912	spoolsv.exe	spoolsv.exe
PID 1732 set thread context of 984	1732	spoolsv.exe	spoolsv.exe
PID 1844 set thread context of 676	1844	spoolsv.exe	spoolsv.exe
PID 904 set thread context of 1688	904	spoolsv.exe	spoolsv.exe
PID 2608 set thread context of 2636	2608	spoolsv.exe	spoolsv.exe
PID 2880 set thread context of 1348	2880	spoolsv.exe	spoolsv.exe
PID 2044 set thread context of 2596	2044	spoolsv.exe	spoolsv.exe
PID 2228 set thread context of 1768	2228	spoolsv.exe	spoolsv.exe
PID 1480 set thread context of 2220	1480	spoolsv.exe	spoolsv.exe
PID 2336 set thread context of 1984	2336	spoolsv.exe	spoolsv.exe
PID 2900 set thread context of 2640	2900	spoolsv.exe	spoolsv.exe
PID 2776 set thread context of 2396	2776	spoolsv.exe	spoolsv.exe
PID 1472 set thread context of 2564	1472	spoolsv.exe	spoolsv.exe
PID 2760 set thread context of 1912	2760	spoolsv.exe	spoolsv.exe
PID 896 set thread context of 956	896	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 2932	1616	spoolsv.exe	spoolsv.exe
PID 1584 set thread context of 2024	1584	spoolsv.exe	spoolsv.exe
PID 2804 set thread context of 2192	2804	spoolsv.exe	spoolsv.exe
PID 2344 set thread context of 2600	2344	spoolsv.exe	spoolsv.exe
PID 1160 set thread context of 864	1160	spoolsv.exe	spoolsv.exe
PID 2032 set thread context of 2280	2032	spoolsv.exe	spoolsv.exe
PID 2452 set thread context of 2916	2452	spoolsv.exe	spoolsv.exe
PID 528 set thread context of 1836	528	spoolsv.exe	spoolsv.exe
PID 1956 set thread context of 2772	1956	spoolsv.exe	spoolsv.exe
PID 1928 set thread context of 2340	1928	spoolsv.exe	spoolsv.exe
PID 1492 set thread context of 2064	1492	spoolsv.exe	spoolsv.exe
PID 2132 set thread context of 1704	2132	spoolsv.exe	spoolsv.exe
PID 1744 set thread context of 1824	1744	spoolsv.exe	spoolsv.exe
PID 1944 set thread context of 1928	1944	spoolsv.exe	spoolsv.exe
PID 2796 set thread context of 2032	2796	spoolsv.exe	spoolsv.exe
PID 2556 set thread context of 2004	2556	spoolsv.exe	spoolsv.exe
PID 1736 set thread context of 2328	1736	spoolsv.exe	spoolsv.exe
PID 2132 set thread context of 2912	2132	spoolsv.exe	spoolsv.exe
PID 1104 set thread context of 1848	1104	spoolsv.exe	spoolsv.exe
PID 896 set thread context of 1992	896	spoolsv.exe	spoolsv.exe
PID 2992 set thread context of 2896	2992	spoolsv.exe	spoolsv.exe
PID 2480 set thread context of 2884	2480	spoolsv.exe	spoolsv.exe
PID 2704 set thread context of 2176	2704	spoolsv.exe	spoolsv.exe
PID 2972 set thread context of 364	2972	spoolsv.exe	spoolsv.exe
PID 368 set thread context of 3060	368	spoolsv.exe	spoolsv.exe
PID 2744 set thread context of 2316	2744	spoolsv.exe	spoolsv.exe
PID 2020 set thread context of 1736	2020	spoolsv.exe	spoolsv.exe
PID 1388 set thread context of 2568	1388	spoolsv.exe	spoolsv.exe
PID 3016 set thread context of 1728	3016	spoolsv.exe	spoolsv.exe
PID 2348 set thread context of 1972	2348	spoolsv.exe	spoolsv.exe
PID 2788 set thread context of 2668	2788	spoolsv.exe	spoolsv.exe
PID 1988 set thread context of 368	1988	spoolsv.exe	spoolsv.exe
PID 2872 set thread context of 1160	2872	spoolsv.exe	spoolsv.exe
PID 908 set thread context of 1576	908	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

053298dd49a8952b53e13823dc46c181_JaffaCakes118.exeexplorer.exe

pid	process
1696	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1904 explorer.exe

pid	process
1904	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe053298dd49a8952b53e13823dc46c181_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
1696	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
1696	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
1380	explorer.exe
1904	explorer.exe
1904	explorer.exe
2432	spoolsv.exe
1904	explorer.exe
1904	explorer.exe
800	spoolsv.exe
584	spoolsv.exe
964	spoolsv.exe
2076	spoolsv.exe
2192	spoolsv.exe
2480	spoolsv.exe
2884	spoolsv.exe
2704	spoolsv.exe
1664	spoolsv.exe
2544	spoolsv.exe
912	spoolsv.exe
1732	spoolsv.exe
1844	spoolsv.exe
904	spoolsv.exe
2608	spoolsv.exe
2880	spoolsv.exe
2044	spoolsv.exe
2228	spoolsv.exe
1480	spoolsv.exe
2336	spoolsv.exe
2900	spoolsv.exe
2776	spoolsv.exe
1472	spoolsv.exe
2760	spoolsv.exe
896	spoolsv.exe
1616	spoolsv.exe
1584	spoolsv.exe
2804	spoolsv.exe
2344	spoolsv.exe
1160	spoolsv.exe
2032	spoolsv.exe
2452	spoolsv.exe
528	spoolsv.exe
1956	spoolsv.exe
1928	spoolsv.exe
1492	spoolsv.exe
2132	spoolsv.exe
1744	spoolsv.exe
1944	spoolsv.exe
2796	spoolsv.exe
2556	spoolsv.exe
1736	spoolsv.exe
2132	spoolsv.exe
1104	spoolsv.exe
896	spoolsv.exe
2992	spoolsv.exe
2480	spoolsv.exe
2704	spoolsv.exe
2972	spoolsv.exe
368	spoolsv.exe
2744	spoolsv.exe
2020	spoolsv.exe
1388	spoolsv.exe
3016	spoolsv.exe
2348	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe053298dd49a8952b53e13823dc46c181_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2892 wrote to memory of 2096	2892	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2096 wrote to memory of 2944	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	splwow64.exe
PID 2096 wrote to memory of 2944	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	splwow64.exe
PID 2096 wrote to memory of 2944	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	splwow64.exe
PID 2096 wrote to memory of 2944	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	splwow64.exe
PID 2096 wrote to memory of 1696	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2096 wrote to memory of 1696	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2096 wrote to memory of 1696	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2096 wrote to memory of 1696	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2096 wrote to memory of 1696	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 2096 wrote to memory of 1696	2096	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
PID 1696 wrote to memory of 1380	1696	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	explorer.exe
PID 1696 wrote to memory of 1380	1696	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	explorer.exe
PID 1696 wrote to memory of 1380	1696	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	explorer.exe
PID 1696 wrote to memory of 1380	1696	053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1068	1380	explorer.exe	explorer.exe
PID 1068 wrote to memory of 1904	1068	explorer.exe	explorer.exe
PID 1068 wrote to memory of 1904	1068	explorer.exe	explorer.exe
PID 1068 wrote to memory of 1904	1068	explorer.exe	explorer.exe
PID 1068 wrote to memory of 1904	1068	explorer.exe	explorer.exe
PID 1068 wrote to memory of 1904	1068	explorer.exe	explorer.exe
PID 1068 wrote to memory of 1904	1068	explorer.exe	explorer.exe
PID 1904 wrote to memory of 2432	1904	explorer.exe	spoolsv.exe
PID 1904 wrote to memory of 2432	1904	explorer.exe	spoolsv.exe
PID 1904 wrote to memory of 2432	1904	explorer.exe	spoolsv.exe
PID 1904 wrote to memory of 2432	1904	explorer.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe
PID 2432 wrote to memory of 2908	2432	spoolsv.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\053298dd49a8952b53e13823dc46c181_JaffaCakes118.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1068

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2908

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2304

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3936

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:3164

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1724

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:692

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3532

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:3696

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2444

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2028

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2684

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:984

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1688

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2596

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1984

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2640

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1912

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2932

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2600

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:1716

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:4104

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:864

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2280

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2916

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1928

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2032

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2004

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2896

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1736

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1620

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1988

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:896

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1748

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3300

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1908

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3752

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4604

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD
Filesize
56KB

MD5
bd72dcf1083b6e22ccbfa0e8e27fb1e0

SHA1
3fd23d4f14da768da7b8364d74c54932d704e74e

SHA256
90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

SHA512
72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

Download Submit
C:\Windows\system\explorer.exe
Filesize
2.6MB

MD5
35eeb04fd74dcf4e9ff1bc614aea303f

SHA1
412e15533d2e3ed05b79da0f2e8f03a59973be16

SHA256
30f8077cd941e432e0adac839eb905f8649f0ca32626a4be0c1cf09483b5aa2a

SHA512
011ba7eb83ae44d434ad9c3ad4e36c08d3bf1565e7dbafb6fcb5336d4c967afb074c3edc28f7a5efcc083325c5f7165c0e91a3f6036c708ebb3b128ad1498239

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.6MB

MD5
e5f9786ee93b0c609e88a95e16ef4eb7

SHA1
38ab1b2df264260f869aef0f8f523cdee0449a4a

SHA256
013d177eefc97b8640cb34df3ee9de010f9f240641034e2fb4b95648e33e1737

SHA512
75497d3b03b549d36f25c2a83e5b0d5a00e7755f487e4ac2b36b630e12c598b64bf50e609fa2ca15b7ee7de73d6f7752ce1bf75b32ea730caccf55b0645a4159

Download Submit
memory/972-3717-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1068-91-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1068-81-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1068-64-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1068-60-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1380-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1380-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1696-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1696-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1716-3760-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1716-3858-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-7-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2096-4-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2096-39-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2096-8-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2096-25-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2096-27-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2096-3-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2096-5-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2440-3700-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-3631-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2892-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-110-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3204-3665-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-3739-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-3734-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-3565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-3556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-3644-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-3586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-3560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-3534-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3988-3614-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-3813-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-3778-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-3869-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads