pony | 9fbb0b0fc9fa43defb985665b4cde0b93f327a45e316d21385645360965f921f

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
Size

2.2MB
MD5

63e4623a155c81cd49f0b25ae029bee9
SHA1

710e03ae368be2c47bca3f52b5c7aa6e71a9c9c2
SHA256

9fbb0b0fc9fa43defb985665b4cde0b93f327a45e316d21385645360965f921f
SHA512

9a1efc5ac811768a78349379e0919d4a1538ad581223b4f93d257194e3eeaafab77fc34665d412c1510e4c97d9d686ffee9952d42dca3b3d57e90920b19e1f81
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZF:0UzeyQMS4DqodCnoe+iitjWwwB

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2036	explorer.exe
4480	explorer.exe
1128	spoolsv.exe
4264	spoolsv.exe
1388	spoolsv.exe
4084	spoolsv.exe
3704	spoolsv.exe
4756	spoolsv.exe
1776	spoolsv.exe
2112	spoolsv.exe
716	spoolsv.exe
4244	spoolsv.exe
3132	spoolsv.exe
4792	spoolsv.exe
4392	spoolsv.exe
4596	spoolsv.exe
2372	spoolsv.exe
2684	spoolsv.exe
348	spoolsv.exe
3864	spoolsv.exe
3672	spoolsv.exe
1016	spoolsv.exe
4600	spoolsv.exe
1752	spoolsv.exe
3584	spoolsv.exe
2884	spoolsv.exe
3076	spoolsv.exe
4516	spoolsv.exe
1348	spoolsv.exe
4972	spoolsv.exe
3140	spoolsv.exe
1548	spoolsv.exe
2116	explorer.exe
2256	spoolsv.exe
452	spoolsv.exe
3608	spoolsv.exe
888	spoolsv.exe
4572	explorer.exe
4636	spoolsv.exe
4816	spoolsv.exe
3544	spoolsv.exe
4856	spoolsv.exe
4460	spoolsv.exe
3164	spoolsv.exe
2224	spoolsv.exe
2204	spoolsv.exe
4940	explorer.exe
1136	spoolsv.exe
4068	spoolsv.exe
1040	spoolsv.exe
2840	spoolsv.exe
4044	explorer.exe
4928	spoolsv.exe
3716	spoolsv.exe
2948	spoolsv.exe
4428	spoolsv.exe
4968	spoolsv.exe
4336	explorer.exe
2212	spoolsv.exe
2232	spoolsv.exe
1172	spoolsv.exe
4956	spoolsv.exe
5080	spoolsv.exe
4872	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 41 IoCs

Processes:

