pony | a4edf7d4aee7d1b229563d024d866b9aa61ef31dff4305adc832b64af3470a27

General

Target

056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
Size

2.6MB
MD5

056df40fd0748f53510156f1b43fa8e0
SHA1

6aae80790480c5bddf59682925ca696069e388d2
SHA256

a4edf7d4aee7d1b229563d024d866b9aa61ef31dff4305adc832b64af3470a27
SHA512

42588a7634a2e79eba07c2fb4c93a628789fba222303dfb01fb00add0794445a1079b27ca98d5ec910bd581630d4bd7d7a24a5a3ec4d91c9a32df58182265397
SSDEEP

49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlO:86SIROiFJiwp0xlrlO

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2552	explorer.exe
2432	explorer.exe
2000	explorer.exe
1812	spoolsv.exe
2132	spoolsv.exe
924	spoolsv.exe
2724	spoolsv.exe
3052	spoolsv.exe
1304	spoolsv.exe
972	spoolsv.exe
1748	spoolsv.exe
860	spoolsv.exe
2252	spoolsv.exe
2308	spoolsv.exe
2464	spoolsv.exe
2028	spoolsv.exe
1296	spoolsv.exe
2552	spoolsv.exe
828	spoolsv.exe
1512	spoolsv.exe
1284	spoolsv.exe
2220	spoolsv.exe
2036	spoolsv.exe
668	spoolsv.exe
2708	spoolsv.exe
2628	spoolsv.exe
2480	spoolsv.exe
1028	spoolsv.exe
1952	spoolsv.exe
2672	spoolsv.exe
1592	spoolsv.exe
2932	spoolsv.exe
1564	spoolsv.exe
2916	spoolsv.exe
1428	spoolsv.exe
2392	spoolsv.exe
2548	spoolsv.exe
1260	spoolsv.exe
1732	spoolsv.exe
2220	spoolsv.exe
2084	spoolsv.exe
1132	spoolsv.exe
1844	spoolsv.exe
2108	spoolsv.exe
1588	spoolsv.exe
2760	spoolsv.exe
2952	spoolsv.exe
3028	spoolsv.exe
2932	spoolsv.exe
2668	spoolsv.exe
2288	spoolsv.exe
2504	spoolsv.exe
1512	spoolsv.exe
2368	spoolsv.exe
764	spoolsv.exe
2356	spoolsv.exe
1516	spoolsv.exe
2156	spoolsv.exe
928	spoolsv.exe
2108	spoolsv.exe
1664	spoolsv.exe
1560	spoolsv.exe
2960	spoolsv.exe
2400	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2544	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
2544	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
2000	explorer.exe
2000	explorer.exe
1812	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
924	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
3052	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
972	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
860	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
2308	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
2028	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
2552	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
1512	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
2220	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
668	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
2628	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
1028	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
2672	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
2932	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
2916	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
2392	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
1260	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
2220	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
1132	spoolsv.exe
2000	explorer.exe
2000	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 58 IoCs

Processes:

