pony | c0324b59614035be46da5cba82407eb058d78b9aa63a646e26c9bb07fba27c82

Analysis

max time kernel
148s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
Size

2.2MB
MD5

05a74c986cdd416ea1cd8e99aa756c73
SHA1

b74e18934973fe895195e87e7de307827fd9b22f
SHA256

c0324b59614035be46da5cba82407eb058d78b9aa63a646e26c9bb07fba27c82
SHA512

13c09e4b4c52b94c5800e4f4bbfd27b08ac593a13498f155a154597155fc26ee666356583de56f39ab018f145867ec5884504cbaca1f182839aed5be1f5ac7c1
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZR:0UzeyQMS4DqodCnoe+iitjWwwt

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
5040	explorer.exe
2000	explorer.exe
1620	spoolsv.exe
1704	spoolsv.exe
4916	spoolsv.exe
3492	spoolsv.exe
2880	spoolsv.exe
4120	spoolsv.exe
2976	spoolsv.exe
4536	spoolsv.exe
1128	spoolsv.exe
3424	spoolsv.exe
3024	spoolsv.exe
4376	spoolsv.exe
1000	spoolsv.exe
4860	spoolsv.exe
3656	spoolsv.exe
1164	spoolsv.exe
1100	spoolsv.exe
4628	spoolsv.exe
1284	spoolsv.exe
868	spoolsv.exe
2856	spoolsv.exe
5012	spoolsv.exe
2296	spoolsv.exe
3040	spoolsv.exe
5080	spoolsv.exe
3552	spoolsv.exe
3076	spoolsv.exe
4136	spoolsv.exe
1784	spoolsv.exe
4984	spoolsv.exe
1584	spoolsv.exe
2980	explorer.exe
2308	spoolsv.exe
1676	spoolsv.exe
220	spoolsv.exe
1800	spoolsv.exe
2504	spoolsv.exe
4804	spoolsv.exe
2684	explorer.exe
3000	spoolsv.exe
540	spoolsv.exe
1212	spoolsv.exe
3628	spoolsv.exe
4836	spoolsv.exe
2868	explorer.exe
2492	spoolsv.exe
3608	spoolsv.exe
4560	spoolsv.exe
1848	spoolsv.exe
4780	spoolsv.exe
4016	spoolsv.exe
3912	explorer.exe
4712	spoolsv.exe
1008	spoolsv.exe
3568	spoolsv.exe
3508	spoolsv.exe
4044	spoolsv.exe
8	spoolsv.exe
1892	explorer.exe
212	spoolsv.exe
4820	spoolsv.exe
4728	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 54 IoCs

Processes:

05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 4404 set thread context of 4480	4404	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
PID 5040 set thread context of 2000	5040	explorer.exe	explorer.exe
PID 1620 set thread context of 1584	1620	spoolsv.exe	spoolsv.exe
PID 1704 set thread context of 2308	1704	spoolsv.exe	spoolsv.exe
PID 4916 set thread context of 1676	4916	spoolsv.exe	spoolsv.exe
PID 3492 set thread context of 220	3492	spoolsv.exe	spoolsv.exe
PID 2880 set thread context of 1800	2880	spoolsv.exe	spoolsv.exe
PID 4120 set thread context of 4804	4120	spoolsv.exe	spoolsv.exe
PID 2976 set thread context of 3000	2976	spoolsv.exe	spoolsv.exe
PID 1128 set thread context of 1212	1128	spoolsv.exe	spoolsv.exe
PID 3424 set thread context of 4836	3424	spoolsv.exe	spoolsv.exe
PID 3024 set thread context of 2492	3024	spoolsv.exe	spoolsv.exe
PID 4376 set thread context of 3608	4376	spoolsv.exe	spoolsv.exe
PID 1000 set thread context of 4560	1000	spoolsv.exe	spoolsv.exe
PID 4860 set thread context of 4780	4860	spoolsv.exe	spoolsv.exe
PID 3656 set thread context of 4016	3656	spoolsv.exe	spoolsv.exe
PID 1164 set thread context of 4712	1164	spoolsv.exe	spoolsv.exe
PID 1100 set thread context of 1008	1100	spoolsv.exe	spoolsv.exe
PID 4628 set thread context of 3508	4628	spoolsv.exe	spoolsv.exe
PID 1284 set thread context of 4044	1284	spoolsv.exe	spoolsv.exe
PID 868 set thread context of 8	868	spoolsv.exe	spoolsv.exe
PID 2856 set thread context of 212	2856	spoolsv.exe	spoolsv.exe
PID 5012 set thread context of 4820	5012	spoolsv.exe	spoolsv.exe
PID 2296 set thread context of 5040	2296	spoolsv.exe	spoolsv.exe
PID 3040 set thread context of 3840	3040	spoolsv.exe	spoolsv.exe
PID 5080 set thread context of 1708	5080	spoolsv.exe	spoolsv.exe
PID 3552 set thread context of 5108	3552	spoolsv.exe	spoolsv.exe
PID 3076 set thread context of 2476	3076	spoolsv.exe	spoolsv.exe
PID 4136 set thread context of 4968	4136	spoolsv.exe	spoolsv.exe
PID 1784 set thread context of 3140	1784	spoolsv.exe	spoolsv.exe
PID 2980 set thread context of 4104	2980	explorer.exe	explorer.exe
PID 4984 set thread context of 1404	4984	spoolsv.exe	spoolsv.exe
PID 2504 set thread context of 1648	2504	spoolsv.exe	spoolsv.exe
PID 2684 set thread context of 4392	2684	explorer.exe	explorer.exe
PID 3628 set thread context of 2068	3628	spoolsv.exe	spoolsv.exe
PID 2868 set thread context of 2732	2868	explorer.exe	explorer.exe
PID 1848 set thread context of 2824	1848	spoolsv.exe	spoolsv.exe
PID 3912 set thread context of 4912	3912	explorer.exe	explorer.exe
PID 3568 set thread context of 2528	3568	spoolsv.exe	spoolsv.exe
PID 1892 set thread context of 884	1892	explorer.exe	explorer.exe
PID 4728 set thread context of 2488	4728	spoolsv.exe	spoolsv.exe
PID 1628 set thread context of 3748	1628	explorer.exe	explorer.exe
PID 3404 set thread context of 716	3404	spoolsv.exe	spoolsv.exe
PID 4972 set thread context of 3616	4972	explorer.exe	explorer.exe
PID 1928 set thread context of 4632	1928	spoolsv.exe	spoolsv.exe
PID 4572 set thread context of 2816	4572	spoolsv.exe	spoolsv.exe
PID 4756 set thread context of 2508	4756	spoolsv.exe	spoolsv.exe
PID 1248 set thread context of 4152	1248	explorer.exe	explorer.exe
PID 1564 set thread context of 2736	1564	spoolsv.exe	spoolsv.exe
PID 4856 set thread context of 1156	4856	spoolsv.exe	spoolsv.exe
PID 2100 set thread context of 2692	2100	spoolsv.exe	spoolsv.exe
PID 1696 set thread context of 3640	1696	explorer.exe	explorer.exe
PID 232 set thread context of 4036	232	spoolsv.exe	spoolsv.exe
PID 3968 set thread context of 3752	3968	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exe05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exeexplorer.exe

pid	process
4480	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
4480	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2000 explorer.exe

pid	process
2000	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4480	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
4480	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
2000	explorer.exe
1584	spoolsv.exe
1584	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe
1676	spoolsv.exe
1676	spoolsv.exe
220	spoolsv.exe
220	spoolsv.exe
1800	spoolsv.exe
1800	spoolsv.exe
4804	spoolsv.exe
4804	spoolsv.exe
3000	spoolsv.exe
3000	spoolsv.exe
540	spoolsv.exe
540	spoolsv.exe
1212	spoolsv.exe
1212	spoolsv.exe
4836	spoolsv.exe
4836	spoolsv.exe
2492	spoolsv.exe
2492	spoolsv.exe
3608	spoolsv.exe
3608	spoolsv.exe
4560	spoolsv.exe
4560	spoolsv.exe
4780	spoolsv.exe
4780	spoolsv.exe
4016	spoolsv.exe
4016	spoolsv.exe
4712	spoolsv.exe
4712	spoolsv.exe
1008	spoolsv.exe
1008	spoolsv.exe
3508	spoolsv.exe
3508	spoolsv.exe
4044	spoolsv.exe
4044	spoolsv.exe
8	spoolsv.exe
8	spoolsv.exe
212	spoolsv.exe
212	spoolsv.exe
4820	spoolsv.exe
4820	spoolsv.exe
5040	spoolsv.exe
5040	spoolsv.exe
3840	spoolsv.exe
3840	spoolsv.exe
1708	spoolsv.exe
1708	spoolsv.exe
5108	spoolsv.exe
5108	spoolsv.exe
2476	spoolsv.exe
2476	spoolsv.exe
4968	spoolsv.exe
4968	spoolsv.exe
3140	spoolsv.exe
3140	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 4404 wrote to memory of 1020	4404	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	splwow64.exe
PID 4404 wrote to memory of 1020	4404	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	splwow64.exe
PID 4404 wrote to memory of 4480	4404	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
PID 4404 wrote to memory of 4480	4404	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
PID 4404 wrote to memory of 4480	4404	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
PID 4404 wrote to memory of 4480	4404	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
PID 4404 wrote to memory of 4480	4404	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
PID 4480 wrote to memory of 5040	4480	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	explorer.exe
PID 4480 wrote to memory of 5040	4480	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	explorer.exe
PID 4480 wrote to memory of 5040	4480	05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe	explorer.exe
PID 5040 wrote to memory of 2000	5040	explorer.exe	explorer.exe
PID 5040 wrote to memory of 2000	5040	explorer.exe	explorer.exe
PID 5040 wrote to memory of 2000	5040	explorer.exe	explorer.exe
PID 5040 wrote to memory of 2000	5040	explorer.exe	explorer.exe
PID 5040 wrote to memory of 2000	5040	explorer.exe	explorer.exe
PID 2000 wrote to memory of 1620	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1620	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1620	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1704	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1704	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1704	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4916	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4916	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4916	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3492	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3492	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3492	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 2880	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 2880	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 2880	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4120	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4120	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4120	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 2976	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 2976	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 2976	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4536	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4536	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4536	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1128	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1128	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1128	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3424	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3424	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3424	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3024	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3024	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3024	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4376	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4376	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4376	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1000	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1000	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1000	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4860	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4860	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 4860	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3656	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3656	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 3656	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1164	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1164	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1164	2000	explorer.exe	spoolsv.exe
PID 2000 wrote to memory of 1100	2000	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05a74c986cdd416ea1cd8e99aa756c73_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5040

