pony | 5aba1a59d42a67e660bf4200acd9acab7703b63708f32d63607b85fe8e80692b

Analysis

max time kernel
130s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
Size

2.2MB
MD5

6a3e26d18d3300e4251f065a6d82bb45
SHA1

d3a3ac09a78acec27373f1c7cce5d2aa2bfecb16
SHA256

5aba1a59d42a67e660bf4200acd9acab7703b63708f32d63607b85fe8e80692b
SHA512

1b14a819aad9b1836e8ebbc52efdabfdb4fd6dd6e9c2222b654d614dad1aba609998e28f8c4907d015ed7822188f2099c5fe91bd65d9a39545df059333127490
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZo:0UzeyQMS4DqodCnoe+iitjWwws

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

pid	process
4764	explorer.exe
472	explorer.exe
2120	spoolsv.exe
3408	spoolsv.exe
3572	spoolsv.exe
2560	spoolsv.exe
848	spoolsv.exe
3796	spoolsv.exe
4372	spoolsv.exe
2712	spoolsv.exe
2292	spoolsv.exe
1544	spoolsv.exe
4432	spoolsv.exe
4400	spoolsv.exe
4960	spoolsv.exe
3756	spoolsv.exe
4108	spoolsv.exe
2912	spoolsv.exe
2148	spoolsv.exe
4340	spoolsv.exe
3100	spoolsv.exe
4360	spoolsv.exe
2688	spoolsv.exe
1928	spoolsv.exe
3804	spoolsv.exe
4764	spoolsv.exe
1508	spoolsv.exe
1556	spoolsv.exe
3568	spoolsv.exe
1244	spoolsv.exe
5036	spoolsv.exe
3092	spoolsv.exe
3264	spoolsv.exe
1116	spoolsv.exe
2592	spoolsv.exe
3856	spoolsv.exe
4284	spoolsv.exe
3108	explorer.exe
1312	spoolsv.exe
5152	spoolsv.exe
5276	spoolsv.exe
5616	spoolsv.exe
5660	explorer.exe
5992	spoolsv.exe
6080	spoolsv.exe
5260	spoolsv.exe
5284	explorer.exe
5568	spoolsv.exe
1492	spoolsv.exe
5748	spoolsv.exe
5820	spoolsv.exe
5872	spoolsv.exe
5124	spoolsv.exe
5200	explorer.exe
5460	spoolsv.exe
5476	spoolsv.exe
5544	spoolsv.exe
4068	spoolsv.exe
688	spoolsv.exe
5788	spoolsv.exe
5840	spoolsv.exe
2080	spoolsv.exe
3652	explorer.exe
5256	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 46 IoCs

Processes:

6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exe

description	pid	process	target process
PID 1564 set thread context of 4544	1564	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
PID 4764 set thread context of 472	4764	explorer.exe	explorer.exe
PID 2120 set thread context of 4284	2120	spoolsv.exe	spoolsv.exe
PID 3408 set thread context of 1312	3408	spoolsv.exe	spoolsv.exe
PID 3572 set thread context of 5276	3572	spoolsv.exe	spoolsv.exe
PID 2560 set thread context of 5616	2560	spoolsv.exe	spoolsv.exe
PID 848 set thread context of 6080	848	spoolsv.exe	spoolsv.exe
PID 3796 set thread context of 5260	3796	spoolsv.exe	spoolsv.exe
PID 4372 set thread context of 1492	4372	spoolsv.exe	spoolsv.exe
PID 2712 set thread context of 5748	2712	spoolsv.exe	spoolsv.exe
PID 2292 set thread context of 5820	2292	spoolsv.exe	spoolsv.exe
PID 1544 set thread context of 5872	1544	spoolsv.exe	spoolsv.exe
PID 4432 set thread context of 5124	4432	spoolsv.exe	spoolsv.exe
PID 4400 set thread context of 5476	4400	spoolsv.exe	spoolsv.exe
PID 4960 set thread context of 5544	4960	spoolsv.exe	spoolsv.exe
PID 3756 set thread context of 4068	3756	spoolsv.exe	spoolsv.exe
PID 4108 set thread context of 688	4108	spoolsv.exe	spoolsv.exe
PID 2912 set thread context of 5788	2912	spoolsv.exe	spoolsv.exe
PID 2148 set thread context of 5840	2148	spoolsv.exe	spoolsv.exe
PID 4340 set thread context of 2080	4340	spoolsv.exe	spoolsv.exe
PID 3100 set thread context of 224	3100	spoolsv.exe	spoolsv.exe
PID 4360 set thread context of 5444	4360	spoolsv.exe	spoolsv.exe
PID 2688 set thread context of 5504	2688	spoolsv.exe	spoolsv.exe
PID 1928 set thread context of 4376	1928	spoolsv.exe	spoolsv.exe
PID 3804 set thread context of 5576	3804	spoolsv.exe	spoolsv.exe
PID 4764 set thread context of 2040	4764	spoolsv.exe	spoolsv.exe
PID 1508 set thread context of 1052	1508	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 1428	1556	spoolsv.exe	spoolsv.exe
PID 3568 set thread context of 5404	3568	spoolsv.exe	spoolsv.exe
PID 1244 set thread context of 2544	1244	spoolsv.exe	spoolsv.exe
PID 5036 set thread context of 2484	5036	spoolsv.exe	spoolsv.exe
PID 3092 set thread context of 3184	3092	spoolsv.exe	spoolsv.exe
PID 3264 set thread context of 4112	3264	spoolsv.exe	spoolsv.exe
PID 1116 set thread context of 1820	1116	spoolsv.exe	spoolsv.exe
PID 2592 set thread context of 1924	2592	spoolsv.exe	spoolsv.exe
PID 3856 set thread context of 2232	3856	spoolsv.exe	spoolsv.exe
PID 3108 set thread context of 5924	3108	explorer.exe	explorer.exe
PID 5152 set thread context of 520	5152	spoolsv.exe	spoolsv.exe
PID 5660 set thread context of 5248	5660	explorer.exe	explorer.exe
PID 5992 set thread context of 2352	5992	spoolsv.exe	spoolsv.exe
PID 5284 set thread context of 4104	5284	explorer.exe	explorer.exe
PID 5568 set thread context of 2776	5568	spoolsv.exe	spoolsv.exe
PID 5200 set thread context of 4224	5200	explorer.exe	explorer.exe
PID 5460 set thread context of 4792	5460	spoolsv.exe	spoolsv.exe
PID 5256 set thread context of 5164	5256	spoolsv.exe	spoolsv.exe
PID 3652 set thread context of 3576	3652	explorer.exe	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exe6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exeexplorer.exe

pid	process
4544	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
4544	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

472 explorer.exe

pid	process
472	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4544	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
4544	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
4284	spoolsv.exe
4284	spoolsv.exe
1312	spoolsv.exe
1312	spoolsv.exe
5276	spoolsv.exe
5276	spoolsv.exe
5616	spoolsv.exe
5616	spoolsv.exe
6080	spoolsv.exe
6080	spoolsv.exe
5260	spoolsv.exe
5260	spoolsv.exe
1492	spoolsv.exe
1492	spoolsv.exe
5748	spoolsv.exe
5748	spoolsv.exe
5820	spoolsv.exe
5820	spoolsv.exe
5872	spoolsv.exe
5872	spoolsv.exe
5124	spoolsv.exe
5124	spoolsv.exe
5476	spoolsv.exe
5476	spoolsv.exe
5544	spoolsv.exe
5544	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
688	spoolsv.exe
688	spoolsv.exe
5788	spoolsv.exe
5788	spoolsv.exe
5840	spoolsv.exe
5840	spoolsv.exe
2080	spoolsv.exe
2080	spoolsv.exe
224	spoolsv.exe
224	spoolsv.exe
5444	spoolsv.exe
5444	spoolsv.exe
5504	spoolsv.exe
5504	spoolsv.exe
4376	spoolsv.exe
4376	spoolsv.exe
5576	spoolsv.exe
5576	spoolsv.exe
2040	spoolsv.exe
2040	spoolsv.exe
1052	spoolsv.exe
1052	spoolsv.exe
1428	spoolsv.exe
1428	spoolsv.exe
5404	spoolsv.exe
5404	spoolsv.exe
2544	spoolsv.exe
2544	spoolsv.exe
2484	spoolsv.exe
2484	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1564 wrote to memory of 4352	1564	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	splwow64.exe
PID 1564 wrote to memory of 4352	1564	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	splwow64.exe
PID 1564 wrote to memory of 4544	1564	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
PID 1564 wrote to memory of 4544	1564	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
PID 1564 wrote to memory of 4544	1564	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
PID 1564 wrote to memory of 4544	1564	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
PID 1564 wrote to memory of 4544	1564	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
PID 4544 wrote to memory of 4764	4544	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	explorer.exe
PID 4544 wrote to memory of 4764	4544	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	explorer.exe
PID 4544 wrote to memory of 4764	4544	6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe	explorer.exe
PID 4764 wrote to memory of 472	4764	explorer.exe	explorer.exe
PID 4764 wrote to memory of 472	4764	explorer.exe	explorer.exe
PID 4764 wrote to memory of 472	4764	explorer.exe	explorer.exe
PID 4764 wrote to memory of 472	4764	explorer.exe	explorer.exe
PID 4764 wrote to memory of 472	4764	explorer.exe	explorer.exe
PID 472 wrote to memory of 2120	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2120	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2120	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3408	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3408	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3408	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3572	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3572	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3572	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2560	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2560	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2560	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 848	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 848	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 848	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3796	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3796	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3796	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4372	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4372	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4372	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2712	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2712	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2712	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2292	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2292	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2292	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 1544	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 1544	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 1544	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4432	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4432	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4432	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4400	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4400	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4400	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4960	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4960	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4960	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3756	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3756	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 3756	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4108	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4108	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 4108	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2912	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2912	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2912	472	explorer.exe	spoolsv.exe
PID 472 wrote to memory of 2148	472	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a3e26d18d3300e4251f065a6d82bb45_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4764

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2120

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4284

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3108

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3408

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3572

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2560

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5616

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5660

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:848

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3796

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5260

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5284

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4372

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2712

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2292

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1544

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4432

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5124

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5200

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4400

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4960

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3756

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4108

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2912

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2148

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4340

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2080

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3652

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3100

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4360

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2688

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1928

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3804

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4764

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1508

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1556

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3568

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1244

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2544

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3580

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5036

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3092

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3264

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1116

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2592

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3856

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2232

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:5976

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5152

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:520

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4612

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5992

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2352

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4084

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5568

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2776

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:6116

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:64

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5460

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4792

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5256

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5164

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5860

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5800

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5032

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5112

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:696

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5776

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3172

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5560

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4768

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:272

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3256

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4428

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4364

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2340

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4812

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4308

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5700

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
ab82394c813d0addebbe3fbee8438d8b

SHA1
b95eeaab3a905937e989a51fdcd89aa93ec748ed

SHA256
56865397c162b6ea376a1f3bd8f17f9d79f459be19f502b4ec1e9c5f750dff0d

SHA512
f6c6814da7aa5cac8cfd70c2f3f41d637df71ffa1fd61be7fa441f6a36bee03c526a538d41b901977e26b7c23c54f8b85ce9e1d9e2379c7be5970e5c2dfdf237

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
2.2MB

MD5
776d8f2759bbf7e996a6ff1c9d626008

SHA1
7e3a4b582073cd0b25423f19dd6d8df6d41033ea

SHA256
fc093adada911e74fbee23e07126a03725a54887cf1357405870edcd6528cb76

SHA512
b7ce68957f42f32ce3a75f6ad4e9552765375f111ad56ac16c862af9acf001171946fc5cd8bd8f562c20a37ce14081819fb8b09394683fed240d23552f7dc098

Download Submit
memory/64-5754-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/224-3112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/416-5790-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/472-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/472-977-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/520-3764-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/520-3667-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-2904-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/696-5438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/848-1192-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1052-3170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-3175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1164-5614-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-2262-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/1312-2263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-2679-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1544-1567-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1564-22-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1564-18-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1564-0-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1564-16-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1820-3365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-3375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-2255-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2040-3163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-3160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-3093-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-3278-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-978-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2120-2253-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2148-2020-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2232-3557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2232-3644-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2292-1566-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2352-3786-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-3335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-3327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-3450-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-2435-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2560-1191-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2612-5760-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-2247-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2712-1375-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2776-4234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2912-2019-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3100-2245-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3172-5580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3184-3348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3408-2264-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3408-979-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3572-2364-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3572-980-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3756-1780-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3796-1373-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3804-2362-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3988-5356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4068-2892-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-4116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-2018-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4224-4531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-2414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-2256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-2244-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4356-5733-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-2246-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4372-1374-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4400-1778-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4432-1568-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4540-5779-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4592-5587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-68-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4764-73-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4792-4709-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-5626-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-5622-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4960-1779-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5124-2798-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5124-3000-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5164-4994-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5248-3686-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5260-2600-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5260-2760-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5276-2365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5404-3250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5476-2874-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5504-3132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5544-2882-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5576-3149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5616-2575-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5616-2440-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5716-5448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5748-2690-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5800-5285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5820-2701-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5836-5293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5840-2934-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5872-2721-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5908-5635-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5924-3567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5956-5611-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6080-2529-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download