056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2236 set thread context of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 1508 set thread context of 2544	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2552 set thread context of 2432	2552	explorer.exe	explorer.exe
PID 2432 set thread context of 2000	2432	explorer.exe	explorer.exe
PID 1812 set thread context of 2132	1812	spoolsv.exe	spoolsv.exe
PID 924 set thread context of 2724	924	spoolsv.exe	spoolsv.exe
PID 3052 set thread context of 1304	3052	spoolsv.exe	spoolsv.exe
PID 972 set thread context of 1748	972	spoolsv.exe	spoolsv.exe
PID 860 set thread context of 2252	860	spoolsv.exe	spoolsv.exe
PID 2308 set thread context of 2464	2308	spoolsv.exe	spoolsv.exe
PID 2028 set thread context of 1296	2028	spoolsv.exe	spoolsv.exe
PID 2552 set thread context of 828	2552	spoolsv.exe	spoolsv.exe
PID 1512 set thread context of 1284	1512	spoolsv.exe	spoolsv.exe
PID 2220 set thread context of 2036	2220	spoolsv.exe	spoolsv.exe
PID 668 set thread context of 2708	668	spoolsv.exe	spoolsv.exe
PID 2628 set thread context of 2480	2628	spoolsv.exe	spoolsv.exe
PID 1028 set thread context of 1952	1028	spoolsv.exe	spoolsv.exe
PID 2672 set thread context of 1592	2672	spoolsv.exe	spoolsv.exe
PID 2932 set thread context of 1564	2932	spoolsv.exe	spoolsv.exe
PID 2916 set thread context of 1428	2916	spoolsv.exe	spoolsv.exe
PID 2392 set thread context of 2548	2392	spoolsv.exe	spoolsv.exe
PID 1260 set thread context of 1732	1260	spoolsv.exe	spoolsv.exe
PID 2220 set thread context of 2084	2220	spoolsv.exe	spoolsv.exe
PID 1132 set thread context of 1844	1132	spoolsv.exe	spoolsv.exe
PID 2108 set thread context of 1588	2108	spoolsv.exe	spoolsv.exe
PID 2760 set thread context of 2952	2760	spoolsv.exe	spoolsv.exe
PID 3028 set thread context of 2932	3028	spoolsv.exe	spoolsv.exe
PID 2668 set thread context of 2288	2668	spoolsv.exe	spoolsv.exe
PID 2504 set thread context of 1512	2504	spoolsv.exe	spoolsv.exe
PID 2368 set thread context of 764	2368	spoolsv.exe	spoolsv.exe
PID 2356 set thread context of 1516	2356	spoolsv.exe	spoolsv.exe
PID 2156 set thread context of 928	2156	spoolsv.exe	spoolsv.exe
PID 2108 set thread context of 1664	2108	spoolsv.exe	spoolsv.exe
PID 1560 set thread context of 2960	1560	spoolsv.exe	spoolsv.exe
PID 2400 set thread context of 2712	2400	spoolsv.exe	spoolsv.exe
PID 1192 set thread context of 2716	1192	spoolsv.exe	spoolsv.exe
PID 1376 set thread context of 2864	1376	spoolsv.exe	spoolsv.exe
PID 1604 set thread context of 2200	1604	spoolsv.exe	spoolsv.exe
PID 2752 set thread context of 2624	2752	spoolsv.exe	spoolsv.exe
PID 2696 set thread context of 1652	2696	spoolsv.exe	spoolsv.exe
PID 1348 set thread context of 2748	1348	spoolsv.exe	spoolsv.exe
PID 2064 set thread context of 1804	2064	spoolsv.exe	spoolsv.exe
PID 2104 set thread context of 2196	2104	spoolsv.exe	spoolsv.exe
PID 2772 set thread context of 2488	2772	spoolsv.exe	spoolsv.exe
PID 2620 set thread context of 2512	2620	spoolsv.exe	spoolsv.exe
PID 1868 set thread context of 1788	1868	spoolsv.exe	spoolsv.exe
PID 2728 set thread context of 2216	2728	spoolsv.exe	spoolsv.exe
PID 976 set thread context of 2180	976	spoolsv.exe	spoolsv.exe
PID 2276 set thread context of 1604	2276	spoolsv.exe	spoolsv.exe
PID 2204 set thread context of 1232	2204	spoolsv.exe	spoolsv.exe
PID 2336 set thread context of 1156	2336	spoolsv.exe	spoolsv.exe
PID 2688 set thread context of 2972	2688	spoolsv.exe	spoolsv.exe
PID 1800 set thread context of 1808	1800	spoolsv.exe	spoolsv.exe
PID 1940 set thread context of 1192	1940	spoolsv.exe	spoolsv.exe
PID 948 set thread context of 1768	948	spoolsv.exe	spoolsv.exe
PID 2188 set thread context of 2228	2188	spoolsv.exe	spoolsv.exe
PID 2520 set thread context of 2448	2520	spoolsv.exe	spoolsv.exe
PID 568 set thread context of 1076	568	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exeexplorer.exe

pid	process
2544	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe

Suspicious use of SetWindowsHookEx 62 IoCs

Processes:

056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
2544	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
2544	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
2552	explorer.exe
2000	explorer.exe
2000	explorer.exe
1812	spoolsv.exe
2000	explorer.exe
2000	explorer.exe
924	spoolsv.exe
3052	spoolsv.exe
972	spoolsv.exe
860	spoolsv.exe
2308	spoolsv.exe
2028	spoolsv.exe
2552	spoolsv.exe
1512	spoolsv.exe
2220	spoolsv.exe
668	spoolsv.exe
2628	spoolsv.exe
1028	spoolsv.exe
2672	spoolsv.exe
2932	spoolsv.exe
2916	spoolsv.exe
2392	spoolsv.exe
1260	spoolsv.exe
2220	spoolsv.exe
1132	spoolsv.exe
2108	spoolsv.exe
2760	spoolsv.exe
3028	spoolsv.exe
2668	spoolsv.exe
2504	spoolsv.exe
2368	spoolsv.exe
2356	spoolsv.exe
2156	spoolsv.exe
2108	spoolsv.exe
1560	spoolsv.exe
2400	spoolsv.exe
1192	spoolsv.exe
1376	spoolsv.exe
1604	spoolsv.exe
2752	spoolsv.exe
2696	spoolsv.exe
1348	spoolsv.exe
2064	spoolsv.exe
2104	spoolsv.exe
2772	spoolsv.exe
2620	spoolsv.exe
1868	spoolsv.exe
2728	spoolsv.exe
976	spoolsv.exe
2276	spoolsv.exe
2204	spoolsv.exe
2336	spoolsv.exe
2688	spoolsv.exe
1800	spoolsv.exe
1940	spoolsv.exe
948	spoolsv.exe
2188	spoolsv.exe
2520	spoolsv.exe
568	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2236 wrote to memory of 1508	2236	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 1508 wrote to memory of 2812	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	splwow64.exe
PID 1508 wrote to memory of 2812	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	splwow64.exe
PID 1508 wrote to memory of 2812	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	splwow64.exe
PID 1508 wrote to memory of 2812	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	splwow64.exe
PID 1508 wrote to memory of 2544	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 1508 wrote to memory of 2544	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 1508 wrote to memory of 2544	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 1508 wrote to memory of 2544	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 1508 wrote to memory of 2544	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 1508 wrote to memory of 2544	1508	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
PID 2544 wrote to memory of 2552	2544	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	explorer.exe
PID 2544 wrote to memory of 2552	2544	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	explorer.exe
PID 2544 wrote to memory of 2552	2544	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	explorer.exe
PID 2544 wrote to memory of 2552	2544	056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2552 wrote to memory of 2432	2552	explorer.exe	explorer.exe
PID 2432 wrote to memory of 2000	2432	explorer.exe	explorer.exe
PID 2432 wrote to memory of 2000	2432	explorer.exe	explorer.exe
PID 2432 wrote to memory of 2000	2432	explorer.exe	explorer.exe
PID 2432 wrote to memory of 2000	2432	explorer.exe	explorer.exe
PID 2432 wrote to memory of 2000	2432	explorer.exe	explorer.exe
PID 2432 wrote to memory of 2000	2432	explorer.exe	explorer.exe
PID 2000 wrote to memory of 1812	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1812	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1812	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1812	2000	explorer.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe
PID 1812 wrote to memory of 2132	1812	spoolsv.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\056df40fd0748f53510156f1b43fa8e0_JaffaCakes118.exe"
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2432

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2132

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2724

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3960

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:2076

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1304

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1748

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2268

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:3768

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2252

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2464

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3152

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1500

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1296

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:828

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2708

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1952

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1732

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1588

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2952

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:764

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4240

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:4292

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2712

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2200

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2624

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2216

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1156

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:568

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3428

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3924

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4716

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD
Filesize
56KB

MD5
bd72dcf1083b6e22ccbfa0e8e27fb1e0

SHA1
3fd23d4f14da768da7b8364d74c54932d704e74e

SHA256
90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

SHA512
72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

Download Submit
\Windows\system\explorer.exe
Filesize
2.6MB

MD5
83dc897ac663343340e1ef6d1bc75c6f

SHA1
b46dd7a2b5b0a77ba0006124a2f896251db48767

SHA256
b41e73c39b114aeb27db4fa04807c08946f25c06d7283cc1769639da2a88ec8b

SHA512
ce73996e1ac63808503ab214759a723c0be71cd4191fcbf42dd542d81d8ea9c07cffff73dd58e0bca42bbdff95193eb2bc08e8b58a2ef4511cca3add28d4f43d

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.6MB

MD5
341aef663fb664b283200b547bfe34b9

SHA1
284e8b5cd51e5f1b436d1966d6dcc8103af22776

SHA256
7ed561a9a0cb05de5fe8432bcb4b6ec58dc8c11873bd1188edfad19879528f54

SHA512
b0dc922e577dd079dab70b62ed4f520a11fed299ad14b99e92c39afeb33fdfa793fe3f60f2fd3129ab6f41401d527b96c21022c268b3566c74df53d0fab1adcd

Download Submit
memory/1308-3686-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1508-25-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1508-8-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1508-6-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1508-7-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1508-27-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1508-4-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1508-3-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1508-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2132-110-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2236-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2236-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2268-3517-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2268-3571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-4204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-90-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2432-60-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2432-61-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2432-81-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2544-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2552-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2552-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2556-4263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3152-3725-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3152-3600-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3444-3855-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-3486-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3572-3417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-3625-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3756-3699-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3928-4122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3960-3465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3960-3455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4052-3643-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-3753-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4240-3739-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-3951-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-3947-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-3766-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-3868-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4884-4134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4916-3905-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5044-4060-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads