pony | a921f9fffa8dab59407ce1419806edf6d174bb7dfbf037216b4477401beabff4

Analysis

max time kernel
131s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
Size

2.2MB
MD5

7ec2444102d3b4c7b024f29d8458e902
SHA1

61b36b2b68b7e79e702683916f2ca6ef2b23e380
SHA256

a921f9fffa8dab59407ce1419806edf6d174bb7dfbf037216b4477401beabff4
SHA512

8610b2c0aca1bbc06ee3d47a46b4e1d1a962eff3c659247d6b03cfaf095eba98c1d2c1f69e2079c3b4b612fe1d529be6fc3f8834ff814dcb92a739c0fc1987e7
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZm:0UzeyQMS4DqodCnoe+iitjWwwi

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

pid	process
2056	explorer.exe
4748	explorer.exe
1304	spoolsv.exe
908	spoolsv.exe
3360	spoolsv.exe
4876	spoolsv.exe
3964	spoolsv.exe
3740	spoolsv.exe
2452	spoolsv.exe
112	spoolsv.exe
4752	spoolsv.exe
4704	spoolsv.exe
380	spoolsv.exe
4840	spoolsv.exe
2288	spoolsv.exe
1580	spoolsv.exe
3312	spoolsv.exe
1988	spoolsv.exe
1140	spoolsv.exe
1268	spoolsv.exe
2460	spoolsv.exe
3216	spoolsv.exe
1484	spoolsv.exe
3732	spoolsv.exe
2628	spoolsv.exe
2340	spoolsv.exe
3348	spoolsv.exe
1404	spoolsv.exe
2560	spoolsv.exe
3748	spoolsv.exe
1532	spoolsv.exe
2888	spoolsv.exe
1292	spoolsv.exe
1176	spoolsv.exe
4324	spoolsv.exe
1288	explorer.exe
2172	spoolsv.exe
3820	spoolsv.exe
1228	spoolsv.exe
3704	spoolsv.exe
2668	explorer.exe
3860	spoolsv.exe
3228	spoolsv.exe
2664	spoolsv.exe
1572	spoolsv.exe
2552	explorer.exe
1276	spoolsv.exe
548	spoolsv.exe
2420	spoolsv.exe
2276	spoolsv.exe
3676	spoolsv.exe
2444	explorer.exe
4016	spoolsv.exe
4224	spoolsv.exe
4472	spoolsv.exe
2120	spoolsv.exe
4064	spoolsv.exe
1816	spoolsv.exe
2772	spoolsv.exe
4072	spoolsv.exe
2100	spoolsv.exe
3252	spoolsv.exe
880	explorer.exe
4588	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 42 IoCs

Processes:

7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2164 set thread context of 5060	2164	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
PID 2056 set thread context of 4748	2056	explorer.exe	explorer.exe
PID 1304 set thread context of 4324	1304	spoolsv.exe	spoolsv.exe
PID 908 set thread context of 2172	908	spoolsv.exe	spoolsv.exe
PID 3360 set thread context of 1228	3360	spoolsv.exe	spoolsv.exe
PID 4876 set thread context of 3704	4876	spoolsv.exe	spoolsv.exe
PID 3964 set thread context of 3860	3964	spoolsv.exe	spoolsv.exe
PID 3740 set thread context of 2664	3740	spoolsv.exe	spoolsv.exe
PID 2452 set thread context of 1572	2452	spoolsv.exe	spoolsv.exe
PID 112 set thread context of 1276	112	spoolsv.exe	spoolsv.exe
PID 4752 set thread context of 2420	4752	spoolsv.exe	spoolsv.exe
PID 4704 set thread context of 2276	4704	spoolsv.exe	spoolsv.exe
PID 380 set thread context of 3676	380	spoolsv.exe	spoolsv.exe
PID 4840 set thread context of 4016	4840	spoolsv.exe	spoolsv.exe
PID 2288 set thread context of 4224	2288	spoolsv.exe	spoolsv.exe
PID 1580 set thread context of 4472	1580	spoolsv.exe	spoolsv.exe
PID 3312 set thread context of 2120	3312	spoolsv.exe	spoolsv.exe
PID 1988 set thread context of 1816	1988	spoolsv.exe	spoolsv.exe
PID 1140 set thread context of 2772	1140	spoolsv.exe	spoolsv.exe
PID 1268 set thread context of 4072	1268	spoolsv.exe	spoolsv.exe
PID 2460 set thread context of 2100	2460	spoolsv.exe	spoolsv.exe
PID 3216 set thread context of 3252	3216	spoolsv.exe	spoolsv.exe
PID 1484 set thread context of 4588	1484	spoolsv.exe	spoolsv.exe
PID 3732 set thread context of 4000	3732	spoolsv.exe	spoolsv.exe
PID 2628 set thread context of 2116	2628	spoolsv.exe	spoolsv.exe
PID 2340 set thread context of 2064	2340	spoolsv.exe	spoolsv.exe
PID 3348 set thread context of 4948	3348	spoolsv.exe	spoolsv.exe
PID 1404 set thread context of 1136	1404	spoolsv.exe	spoolsv.exe
PID 2560 set thread context of 5012	2560	spoolsv.exe	spoolsv.exe
PID 3748 set thread context of 656	3748	spoolsv.exe	spoolsv.exe
PID 1532 set thread context of 4848	1532	spoolsv.exe	spoolsv.exe
PID 2888 set thread context of 1836	2888	spoolsv.exe	spoolsv.exe
PID 1292 set thread context of 1016	1292	spoolsv.exe	spoolsv.exe
PID 1176 set thread context of 1928	1176	spoolsv.exe	spoolsv.exe
PID 1288 set thread context of 5100	1288	explorer.exe	explorer.exe
PID 3820 set thread context of 3636	3820	spoolsv.exe	spoolsv.exe
PID 2668 set thread context of 1424	2668	explorer.exe	explorer.exe
PID 3228 set thread context of 4568	3228	spoolsv.exe	spoolsv.exe
PID 2552 set thread context of 3264	2552	explorer.exe	explorer.exe
PID 548 set thread context of 2416	548	spoolsv.exe	spoolsv.exe
PID 2444 set thread context of 4904	2444	explorer.exe	explorer.exe
PID 4064 set thread context of 3996	4064	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exeexplorer.exe

pid	process
5060	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
5060	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

4748 explorer.exe

pid	process
4748	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
5060	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
5060	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4748	explorer.exe
4324	spoolsv.exe
4324	spoolsv.exe
2172	spoolsv.exe
2172	spoolsv.exe
1228	spoolsv.exe
1228	spoolsv.exe
3704	spoolsv.exe
3704	spoolsv.exe
3860	spoolsv.exe
3860	spoolsv.exe
2664	spoolsv.exe
2664	spoolsv.exe
1572	spoolsv.exe
1572	spoolsv.exe
1276	spoolsv.exe
1276	spoolsv.exe
2420	spoolsv.exe
2420	spoolsv.exe
2276	spoolsv.exe
2276	spoolsv.exe
3676	spoolsv.exe
3676	spoolsv.exe
4016	spoolsv.exe
4016	spoolsv.exe
4224	spoolsv.exe
4224	spoolsv.exe
4472	spoolsv.exe
4472	spoolsv.exe
2120	spoolsv.exe
2120	spoolsv.exe
1816	spoolsv.exe
1816	spoolsv.exe
2772	spoolsv.exe
2772	spoolsv.exe
4072	spoolsv.exe
4072	spoolsv.exe
2100	spoolsv.exe
2100	spoolsv.exe
3252	spoolsv.exe
3252	spoolsv.exe
4588	spoolsv.exe
4588	spoolsv.exe
4000	spoolsv.exe
4000	spoolsv.exe
2116	spoolsv.exe
2116	spoolsv.exe
2064	spoolsv.exe
2064	spoolsv.exe
4948	spoolsv.exe
4948	spoolsv.exe
1136	spoolsv.exe
1136	spoolsv.exe
5012	spoolsv.exe
5012	spoolsv.exe
656	spoolsv.exe
656	spoolsv.exe
4848	spoolsv.exe
4848	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2164 wrote to memory of 3672	2164	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	splwow64.exe
PID 2164 wrote to memory of 3672	2164	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	splwow64.exe
PID 2164 wrote to memory of 5060	2164	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
PID 2164 wrote to memory of 5060	2164	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
PID 2164 wrote to memory of 5060	2164	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
PID 2164 wrote to memory of 5060	2164	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
PID 2164 wrote to memory of 5060	2164	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
PID 5060 wrote to memory of 2056	5060	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	explorer.exe
PID 5060 wrote to memory of 2056	5060	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	explorer.exe
PID 5060 wrote to memory of 2056	5060	7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe	explorer.exe
PID 2056 wrote to memory of 4748	2056	explorer.exe	explorer.exe
PID 2056 wrote to memory of 4748	2056	explorer.exe	explorer.exe
PID 2056 wrote to memory of 4748	2056	explorer.exe	explorer.exe
PID 2056 wrote to memory of 4748	2056	explorer.exe	explorer.exe
PID 2056 wrote to memory of 4748	2056	explorer.exe	explorer.exe
PID 4748 wrote to memory of 1304	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 1304	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 1304	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 908	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 908	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 908	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3360	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3360	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3360	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4876	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4876	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4876	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3964	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3964	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3964	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3740	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3740	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3740	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 2452	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 2452	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 2452	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 112	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 112	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 112	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4752	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4752	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4752	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4704	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4704	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4704	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 380	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 380	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 380	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4840	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4840	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 4840	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 2288	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 2288	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 2288	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 1580	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 1580	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 1580	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3312	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3312	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 3312	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 1988	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 1988	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 1988	4748	explorer.exe	spoolsv.exe
PID 4748 wrote to memory of 1140	4748	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7ec2444102d3b4c7b024f29d8458e902_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2056

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1304

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4324

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1288

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:908

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3360

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4876

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3704

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2668

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3964

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3740

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2452

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1572

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2552

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:112

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4752

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4704

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:380

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3676

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2444

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4840

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2288

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1580

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3312

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1988

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1140

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1268

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2460

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3216

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3252

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:880

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1484

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3732

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2628

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2340

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3348

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1404

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2560

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5012

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:5048

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3748

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1532

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2888

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1292

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:1076

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1176

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1928

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:1224

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3820

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3636

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:1180

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3228

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4568

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:2508

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:548

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2416

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4064

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3996

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2520

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2872

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3340

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3320

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4608

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1860

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4888

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2388

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2000

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:852

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3808

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4476

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:744

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:872

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2496

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:4316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
ac8fb35dbcc450020d8818d99967efd3

SHA1
7be911155215562d8bda0e4ed35fbadb40279e72

SHA256
25e0026d558599356f86f931757bba1a5bb8c231f59ec0b96f56988fbc5cea1a

SHA512
d7b8d6525b16fc579b96a991bc1dc58d0d0a1027d6e4ddf7b9f90d2c769646d3cdcb62a6146cb43ed734c573a50ac29be640c60b6975c65d945f377ca2c649ec

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
992260373bd78d1cf8ec5948c3a20ef6

SHA1
db4cbf4203c6a3ef15b22091f37fa2e363f72d04

SHA256
578f9672744ad7bc75f803af734616b60a6ea219a7180b188c3075c8568903ba

SHA512
7636f73cd3688f73a02635f2dc6098a5c3d26179f2dc5d24fb07575853942186d2d14987b175c691ec18b34e227b41d4d56c289692582692603c659778c50e5d

Download Submit
memory/112-1505-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/380-1715-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/656-3370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/656-3367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/908-2245-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/908-1084-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/936-5654-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1136-3194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1140-2141-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1228-2335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1268-2142-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1276-2608-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1304-2228-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1304-823-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1424-4005-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-4002-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-2233-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1572-2598-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-2771-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1580-1916-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1816-2920-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-3865-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-3737-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1988-2140-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1992-5452-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-5444-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-5621-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-5846-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2056-88-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2056-93-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2056-5883-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-3167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-2840-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2164-47-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2164-0-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2164-43-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2164-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2172-2240-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2172-2243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2188-5769-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2276-2730-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2288-1915-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2340-2334-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2416-4619-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-4715-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-2699-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-1504-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2460-2231-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2496-5874-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2596-5205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2628-2333-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2652-5430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-2500-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-2930-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-5631-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-5312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-5213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3064-5464-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3216-2232-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3252-3259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3252-3045-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-1917-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3320-5412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3360-1085-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3360-2337-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3636-3932-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-3038-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-2800-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3704-2406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3704-2580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3732-2242-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3740-1298-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3860-2413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3860-2416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3964-1297-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3996-5099-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3996-5020-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-3103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-2808-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4068-5670-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-2940-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4224-2820-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-2234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-2386-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-5422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-2829-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-4304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-4211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-3063-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4704-1714-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4748-92-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-817-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-1506-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4840-1716-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4848-3378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-5783-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-1086-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4904-4935-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-4942-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-3186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-3359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-82-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-3832-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download