63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exe

description	pid	process	target process
PID 3420 set thread context of 4556	3420	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
PID 2036 set thread context of 4480	2036	explorer.exe	explorer.exe
PID 1128 set thread context of 1548	1128	spoolsv.exe	spoolsv.exe
PID 4264 set thread context of 452	4264	spoolsv.exe	spoolsv.exe
PID 1388 set thread context of 3608	1388	spoolsv.exe	spoolsv.exe
PID 4084 set thread context of 888	4084	spoolsv.exe	spoolsv.exe
PID 3704 set thread context of 4636	3704	spoolsv.exe	spoolsv.exe
PID 4756 set thread context of 3544	4756	spoolsv.exe	spoolsv.exe
PID 1776 set thread context of 4856	1776	spoolsv.exe	spoolsv.exe
PID 2112 set thread context of 4460	2112	spoolsv.exe	spoolsv.exe
PID 716 set thread context of 3164	716	spoolsv.exe	spoolsv.exe
PID 4244 set thread context of 2204	4244	spoolsv.exe	spoolsv.exe
PID 3132 set thread context of 1136	3132	spoolsv.exe	spoolsv.exe
PID 4792 set thread context of 4068	4792	spoolsv.exe	spoolsv.exe
PID 4392 set thread context of 2840	4392	spoolsv.exe	spoolsv.exe
PID 4596 set thread context of 4928	4596	spoolsv.exe	spoolsv.exe
PID 2372 set thread context of 3716	2372	spoolsv.exe	spoolsv.exe
PID 2684 set thread context of 2948	2684	spoolsv.exe	spoolsv.exe
PID 348 set thread context of 4968	348	spoolsv.exe	spoolsv.exe
PID 3864 set thread context of 2212	3864	spoolsv.exe	spoolsv.exe
PID 3672 set thread context of 2232	3672	spoolsv.exe	spoolsv.exe
PID 1016 set thread context of 1172	1016	spoolsv.exe	spoolsv.exe
PID 4600 set thread context of 4956	4600	spoolsv.exe	spoolsv.exe
PID 1752 set thread context of 4872	1752	spoolsv.exe	spoolsv.exe
PID 3584 set thread context of 856	3584	spoolsv.exe	spoolsv.exe
PID 2884 set thread context of 4796	2884	spoolsv.exe	spoolsv.exe
PID 3076 set thread context of 3652	3076	spoolsv.exe	spoolsv.exe
PID 4516 set thread context of 4736	4516	spoolsv.exe	spoolsv.exe
PID 1348 set thread context of 3640	1348	spoolsv.exe	spoolsv.exe
PID 4972 set thread context of 912	4972	spoolsv.exe	spoolsv.exe
PID 3140 set thread context of 968	3140	spoolsv.exe	spoolsv.exe
PID 2116 set thread context of 1404	2116	explorer.exe	explorer.exe
PID 2256 set thread context of 640	2256	spoolsv.exe	spoolsv.exe
PID 4572 set thread context of 1456	4572	explorer.exe	explorer.exe
PID 4816 set thread context of 3448	4816	spoolsv.exe	spoolsv.exe
PID 2224 set thread context of 5816	2224	spoolsv.exe	spoolsv.exe
PID 4940 set thread context of 5900	4940	explorer.exe	explorer.exe
PID 4044 set thread context of 5324	4044	explorer.exe	explorer.exe
PID 1040 set thread context of 5432	1040	spoolsv.exe	spoolsv.exe
PID 4428 set thread context of 1900	4428	spoolsv.exe	spoolsv.exe
PID 4336 set thread context of 2996	4336	explorer.exe	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exeexplorer.exe

pid	process
4556	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
4556	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

4480 explorer.exe

pid	process
4480	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4556	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
4556	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
4480	explorer.exe
1548	spoolsv.exe
1548	spoolsv.exe
452	spoolsv.exe
452	spoolsv.exe
3608	spoolsv.exe
3608	spoolsv.exe
888	spoolsv.exe
888	spoolsv.exe
4636	spoolsv.exe
4636	spoolsv.exe
3544	spoolsv.exe
3544	spoolsv.exe
4856	spoolsv.exe
4856	spoolsv.exe
4460	spoolsv.exe
4460	spoolsv.exe
3164	spoolsv.exe
3164	spoolsv.exe
2204	spoolsv.exe
2204	spoolsv.exe
1136	spoolsv.exe
1136	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
2840	spoolsv.exe
2840	spoolsv.exe
4928	spoolsv.exe
4928	spoolsv.exe
3716	spoolsv.exe
3716	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
4968	spoolsv.exe
4968	spoolsv.exe
2212	spoolsv.exe
2212	spoolsv.exe
2232	spoolsv.exe
2232	spoolsv.exe
1172	spoolsv.exe
1172	spoolsv.exe
4956	spoolsv.exe
4956	spoolsv.exe
4872	spoolsv.exe
4872	spoolsv.exe
856	spoolsv.exe
856	spoolsv.exe
4796	spoolsv.exe
4796	spoolsv.exe
3652	spoolsv.exe
3652	spoolsv.exe
4736	spoolsv.exe
4736	spoolsv.exe
3640	spoolsv.exe
3640	spoolsv.exe
912	spoolsv.exe
912	spoolsv.exe
968	spoolsv.exe
968	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3420 wrote to memory of 3604	3420	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	splwow64.exe
PID 3420 wrote to memory of 3604	3420	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	splwow64.exe
PID 3420 wrote to memory of 4556	3420	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
PID 3420 wrote to memory of 4556	3420	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
PID 3420 wrote to memory of 4556	3420	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
PID 3420 wrote to memory of 4556	3420	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
PID 3420 wrote to memory of 4556	3420	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
PID 4556 wrote to memory of 2036	4556	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	explorer.exe
PID 4556 wrote to memory of 2036	4556	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	explorer.exe
PID 4556 wrote to memory of 2036	4556	63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe	explorer.exe
PID 2036 wrote to memory of 4480	2036	explorer.exe	explorer.exe
PID 2036 wrote to memory of 4480	2036	explorer.exe	explorer.exe
PID 2036 wrote to memory of 4480	2036	explorer.exe	explorer.exe
PID 2036 wrote to memory of 4480	2036	explorer.exe	explorer.exe
PID 2036 wrote to memory of 4480	2036	explorer.exe	explorer.exe
PID 4480 wrote to memory of 1128	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 1128	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 1128	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4264	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4264	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4264	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 1388	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 1388	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 1388	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4084	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4084	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4084	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 3704	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 3704	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 3704	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4756	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4756	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4756	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 1776	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 1776	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 1776	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 2112	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 2112	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 2112	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 716	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 716	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 716	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4244	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4244	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4244	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 3132	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 3132	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 3132	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4792	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4792	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4792	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4392	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4392	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4392	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4596	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4596	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 4596	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 2372	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 2372	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 2372	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 2684	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 2684	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 2684	4480	explorer.exe	spoolsv.exe
PID 4480 wrote to memory of 348	4480	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63e4623a155c81cd49f0b25ae029bee9_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4556

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2036

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1128

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1548

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2116

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4264

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1388

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4084

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:888

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4572

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3704

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4756

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1776

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2112

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:716

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4244

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2204

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4940

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3132

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4792

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4392

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2840

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4044

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4596

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2372

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2684

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:348

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4968

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4336

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3864

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3672

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1016

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4600

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1752

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3584

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:856

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4448

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2884

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3076

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4516

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1348

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4972

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:912

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:2332

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3140

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2256

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:640

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:696

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4816

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3448

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4520

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2224

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5816

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1040

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5432

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4428

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1900

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5080

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5592

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4116

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5356

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4300

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1704

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1932

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:916

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4416

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2364

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1984

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1000

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2976

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5216

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:6076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
7696594ec87bf910f50a1f7e9d492564

SHA1
20b54e27ddf2ff68432655d4d3ca9a789248fce3

SHA256
c574a8b53fa0c775f53208d9f414ee2c9afc9816bb81c592968f869c4d064a1a

SHA512
af446c3b7819953d6a2becc9694c4b830dd88104ec815c3a128f0c5437247dfa18276a83cdc191bab7cf12ae16d325b1660d577c3f9704d51eff716c7989b314

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
9fa1bfcff5b137a7f8c97d04735e9d1b

SHA1
b5aec69404ce0383b969a836962a83c27d5c98a5

SHA256
c098e0486b31b916c804767f4a1f3aa2b7a9f57a1db9cdc8c6801def73d829e2

SHA512
b9bba5f299e2e92951043a31fe6e6a0b5494b265cda5833e15518b9084d219a30899f865d1a3666437ee1bacd4aaa9bdcd523c2e04b2927f9cb434b4b38f6ed5

Download Submit
memory/348-1870-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/452-1968-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-5035-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-3372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/716-1252-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/856-2808-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-2230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-2037-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-2973-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-3087-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-2981-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-2984-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-1967-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1028-4800-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1128-808-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1128-1874-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1136-2337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1172-2649-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1388-952-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1388-1977-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1404-3241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1456-3571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-1873-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-2029-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1752-2036-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1776-1250-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1900-4569-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1900-4474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-85-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2036-90-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2112-1251-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2204-2328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2232-2641-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-1785-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2684-1786-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2840-2498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-5230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-4482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-4486-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-1441-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3164-2194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3420-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3420-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3420-47-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3420-43-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3420-4920-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-3709-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3544-2164-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3608-1979-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-2841-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3652-2824-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-1872-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3704-1119-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3716-2517-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3864-1871-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4068-2350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-953-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4244-1440-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4264-951-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4264-1970-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4392-1611-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4400-4643-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-4641-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-5207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-5017-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-2184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-807-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-77-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4556-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4596-1612-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4600-1978-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4636-2056-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4736-2834-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4756-1120-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4792-1610-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4796-2817-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-2176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-2740-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-2507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-2660-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-2774-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-2623-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5324-4158-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5356-4918-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5356-4790-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5432-4276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5440-5043-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5440-5045-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5592-4629-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5688-5239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5816-3801-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5816-3918-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5892-5248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5900-3810-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download