pony | 04fc5595caab211a75842fdc72527cd755491ddeb1f86294970260bd65697777

Analysis

max time kernel
122s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
Size

2.2MB
MD5

683cc9d33359e0ad9ce35333f03f548b
SHA1

d30ddeaa13a078fb8f80325775d6c025f2393bd3
SHA256

04fc5595caab211a75842fdc72527cd755491ddeb1f86294970260bd65697777
SHA512

62c5e906c7abd7db8982198ee45cbc8425a8f13dfbe65534c38a8f683c945a19dbf12db4a8b1f0088bd0830adc29ef46b112e21a17a315c3f2eb69ba6cff041d
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZe:0UzeyQMS4DqodCnoe+iitjWwwC

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2008	explorer.exe
2012	explorer.exe
1180	spoolsv.exe
3228	spoolsv.exe
5060	spoolsv.exe
2984	spoolsv.exe
2732	spoolsv.exe
3632	spoolsv.exe
2480	spoolsv.exe
1856	spoolsv.exe
2556	spoolsv.exe
1988	spoolsv.exe
2920	spoolsv.exe
968	spoolsv.exe
4532	spoolsv.exe
4480	spoolsv.exe
4440	spoolsv.exe
2032	spoolsv.exe
4772	spoolsv.exe
3912	spoolsv.exe
4728	spoolsv.exe
548	spoolsv.exe
4348	spoolsv.exe
3952	spoolsv.exe
3692	spoolsv.exe
2948	spoolsv.exe
4316	spoolsv.exe
4416	spoolsv.exe
3800	spoolsv.exe
4564	spoolsv.exe
1496	spoolsv.exe
408	spoolsv.exe
5172	spoolsv.exe
5452	spoolsv.exe
5776	spoolsv.exe
5128	spoolsv.exe
5240	spoolsv.exe
5344	spoolsv.exe
5384	explorer.exe
5440	spoolsv.exe
5544	spoolsv.exe
5612	spoolsv.exe
5684	spoolsv.exe
6032	spoolsv.exe
6016	spoolsv.exe
6128	spoolsv.exe
3236	spoolsv.exe
5012	explorer.exe
3300	spoolsv.exe
2512	spoolsv.exe
5700	spoolsv.exe
3068	spoolsv.exe
5984	spoolsv.exe
6092	spoolsv.exe
2252	spoolsv.exe
5300	spoolsv.exe
1592	explorer.exe
5468	spoolsv.exe
2748	spoolsv.exe
5524	spoolsv.exe
5724	spoolsv.exe
5800	spoolsv.exe
3324	spoolsv.exe
6056	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 40 IoCs

Processes:

