pony | 995a09cb8c096619aa04052f24b33f5af652fc17324ebbae31b9e914d4c0d6cf

Analysis

max time kernel
129s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
Size

2.2MB
MD5

6f0247bae5f3fc2b6ec644ef5a5a2907
SHA1

c6e2cc6e2aa0560848c7a476a866dd25161cae2a
SHA256

995a09cb8c096619aa04052f24b33f5af652fc17324ebbae31b9e914d4c0d6cf
SHA512

14dbe2f2a5e9aac2f353b211ab05fcb032b701a5d4c90c72d06b2555045c9fb6ec51e1942b2c5bb2be32af561a046f430662b0f349d3f56673285730e8eaa5f8
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZG:0UzeyQMS4DqodCnoe+iitjWwwy

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
264	explorer.exe
1440	explorer.exe
2200	spoolsv.exe
932	spoolsv.exe
3848	spoolsv.exe
2264	spoolsv.exe
3468	spoolsv.exe
1128	spoolsv.exe
456	spoolsv.exe
8	spoolsv.exe
1424	spoolsv.exe
3480	spoolsv.exe
4952	spoolsv.exe
832	spoolsv.exe
1484	spoolsv.exe
4588	spoolsv.exe
3064	spoolsv.exe
4568	spoolsv.exe
1260	spoolsv.exe
3904	spoolsv.exe
4656	spoolsv.exe
3168	spoolsv.exe
3448	spoolsv.exe
3688	spoolsv.exe
4396	spoolsv.exe
3000	spoolsv.exe
4988	spoolsv.exe
960	spoolsv.exe
4424	spoolsv.exe
3044	spoolsv.exe
4204	spoolsv.exe
4792	spoolsv.exe
2988	spoolsv.exe
4372	spoolsv.exe
1408	explorer.exe
5064	spoolsv.exe
3732	spoolsv.exe
964	spoolsv.exe
5028	spoolsv.exe
2624	spoolsv.exe
1396	explorer.exe
1044	spoolsv.exe
4812	spoolsv.exe
4592	spoolsv.exe
2052	spoolsv.exe
3132	spoolsv.exe
4956	spoolsv.exe
4248	spoolsv.exe
828	spoolsv.exe
4440	explorer.exe
936	spoolsv.exe
3568	spoolsv.exe
2012	spoolsv.exe
4684	spoolsv.exe
4984	explorer.exe
3380	spoolsv.exe
1504	spoolsv.exe
3140	spoolsv.exe
4632	spoolsv.exe
4296	explorer.exe
2004	spoolsv.exe
3596	spoolsv.exe
3500	spoolsv.exe
4892	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 42 IoCs

Processes:

6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exe

description	pid	process	target process
PID 1412 set thread context of 1084	1412	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
PID 264 set thread context of 1440	264	explorer.exe	explorer.exe
PID 2200 set thread context of 4372	2200	spoolsv.exe	spoolsv.exe
PID 932 set thread context of 5064	932	spoolsv.exe	spoolsv.exe
PID 3848 set thread context of 3732	3848	spoolsv.exe	spoolsv.exe
PID 2264 set thread context of 964	2264	spoolsv.exe	spoolsv.exe
PID 3468 set thread context of 5028	3468	spoolsv.exe	spoolsv.exe
PID 1128 set thread context of 2624	1128	spoolsv.exe	spoolsv.exe
PID 456 set thread context of 4812	456	spoolsv.exe	spoolsv.exe
PID 8 set thread context of 4592	8	spoolsv.exe	spoolsv.exe
PID 1424 set thread context of 2052	1424	spoolsv.exe	spoolsv.exe
PID 3480 set thread context of 3132	3480	spoolsv.exe	spoolsv.exe
PID 4952 set thread context of 4956	4952	spoolsv.exe	spoolsv.exe
PID 832 set thread context of 828	832	spoolsv.exe	spoolsv.exe
PID 1484 set thread context of 936	1484	spoolsv.exe	spoolsv.exe
PID 4588 set thread context of 3568	4588	spoolsv.exe	spoolsv.exe
PID 3064 set thread context of 4684	3064	spoolsv.exe	spoolsv.exe
PID 4568 set thread context of 3380	4568	spoolsv.exe	spoolsv.exe
PID 1260 set thread context of 1504	1260	spoolsv.exe	spoolsv.exe
PID 3904 set thread context of 4632	3904	spoolsv.exe	spoolsv.exe
PID 4656 set thread context of 2004	4656	spoolsv.exe	spoolsv.exe
PID 3168 set thread context of 3500	3168	spoolsv.exe	spoolsv.exe
PID 3448 set thread context of 4892	3448	spoolsv.exe	spoolsv.exe
PID 3688 set thread context of 1148	3688	spoolsv.exe	spoolsv.exe
PID 4396 set thread context of 4308	4396	spoolsv.exe	spoolsv.exe
PID 3000 set thread context of 2580	3000	spoolsv.exe	spoolsv.exe
PID 4988 set thread context of 2636	4988	spoolsv.exe	spoolsv.exe
PID 960 set thread context of 2144	960	spoolsv.exe	spoolsv.exe
PID 4424 set thread context of 556	4424	spoolsv.exe	spoolsv.exe
PID 3044 set thread context of 1468	3044	spoolsv.exe	spoolsv.exe
PID 4204 set thread context of 4284	4204	spoolsv.exe	spoolsv.exe
PID 4792 set thread context of 3724	4792	spoolsv.exe	spoolsv.exe
PID 1408 set thread context of 4072	1408	explorer.exe	explorer.exe
PID 2988 set thread context of 2800	2988	spoolsv.exe	spoolsv.exe
PID 1044 set thread context of 3840	1044	spoolsv.exe	spoolsv.exe
PID 1396 set thread context of 4680	1396	explorer.exe	explorer.exe
PID 4248 set thread context of 3148	4248	spoolsv.exe	spoolsv.exe
PID 4440 set thread context of 4384	4440	explorer.exe	explorer.exe
PID 2012 set thread context of 3376	2012	spoolsv.exe	spoolsv.exe
PID 4984 set thread context of 4456	4984	explorer.exe	explorer.exe
PID 3140 set thread context of 5084	3140	spoolsv.exe	spoolsv.exe
PID 4296 set thread context of 672	4296	explorer.exe	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exe6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exeexplorer.exe

pid	process
1084	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
1084	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1440 explorer.exe

pid	process
1440	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1084	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
1084	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
4372	spoolsv.exe
4372	spoolsv.exe
5064	spoolsv.exe
5064	spoolsv.exe
3732	spoolsv.exe
3732	spoolsv.exe
964	spoolsv.exe
964	spoolsv.exe
5028	spoolsv.exe
5028	spoolsv.exe
2624	spoolsv.exe
2624	spoolsv.exe
4812	spoolsv.exe
4812	spoolsv.exe
4592	spoolsv.exe
4592	spoolsv.exe
2052	spoolsv.exe
2052	spoolsv.exe
3132	spoolsv.exe
3132	spoolsv.exe
4956	spoolsv.exe
4956	spoolsv.exe
828	spoolsv.exe
828	spoolsv.exe
936	spoolsv.exe
936	spoolsv.exe
3568	spoolsv.exe
3568	spoolsv.exe
4684	spoolsv.exe
4684	spoolsv.exe
3380	spoolsv.exe
3380	spoolsv.exe
1504	spoolsv.exe
1504	spoolsv.exe
4632	spoolsv.exe
4632	spoolsv.exe
2004	spoolsv.exe
2004	spoolsv.exe
3500	spoolsv.exe
3500	spoolsv.exe
4892	spoolsv.exe
4892	spoolsv.exe
1148	spoolsv.exe
1148	spoolsv.exe
4308	spoolsv.exe
4308	spoolsv.exe
2580	spoolsv.exe
2580	spoolsv.exe
2636	spoolsv.exe
2636	spoolsv.exe
2144	spoolsv.exe
2144	spoolsv.exe
556	spoolsv.exe
556	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
4284	spoolsv.exe
4284	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1412 wrote to memory of 1972	1412	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	splwow64.exe
PID 1412 wrote to memory of 1972	1412	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	splwow64.exe
PID 1412 wrote to memory of 1084	1412	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
PID 1412 wrote to memory of 1084	1412	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
PID 1412 wrote to memory of 1084	1412	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
PID 1412 wrote to memory of 1084	1412	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
PID 1412 wrote to memory of 1084	1412	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
PID 1084 wrote to memory of 264	1084	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	explorer.exe
PID 1084 wrote to memory of 264	1084	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	explorer.exe
PID 1084 wrote to memory of 264	1084	6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe	explorer.exe
PID 264 wrote to memory of 1440	264	explorer.exe	explorer.exe
PID 264 wrote to memory of 1440	264	explorer.exe	explorer.exe
PID 264 wrote to memory of 1440	264	explorer.exe	explorer.exe
PID 264 wrote to memory of 1440	264	explorer.exe	explorer.exe
PID 264 wrote to memory of 1440	264	explorer.exe	explorer.exe
PID 1440 wrote to memory of 2200	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 2200	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 2200	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 932	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 932	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 932	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3848	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3848	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3848	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 2264	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 2264	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 2264	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3468	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3468	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3468	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 1128	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 1128	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 1128	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 456	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 456	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 456	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 8	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 8	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 8	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 1424	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 1424	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 1424	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3480	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3480	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3480	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 4952	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 4952	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 4952	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 832	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 832	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 832	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 1484	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 1484	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 1484	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 4588	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 4588	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 4588	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3064	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3064	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 3064	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 4568	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 4568	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 4568	1440	explorer.exe	spoolsv.exe
PID 1440 wrote to memory of 1260	1440	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f0247bae5f3fc2b6ec644ef5a5a2907_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:264

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2200

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4372

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1408

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:932

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3848

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2264

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3468

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1128

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2624

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1396

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:456

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:8

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1424

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3480

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4952

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:832

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:828

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4440

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1484

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4588

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3064

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4684

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4984

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4568

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1260

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3904

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4632

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4296

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4656

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3168

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3448

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4892

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4948

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3688

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4396

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3000

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2580

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:2152

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:6052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4988

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:960

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4424

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3044

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4204

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4792

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3724

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:5000

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2988

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2800

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:1688

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1044

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3840

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:4788

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4248

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3148

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2012

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3376

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3140

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5084

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3596

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4696

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5884

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2280

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4232

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1696

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2368

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3584

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2804

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5016

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:540

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2944

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2008

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3248

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1208

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5572

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
763adc9a5b027a90fc27ae1e6a571110

SHA1
b09892a87141a4aa0e86f1ef5857510c2a945aae

SHA256
349dcf94d942e9a1f9ec42a1cb0962d0b57015c81b469dd0fdcc08054f03851d

SHA512
89e822883251201c3add7752163e8c49fa1afebe2554364a7c25fe8471ddedd83e40e41b1ee55eedd53956053151d94f4df26ee5af6e65e0b66953439a0fc0c4

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
adc30f0af8dce68ba633281b5b988c68

SHA1
ad408a359b351c1a2499ed523124a2736c6edb63

SHA256
445748ee74f5e2bd12910af6da906ed31e5f6e619dca6a4a9ca4bb5497521fba

SHA512
2adae19981159ec77467c367a16408fd07f7a669ab4a4396c9423ff2d17ea9e83ee4c04440903ecc0c2a5c4c8db4070397b07b7110c52e1c6383a78af463b09c

Download Submit
memory/8-1435-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/264-85-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/264-89-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/456-1260-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/556-3212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/672-4653-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/828-2480-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/828-2563-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/832-1596-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/932-1116-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/932-2109-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/936-2487-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/964-2130-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-77-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/1084-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1128-1259-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1148-2950-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1260-1962-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1412-0-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1412-46-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1412-43-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1412-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1424-1436-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1440-929-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1440-91-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-1597-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1504-2663-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2052-2350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-3202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2200-930-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2200-2094-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2264-1118-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2280-5319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-5555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-3276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-3097-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-2451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2636-3121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3064-1782-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3068-5342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-2360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3148-4404-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3148-4289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-2098-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3376-4489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-4622-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-2632-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-2628-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-2108-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3468-1258-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3480-1437-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3500-2885-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-2496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3688-2120-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3724-3460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3732-2117-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-4140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3848-1117-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3848-2121-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3904-1963-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3980-5538-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-4777-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-4926-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-3766-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-3231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-2099-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-2208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-4297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-4500-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-1783-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4588-1781-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4592-2340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-2924-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-2778-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4656-2097-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4680-4148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-2622-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4812-2329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4812-2327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-3069-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-2942-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4952-1595-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4956-2372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-2106-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-4643-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5228-4873-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5284-5356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5348-5364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5472-5617-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5504-5374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5572-5607-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5572-5724-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5668-5398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5744-5408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5844-5414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5884-5154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5884-5016-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5916-5423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5916-5427-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6052-5310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download