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1620

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1584

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2980

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1704

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4916

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3492

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2880

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4120

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4804

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2684

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2976

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4536

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1128

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3424

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4836

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2868

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3024

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4376

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1000

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4860

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3656

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3912

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1164

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1100

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4628

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1284

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:868

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:8

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1892

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2856

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5012

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2296

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3040

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3840

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
PID:1628

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5080

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3552

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3076

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4136

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4968

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4972

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1784

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4984

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1404

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
PID:1248

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2504

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1648

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1696

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3628

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2068

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1848

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2824

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3568

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2528

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4728

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2488

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:3404

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:716

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1928

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4572

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4756

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2508

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1564

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:4856

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2100

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2692

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:232

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3968

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
8224caff2fa5edd325a34485e7968c21

SHA1
e3bee74d9fe66b366dc15c516512a5cdaf40fe70

SHA256
db66e224e8650604b8162b60d652bb610f15731c107efc02a46d5ff51d61d082

SHA512
a5c8dcc87f690ae3c25ae64d67db5f1b6e2bf59c7536ba643218ee2490167c4e1439e5afcad9b440b246fa1db2432d01cd834fce07c9e75b799a8eb44ca9fb36

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
b6a4d446c895a23efd5134c9ef01aa6f

SHA1
63566d57c495380b5a28f83b28315f52b51068e6

SHA256
ee8018337a64a45255c66fb4a7859f60aaefdd9ef28ff4bdcb1f6bf8a89e58ee

SHA512
1a35df4785b37e526dade414b7efd0233f6d5120d9839c1baff284b0d0a2ae7ca1aacc8241fe9b86b23699d62d30f2c7bbb82328972bfeeccdef29b804a55e20

Download Submit
memory/8-2744-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/8-2583-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/212-2592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-1911-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-2059-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/716-4714-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-1887-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/884-4362-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1000-1613-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1008-2445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1100-1755-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1128-1289-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1156-4910-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1164-1754-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1212-2074-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1212-2077-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1284-1879-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1404-3378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-1880-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-1965-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-1872-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1620-757-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1648-3527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-3643-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-1899-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1704-935-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1704-1890-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1708-2769-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1800-1974-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-78-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-756-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2068-3775-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2068-3903-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2296-1910-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2308-1888-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2488-4556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2488-4682-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-2241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-5027-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-4880-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-4405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-4339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-5197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-5048-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-3786-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-3783-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2736-4897-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-4100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-4001-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2856-1898-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2880-1133-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2976-1135-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3000-2052-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-1443-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3140-2959-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3424-1442-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3492-1907-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3492-937-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3508-2521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-4723-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-5059-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3656-1615-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3748-4569-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3752-5138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-2761-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-2932-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-2426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-2565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-5070-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-5066-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-3247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-1134-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4152-4891-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-1444-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4392-3536-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4404-0-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4404-23-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4404-27-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4480-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-1284-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4560-2262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4628-1756-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4632-4732-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-2433-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-2435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-2364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-2372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4804-2042-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4804-2205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-2602-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-2233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-1614-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4912-4109-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4916-936-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4916-1900-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4968-3098-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-2951-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-1909-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5040-74-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5040-79-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5040-2668-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-2778-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download