683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exe

description	pid	process	target process
PID 3008 set thread context of 440	3008	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
PID 2008 set thread context of 2012	2008	explorer.exe	explorer.exe
PID 1180 set thread context of 5344	1180	spoolsv.exe	spoolsv.exe
PID 3228 set thread context of 5440	3228	spoolsv.exe	spoolsv.exe
PID 5060 set thread context of 5544	5060	spoolsv.exe	spoolsv.exe
PID 2984 set thread context of 5612	2984	spoolsv.exe	spoolsv.exe
PID 2732 set thread context of 5684	2732	spoolsv.exe	spoolsv.exe
PID 3632 set thread context of 6016	3632	spoolsv.exe	spoolsv.exe
PID 2480 set thread context of 6128	2480	spoolsv.exe	spoolsv.exe
PID 1856 set thread context of 3236	1856	spoolsv.exe	spoolsv.exe
PID 2556 set thread context of 3300	2556	spoolsv.exe	spoolsv.exe
PID 1988 set thread context of 2512	1988	spoolsv.exe	spoolsv.exe
PID 2920 set thread context of 5700	2920	spoolsv.exe	spoolsv.exe
PID 968 set thread context of 5984	968	spoolsv.exe	spoolsv.exe
PID 4532 set thread context of 6092	4532	spoolsv.exe	spoolsv.exe
PID 4480 set thread context of 2252	4480	spoolsv.exe	spoolsv.exe
PID 4440 set thread context of 5300	4440	spoolsv.exe	spoolsv.exe
PID 2032 set thread context of 5468	2032	spoolsv.exe	spoolsv.exe
PID 4772 set thread context of 2748	4772	spoolsv.exe	spoolsv.exe
PID 3912 set thread context of 5524	3912	spoolsv.exe	spoolsv.exe
PID 4728 set thread context of 5800	4728	spoolsv.exe	spoolsv.exe
PID 548 set thread context of 3324	548	spoolsv.exe	spoolsv.exe
PID 4348 set thread context of 6056	4348	spoolsv.exe	spoolsv.exe
PID 3952 set thread context of 3636	3952	spoolsv.exe	spoolsv.exe
PID 3692 set thread context of 6100	3692	spoolsv.exe	spoolsv.exe
PID 2948 set thread context of 4344	2948	spoolsv.exe	spoolsv.exe
PID 4316 set thread context of 4936	4316	spoolsv.exe	spoolsv.exe
PID 4416 set thread context of 5556	4416	spoolsv.exe	spoolsv.exe
PID 3800 set thread context of 4980	3800	spoolsv.exe	spoolsv.exe
PID 4564 set thread context of 5668	4564	spoolsv.exe	spoolsv.exe
PID 1496 set thread context of 2312	1496	spoolsv.exe	spoolsv.exe
PID 408 set thread context of 384	408	spoolsv.exe	spoolsv.exe
PID 5172 set thread context of 2776	5172	spoolsv.exe	spoolsv.exe
PID 5452 set thread context of 1372	5452	spoolsv.exe	spoolsv.exe
PID 5776 set thread context of 5152	5776	spoolsv.exe	spoolsv.exe
PID 5128 set thread context of 5712	5128	spoolsv.exe	spoolsv.exe
PID 5240 set thread context of 1400	5240	spoolsv.exe	spoolsv.exe
PID 5384 set thread context of 5708	5384	explorer.exe	explorer.exe
PID 6032 set thread context of 6096	6032	spoolsv.exe	spoolsv.exe
PID 5012 set thread context of 5280	5012	explorer.exe	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exeexplorer.exe

pid	process
440	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
440	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2012 explorer.exe

pid	process
2012	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
440	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
440	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
5344	spoolsv.exe
5344	spoolsv.exe
5440	spoolsv.exe
5440	spoolsv.exe
5544	spoolsv.exe
5544	spoolsv.exe
5612	spoolsv.exe
5612	spoolsv.exe
5684	spoolsv.exe
5684	spoolsv.exe
6016	spoolsv.exe
6016	spoolsv.exe
6128	spoolsv.exe
6128	spoolsv.exe
3236	spoolsv.exe
3236	spoolsv.exe
3300	spoolsv.exe
3300	spoolsv.exe
2512	spoolsv.exe
2512	spoolsv.exe
5700	spoolsv.exe
5700	spoolsv.exe
5984	spoolsv.exe
5984	spoolsv.exe
6092	spoolsv.exe
6092	spoolsv.exe
2252	spoolsv.exe
2252	spoolsv.exe
5300	spoolsv.exe
5300	spoolsv.exe
5468	spoolsv.exe
5468	spoolsv.exe
2748	spoolsv.exe
2748	spoolsv.exe
5524	spoolsv.exe
5524	spoolsv.exe
5800	spoolsv.exe
5800	spoolsv.exe
3324	spoolsv.exe
3324	spoolsv.exe
6056	spoolsv.exe
6056	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe
6100	spoolsv.exe
6100	spoolsv.exe
4344	spoolsv.exe
4344	spoolsv.exe
4936	spoolsv.exe
4936	spoolsv.exe
5556	spoolsv.exe
5556	spoolsv.exe
4980	spoolsv.exe
4980	spoolsv.exe
5668	spoolsv.exe
5668	spoolsv.exe
2312	spoolsv.exe
2312	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3008 wrote to memory of 4792	3008	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	splwow64.exe
PID 3008 wrote to memory of 4792	3008	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	splwow64.exe
PID 3008 wrote to memory of 440	3008	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
PID 3008 wrote to memory of 440	3008	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
PID 3008 wrote to memory of 440	3008	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
PID 3008 wrote to memory of 440	3008	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
PID 3008 wrote to memory of 440	3008	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
PID 440 wrote to memory of 2008	440	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	explorer.exe
PID 440 wrote to memory of 2008	440	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	explorer.exe
PID 440 wrote to memory of 2008	440	683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe	explorer.exe
PID 2008 wrote to memory of 2012	2008	explorer.exe	explorer.exe
PID 2008 wrote to memory of 2012	2008	explorer.exe	explorer.exe
PID 2008 wrote to memory of 2012	2008	explorer.exe	explorer.exe
PID 2008 wrote to memory of 2012	2008	explorer.exe	explorer.exe
PID 2008 wrote to memory of 2012	2008	explorer.exe	explorer.exe
PID 2012 wrote to memory of 1180	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 1180	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 1180	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 3228	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 3228	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 3228	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 5060	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 5060	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 5060	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2984	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2984	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2984	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2732	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2732	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2732	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 3632	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 3632	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 3632	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2480	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2480	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2480	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 1856	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 1856	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 1856	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2556	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2556	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2556	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 1988	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 1988	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 1988	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2920	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2920	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2920	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 968	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 968	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 968	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 4532	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 4532	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 4532	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 4480	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 4480	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 4480	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 4440	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 4440	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 4440	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2032	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2032	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 2032	2012	explorer.exe	spoolsv.exe
PID 2012 wrote to memory of 4772	2012	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\683cc9d33359e0ad9ce35333f03f548b_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:440

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1180

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5344

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5384

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3228

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5060

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2984

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2732

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3632

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2480

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1856

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3236

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5012

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2556

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1988

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2920

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:968

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4532

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4480

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4440

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5300

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1592

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2032

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4772

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3912

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4728

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:548

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4348

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3952

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3692

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:6100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2948

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4316

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4936

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4240

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:6008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4416

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3800

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4564

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1496

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:408

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:384

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:5948

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5172

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5452

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5776

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5128

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5712

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:5884

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5240

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1400

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4072

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:6032

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6096

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3244

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3068

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6004

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5724

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3232

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2472

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2124

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1732

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4988

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4952

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5968

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5296

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:784

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3064

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5972

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5828

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2696

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5376

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5444

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5124

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2100

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5248

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4044

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:512

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3704

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
5dd51a7b24433938271e047935ff5c86

SHA1
4924ba7034e104353d7f31b4f1f9d05028a7e661

SHA256
0ba69c9e422749140e2506b7a3f9e0c0e0b00c147e9906fd953bf754073bca06

SHA512
e31ad2d7fb28de935a843ab05858b3c98430b2d4f71d176209293263c8ebb1ee2db6454da6dfd9e8ef9b4a386b66d9c38b76439577a4ef1e9ef3a58095594a99

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
b8aaed00cd269335ec3fcb5396fd5864

SHA1
98ddec27ed80857f480682276cb11ffc59ac17e9

SHA256
59ec66f49e4439eb7e5b66674e401228394cf2f4e03bbc7189389004c373f202

SHA512
d5263df1ecf493e94feba4445645e1b8c4295b12e468694e69457d1f5586dad7fadcefe5db2f3048caa91005d15703e2e9834b50579917e4fd51087043dd53d5

Download Submit
memory/384-3385-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/384-3571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-2292-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/728-6731-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-1843-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1180-2415-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1180-1065-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1372-3403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1400-4138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1796-5816-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1796-5808-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-1467-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1988-1674-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2008-79-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2008-85-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2012-1064-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-84-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-2060-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2088-6530-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-6279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-6400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2252-2772-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-3293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2480-1466-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2512-2661-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-1673-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2732-1464-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2748-2870-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-3394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-1675-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2948-2425-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2984-1258-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3008-36-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3008-42-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3008-0-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3008-38-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3228-2426-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3228-1256-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3232-5858-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3232-5741-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-2831-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-2639-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3300-2649-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-2974-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3632-1465-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3636-2995-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-2413-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3912-2290-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3952-2412-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4032-6607-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4044-6746-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4128-6625-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-2433-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4344-3039-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-2293-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4440-1846-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4480-1845-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4532-1844-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4728-2291-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4772-2061-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4780-6509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4936-3179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4936-3339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4960-6638-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-3202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4988-6496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-6573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-1257-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5060-2436-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5152-3412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5280-4708-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5300-2850-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5344-2621-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5344-2414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5408-6518-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5440-2421-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/5440-2423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5464-6756-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5468-2859-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5524-2879-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5544-2434-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5556-3190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5612-2446-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5668-3210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5684-2457-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5696-6556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5700-2670-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5708-4304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5712-3707-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5712-3578-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6004-5130-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6008-6343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6016-2521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6056-2982-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6056-2987-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6092-2762-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6092-2759-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6096-4577-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6100-3005-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6108-6844-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6108-6847-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6128-2547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download