pony | 3b0ad234107d87df6f4e277ef5f0ef9691e2d7344017823e1da9afd30b77c23c

General

Target

69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
Size

2.2MB
MD5

69bd9e7bb6dac3f1b71f49f8c525d5a3
SHA1

a8c7d320fd3cbea9c49042768e39760f8aa04b20
SHA256

3b0ad234107d87df6f4e277ef5f0ef9691e2d7344017823e1da9afd30b77c23c
SHA512

662da8efcc3c6aca087793b5e2a874914255b046ffef4eedac9ce820c3f6d2722fcdd65ab92bb2b2e1e0bb8a4baaf8c30038bea035afc0f582b97e9c7f3f1d67
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZd:0UzeyQMS4DqodCnoe+iitjWwwh

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2436	explorer.exe
2100	explorer.exe
2360	spoolsv.exe
1460	spoolsv.exe
2716	spoolsv.exe
656	spoolsv.exe
1580	spoolsv.exe
1444	spoolsv.exe
2504	spoolsv.exe
2492	spoolsv.exe
2764	spoolsv.exe
2152	spoolsv.exe
1372	spoolsv.exe
2228	spoolsv.exe
1120	spoolsv.exe
1952	spoolsv.exe
1660	spoolsv.exe
2412	spoolsv.exe
2684	spoolsv.exe
2436	spoolsv.exe
2236	spoolsv.exe
2752	spoolsv.exe
968	spoolsv.exe
1976	spoolsv.exe
2644	spoolsv.exe
2536	spoolsv.exe
2552	spoolsv.exe
1456	spoolsv.exe
1416	spoolsv.exe
2960	spoolsv.exe
2004	spoolsv.exe
2300	spoolsv.exe
1204	spoolsv.exe
1364	spoolsv.exe
324	spoolsv.exe
1632	spoolsv.exe
3064	spoolsv.exe
2676	spoolsv.exe
1020	spoolsv.exe
2032	spoolsv.exe
2072	spoolsv.exe
684	spoolsv.exe
2808	spoolsv.exe
2724	spoolsv.exe
2884	spoolsv.exe
1304	spoolsv.exe
1508	spoolsv.exe
1876	spoolsv.exe
1556	spoolsv.exe
888	spoolsv.exe
2580	spoolsv.exe
2632	spoolsv.exe
1076	spoolsv.exe
1736	spoolsv.exe
2428	spoolsv.exe
1560	spoolsv.exe
1596	spoolsv.exe
2388	spoolsv.exe
2064	spoolsv.exe
900	spoolsv.exe
1936	spoolsv.exe
1248	spoolsv.exe
2612	spoolsv.exe
1228	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exeexplorer.exe

pid	process
2508	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
2508	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2040 set thread context of 2508	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
PID 2436 set thread context of 2100	2436	explorer.exe	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exeexplorer.exe

pid	process
2508	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2100 explorer.exe

pid	process
2100	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exeexplorer.exe

pid	process
2508	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
2508	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2040 wrote to memory of 2584	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	splwow64.exe
PID 2040 wrote to memory of 2584	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	splwow64.exe
PID 2040 wrote to memory of 2584	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	splwow64.exe
PID 2040 wrote to memory of 2584	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	splwow64.exe
PID 2040 wrote to memory of 2508	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
PID 2040 wrote to memory of 2508	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
PID 2040 wrote to memory of 2508	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
PID 2040 wrote to memory of 2508	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
PID 2040 wrote to memory of 2508	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
PID 2040 wrote to memory of 2508	2040	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
PID 2508 wrote to memory of 2436	2508	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	explorer.exe
PID 2508 wrote to memory of 2436	2508	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	explorer.exe
PID 2508 wrote to memory of 2436	2508	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	explorer.exe
PID 2508 wrote to memory of 2436	2508	69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe	explorer.exe
PID 2436 wrote to memory of 2100	2436	explorer.exe	explorer.exe
PID 2436 wrote to memory of 2100	2436	explorer.exe	explorer.exe
PID 2436 wrote to memory of 2100	2436	explorer.exe	explorer.exe
PID 2436 wrote to memory of 2100	2436	explorer.exe	explorer.exe
PID 2436 wrote to memory of 2100	2436	explorer.exe	explorer.exe
PID 2436 wrote to memory of 2100	2436	explorer.exe	explorer.exe
PID 2100 wrote to memory of 2360	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2360	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2360	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2360	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1460	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1460	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1460	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1460	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2716	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2716	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2716	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2716	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 656	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 656	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 656	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 656	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1580	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1580	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1580	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1580	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1444	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1444	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1444	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1444	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2504	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2504	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2504	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2504	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2492	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2492	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2492	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2492	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2764	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2764	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2764	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2764	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2152	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2152	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2152	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 2152	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1372	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1372	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1372	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 1372	2100	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69bd9e7bb6dac3f1b71f49f8c525d5a3_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2436

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2360

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2716

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:656

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1580

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1444

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2228

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1120

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4284

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6124

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
1⤵
PID:5124

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
\Windows\system\explorer.exe
Filesize
2.2MB

MD5
df46e2caa018085f06df675ca0a09654

SHA1
d6d2ceccf9ae95924ff33fdf8a40699c711c552a

SHA256
d0ce2e79b41cf0043f1735aa806a2007f43eacf724d10433d78bed313074d597

SHA512
5b9aaf081cb4f7d2114705efd39e6c7f3eefedbd9fb1bdf5ba81fed3c7ceb1396e0636b25da07f9db7ce06f5e92ca8986e0aa640bfa09664771e2b489bee1895

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.2MB

MD5
454d9034198c3929ffc5804c60ba32ed

SHA1
a50cbbaeccd5becd14b4da471284883e6b723d68

SHA256
fe9f4216b6adccd56ad3f26b348a8f65338e11123659318fa2cc747ce7649712

SHA512
a63475412cc0d89b4f1532224bbb25310a79f7f91c40d238597c6ae7133ea04fd46399efcc2127b4077e4dccb91902ff37370b97431e977ac9dc2af86563a66b

Download Submit
memory/656-2776-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/968-3318-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1120-3305-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1372-3303-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1416-3768-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1444-2778-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1456-3767-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1460-2774-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1512-6071-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1580-2777-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1660-3312-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1952-3306-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1976-3319-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2004-3770-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2040-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2040-19-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2040-17-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2040-29-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2100-2772-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-3302-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2228-3304-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2236-3316-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2300-3771-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2360-2773-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2412-3313-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2436-42-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2436-62-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2436-72-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2436-3315-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2492-3300-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2504-3294-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2508-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2508-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-49-0x0000000000440000-0x000000000051F000-memory.dmp

Filesize
892KB

Download
memory/2508-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-3765-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2552-3766-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2644-3320-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2684-3314-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2716-2775-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2752-3317-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2764-3301-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2960-3769-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3924-6003-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-5993-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads