pony | ac6900fdea4024dac56bca34ceeeb78cf97a6e9edae9773c0ae0057a1be42049

Analysis

max time kernel
148s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

056756674108530c852acb294836b90b_JaffaCakes118.exe
Size

2.2MB
MD5

056756674108530c852acb294836b90b
SHA1

6a20b78ee2246909091836d89c1e7515e6bbe55a
SHA256

ac6900fdea4024dac56bca34ceeeb78cf97a6e9edae9773c0ae0057a1be42049
SHA512

4a25857db0dc09bad30381e86ed16e6b662314000642c8805201c6af7872118e4ab4f6f8b186723319cb162c50c096f1374f93eae5c75c116398dad6f5336cfd
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZA:0UzeyQMS4DqodCnoe+iitjWwwk

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

056756674108530c852acb294836b90b_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\056756674108530c852acb294836b90b_JaffaCakes118.exe	056756674108530c852acb294836b90b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\056756674108530c852acb294836b90b_JaffaCakes118.exe	056756674108530c852acb294836b90b_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

pid	process
1692	explorer.exe
1240	explorer.exe
2252	spoolsv.exe
3312	spoolsv.exe
3836	spoolsv.exe
2756	spoolsv.exe
3952	spoolsv.exe
3936	spoolsv.exe
3244	spoolsv.exe
4000	spoolsv.exe
1464	spoolsv.exe
4904	spoolsv.exe
1044	spoolsv.exe
1980	spoolsv.exe
640	spoolsv.exe
4264	spoolsv.exe
4612	spoolsv.exe
436	spoolsv.exe
1012	spoolsv.exe
4592	spoolsv.exe
3180	spoolsv.exe
1432	spoolsv.exe
3700	spoolsv.exe
2428	spoolsv.exe
4800	spoolsv.exe
4348	spoolsv.exe
4636	spoolsv.exe
2416	spoolsv.exe
1416	spoolsv.exe
1600	spoolsv.exe
408	spoolsv.exe
1568	spoolsv.exe
3768	explorer.exe
5032	spoolsv.exe
4892	spoolsv.exe
740	spoolsv.exe
400	spoolsv.exe
3404	explorer.exe
2868	spoolsv.exe
1124	spoolsv.exe
2224	spoolsv.exe
3940	spoolsv.exe
2636	spoolsv.exe
2488	spoolsv.exe
1520	explorer.exe
2320	spoolsv.exe
2576	spoolsv.exe
4884	spoolsv.exe
1692	spoolsv.exe
1072	explorer.exe
3324	spoolsv.exe
3396	spoolsv.exe
3800	spoolsv.exe
3248	spoolsv.exe
116	spoolsv.exe
5080	explorer.exe
4304	spoolsv.exe
2400	spoolsv.exe
4052	spoolsv.exe
1920	spoolsv.exe
3772	spoolsv.exe
3060	spoolsv.exe
4996	explorer.exe
1788	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 54 IoCs

Processes:

056756674108530c852acb294836b90b_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 212 set thread context of 2036	212	056756674108530c852acb294836b90b_JaffaCakes118.exe	056756674108530c852acb294836b90b_JaffaCakes118.exe
PID 1692 set thread context of 1240	1692	explorer.exe	explorer.exe
PID 2252 set thread context of 1568	2252	spoolsv.exe	spoolsv.exe
PID 3312 set thread context of 5032	3312	spoolsv.exe	spoolsv.exe
PID 3836 set thread context of 740	3836	spoolsv.exe	spoolsv.exe
PID 2756 set thread context of 400	2756	spoolsv.exe	spoolsv.exe
PID 3952 set thread context of 2868	3952	spoolsv.exe	spoolsv.exe
PID 3936 set thread context of 1124	3936	spoolsv.exe	spoolsv.exe
PID 3244 set thread context of 2224	3244	spoolsv.exe	spoolsv.exe
PID 4000 set thread context of 2636	4000	spoolsv.exe	spoolsv.exe
PID 1464 set thread context of 2488	1464	spoolsv.exe	spoolsv.exe
PID 4904 set thread context of 2320	4904	spoolsv.exe	spoolsv.exe
PID 1044 set thread context of 4884	1044	spoolsv.exe	spoolsv.exe
PID 1980 set thread context of 1692	1980	spoolsv.exe	spoolsv.exe
PID 640 set thread context of 3324	640	spoolsv.exe	spoolsv.exe
PID 4264 set thread context of 3800	4264	spoolsv.exe	spoolsv.exe
PID 4612 set thread context of 3248	4612	spoolsv.exe	spoolsv.exe
PID 436 set thread context of 116	436	spoolsv.exe	spoolsv.exe
PID 1012 set thread context of 4304	1012	spoolsv.exe	spoolsv.exe
PID 4592 set thread context of 4052	4592	spoolsv.exe	spoolsv.exe
PID 3180 set thread context of 1920	3180	spoolsv.exe	spoolsv.exe
PID 1432 set thread context of 3772	1432	spoolsv.exe	spoolsv.exe
PID 3700 set thread context of 3060	3700	spoolsv.exe	spoolsv.exe
PID 2428 set thread context of 1788	2428	spoolsv.exe	spoolsv.exe
PID 4800 set thread context of 1096	4800	spoolsv.exe	spoolsv.exe
PID 4348 set thread context of 844	4348	spoolsv.exe	spoolsv.exe
PID 4636 set thread context of 3752	4636	spoolsv.exe	spoolsv.exe
PID 2416 set thread context of 2332	2416	spoolsv.exe	spoolsv.exe
PID 1416 set thread context of 4260	1416	spoolsv.exe	spoolsv.exe
PID 1600 set thread context of 4940	1600	spoolsv.exe	spoolsv.exe
PID 408 set thread context of 1952	408	spoolsv.exe	spoolsv.exe
PID 3768 set thread context of 376	3768	explorer.exe	explorer.exe
PID 4892 set thread context of 4604	4892	spoolsv.exe	spoolsv.exe
PID 3404 set thread context of 5076	3404	explorer.exe	explorer.exe
PID 3940 set thread context of 4748	3940	spoolsv.exe	spoolsv.exe
PID 1520 set thread context of 4012	1520	explorer.exe	explorer.exe
PID 2576 set thread context of 1708	2576	spoolsv.exe	spoolsv.exe
PID 1072 set thread context of 4256	1072	explorer.exe	explorer.exe
PID 3396 set thread context of 3560	3396	spoolsv.exe	spoolsv.exe
PID 5080 set thread context of 4132	5080	explorer.exe	explorer.exe
PID 2400 set thread context of 4080	2400	spoolsv.exe	spoolsv.exe
PID 4996 set thread context of 4324	4996	explorer.exe	explorer.exe
PID 2324 set thread context of 4736	2324	spoolsv.exe	spoolsv.exe
PID 3148 set thread context of 704	3148	explorer.exe	explorer.exe
PID 772 set thread context of 4580	772	spoolsv.exe	spoolsv.exe
PID 2344 set thread context of 1328	2344	spoolsv.exe	spoolsv.exe
PID 3168 set thread context of 3252	3168	explorer.exe	explorer.exe
PID 3504 set thread context of 1488	3504	spoolsv.exe	spoolsv.exe
PID 3564 set thread context of 2020	3564	spoolsv.exe	spoolsv.exe
PID 4456 set thread context of 1968	4456	explorer.exe	explorer.exe
PID 4360 set thread context of 3860	4360	spoolsv.exe	spoolsv.exe
PID 2496 set thread context of 3036	2496	spoolsv.exe	spoolsv.exe
PID 4152 set thread context of 5092	4152	explorer.exe	explorer.exe
PID 4720 set thread context of 1452	4720	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exe056756674108530c852acb294836b90b_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe056756674108530c852acb294836b90b_JaffaCakes118.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	056756674108530c852acb294836b90b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	056756674108530c852acb294836b90b_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

056756674108530c852acb294836b90b_JaffaCakes118.exeexplorer.exe

pid	process
2036	056756674108530c852acb294836b90b_JaffaCakes118.exe
2036	056756674108530c852acb294836b90b_JaffaCakes118.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1240 explorer.exe

pid	process
1240	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2036	056756674108530c852acb294836b90b_JaffaCakes118.exe
2036	056756674108530c852acb294836b90b_JaffaCakes118.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1240	explorer.exe
1568	spoolsv.exe
1568	spoolsv.exe
5032	spoolsv.exe
5032	spoolsv.exe
740	spoolsv.exe
740	spoolsv.exe
400	spoolsv.exe
400	spoolsv.exe
2868	spoolsv.exe
2868	spoolsv.exe
1124	spoolsv.exe
1124	spoolsv.exe
2224	spoolsv.exe
2224	spoolsv.exe
2636	spoolsv.exe
2636	spoolsv.exe
2488	spoolsv.exe
2488	spoolsv.exe
2320	spoolsv.exe
2320	spoolsv.exe
4884	spoolsv.exe
4884	spoolsv.exe
1692	spoolsv.exe
1692	spoolsv.exe
3324	spoolsv.exe
3324	spoolsv.exe
3800	spoolsv.exe
3800	spoolsv.exe
3248	spoolsv.exe
3248	spoolsv.exe
116	spoolsv.exe
116	spoolsv.exe
4304	spoolsv.exe
4304	spoolsv.exe
4052	spoolsv.exe
4052	spoolsv.exe
1920	spoolsv.exe
1920	spoolsv.exe
3772	spoolsv.exe
3772	spoolsv.exe
3060	spoolsv.exe
3060	spoolsv.exe
1788	spoolsv.exe
1788	spoolsv.exe
1096	spoolsv.exe
1096	spoolsv.exe
844	spoolsv.exe
844	spoolsv.exe
3752	spoolsv.exe
3752	spoolsv.exe
2332	spoolsv.exe
2332	spoolsv.exe
4260	spoolsv.exe
4260	spoolsv.exe
4940	spoolsv.exe
4940	spoolsv.exe
1952	spoolsv.exe
1952	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

056756674108530c852acb294836b90b_JaffaCakes118.exe056756674108530c852acb294836b90b_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 212 wrote to memory of 4084	212	056756674108530c852acb294836b90b_JaffaCakes118.exe	splwow64.exe
PID 212 wrote to memory of 4084	212	056756674108530c852acb294836b90b_JaffaCakes118.exe	splwow64.exe
PID 212 wrote to memory of 2036	212	056756674108530c852acb294836b90b_JaffaCakes118.exe	056756674108530c852acb294836b90b_JaffaCakes118.exe
PID 212 wrote to memory of 2036	212	056756674108530c852acb294836b90b_JaffaCakes118.exe	056756674108530c852acb294836b90b_JaffaCakes118.exe
PID 212 wrote to memory of 2036	212	056756674108530c852acb294836b90b_JaffaCakes118.exe	056756674108530c852acb294836b90b_JaffaCakes118.exe
PID 212 wrote to memory of 2036	212	056756674108530c852acb294836b90b_JaffaCakes118.exe	056756674108530c852acb294836b90b_JaffaCakes118.exe
PID 212 wrote to memory of 2036	212	056756674108530c852acb294836b90b_JaffaCakes118.exe	056756674108530c852acb294836b90b_JaffaCakes118.exe
PID 2036 wrote to memory of 1692	2036	056756674108530c852acb294836b90b_JaffaCakes118.exe	explorer.exe
PID 2036 wrote to memory of 1692	2036	056756674108530c852acb294836b90b_JaffaCakes118.exe	explorer.exe
PID 2036 wrote to memory of 1692	2036	056756674108530c852acb294836b90b_JaffaCakes118.exe	explorer.exe
PID 1692 wrote to memory of 1240	1692	explorer.exe	explorer.exe
PID 1692 wrote to memory of 1240	1692	explorer.exe	explorer.exe
PID 1692 wrote to memory of 1240	1692	explorer.exe	explorer.exe
PID 1692 wrote to memory of 1240	1692	explorer.exe	explorer.exe
PID 1692 wrote to memory of 1240	1692	explorer.exe	explorer.exe
PID 1240 wrote to memory of 2252	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 2252	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 2252	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3312	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3312	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3312	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3836	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3836	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3836	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 2756	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 2756	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 2756	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3952	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3952	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3952	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3936	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3936	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3936	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3244	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3244	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 3244	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4000	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4000	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4000	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 1464	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 1464	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 1464	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4904	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4904	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4904	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 1044	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 1044	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 1044	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 1980	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 1980	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 1980	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 640	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 640	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 640	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4264	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4264	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4264	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4612	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4612	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 4612	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 436	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 436	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 436	1240	explorer.exe	spoolsv.exe
PID 1240 wrote to memory of 1012	1240	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\056756674108530c852acb294836b90b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\056756674108530c852acb294836b90b_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\056756674108530c852acb294836b90b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\056756674108530c852acb294836b90b_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1692

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2252

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1568

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3768

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3312

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3836

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2756

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:400

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3404

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3952

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3936

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3244

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4000

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1464

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2488

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1520

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4904

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1044

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1980

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1072

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:640

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4264

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4612

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:436

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:116

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5080

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1012

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4592

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3180

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1432

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3700

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3060

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4996

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2428

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4800

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4348

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4636

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3752

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3148

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2416

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1416

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1600

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4940

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3168

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:408

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1952

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
PID:4456

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4892

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4604

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4152

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3940

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4748

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:396

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2576

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1708

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3396

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3560

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2400

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4080

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:2324

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4736

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:772

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4580

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:4560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:2344

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3504

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3564

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:4360

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3860

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2496

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3036

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4720

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3096

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4632

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3280

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
b19ceecf8cf3984e054581a7bc6696e4

SHA1
56b88c56a45bd0dae3b0fd075e2a0147624f66d8

SHA256
62a2daa2a0a1d68e2d6552385f6bbe10f20f3c4e57af9a07e844c48fa92603fd

SHA512
2a08e4fdcfaa73438b608288e9f0b5ddfa6b639e0bdfd592426560970cc21b002e092b6eb4dc1cf803b9474d22cdfbbd2473d17aae732f20e4ec2572cac3a161

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
451797964d1b3965ad021d0450288858

SHA1
a5a182f2298cbf99b2ec6e0f6c43f0adf6b81eaa

SHA256
fd12bc55a2f79e65295a5f9a1eb144cbc56d1bf109598531b509edaf3310f5b5

SHA512
2c9414cd2ec8bafd0c5f4c4c8b74931859b4efbaf88534b3c4fdf9c136252bfeabb2994422df950db6f6ea701eafb27064cedca407c4e2180be7c09fbcedbb1b

Download Submit
memory/116-2589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/116-2753-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/212-48-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/212-0-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/212-43-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/212-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/376-3303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-2043-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-2234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/436-1783-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/640-1633-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/704-4860-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/740-1962-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/844-2870-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1012-1784-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1044-1447-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1096-2860-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-2074-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-834-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-114-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1432-1896-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1464-1323-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1488-4946-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-4948-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1568-2020-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1568-1884-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-2411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-115-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1692-2572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-110-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1708-3958-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-3824-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1788-2780-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1920-2703-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-3295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-3421-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1968-4970-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-1448-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2020-4960-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-97-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2036-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-2083-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2252-1885-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2252-835-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2320-2261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-2264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-3030-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-3026-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2428-2042-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-2253-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2488-2392-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2636-2189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-988-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2756-2044-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2868-2062-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-5270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-5429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-2925-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-2772-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-1883-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3244-1321-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3248-2521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3252-4878-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3280-5517-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-1897-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3312-986-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3324-2420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-5386-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-5378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3560-4182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3560-4069-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3700-1961-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3752-2949-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3772-2729-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3800-2512-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3836-1960-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3836-987-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3860-5127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3860-5250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-1160-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3952-1159-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4000-1322-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4012-3749-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4012-3746-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4052-2691-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4052-2694-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4080-4595-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4080-4463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4132-4306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4132-4299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4256-3979-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4260-3038-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-1634-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4304-2597-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-4703-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-5361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-4857-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-5022-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4592-1882-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4604-3507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4604-3643-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-1782-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4748-3661-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-1446-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4940-3120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-3197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-1892-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-3516-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-3520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5092-5340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download