pony | b46350b53f45878bccd88a9819a46ad11a2adf6ef65beec709a96ad8460d07bc

Analysis

max time kernel
76s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
Size

2.6MB
MD5

7b5e316957a4e87cbf67dc7c515990e4
SHA1

1e16f827500cc86e79230b1c16de9d6655d9b0e1
SHA256

b46350b53f45878bccd88a9819a46ad11a2adf6ef65beec709a96ad8460d07bc
SHA512

4f24193de02964df999862c77d3c5816644a2ac4fb89f1e6cb2d341f81e163aa41409337644b71d5e6fa9075d3082219dc1fe9c093c24f9c2bfb5ac4a0c33372
SSDEEP

49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl/:86SIROiFJiwp0xlrl/

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1472	explorer.exe
1072	explorer.exe
1436	explorer.exe
1088	spoolsv.exe
1344	spoolsv.exe
952	spoolsv.exe
324	spoolsv.exe
2312	spoolsv.exe
1216	spoolsv.exe
1836	spoolsv.exe
784	spoolsv.exe
2916	spoolsv.exe
2324	spoolsv.exe
2784	spoolsv.exe
2496	spoolsv.exe
2044	spoolsv.exe
2636	spoolsv.exe
2440	spoolsv.exe
2408	spoolsv.exe
520	spoolsv.exe
2740	spoolsv.exe
1980	spoolsv.exe
1492	spoolsv.exe
2136	spoolsv.exe
1712	spoolsv.exe
436	spoolsv.exe
944	spoolsv.exe
2852	spoolsv.exe
2788	spoolsv.exe
2056	spoolsv.exe
1556	spoolsv.exe
2668	spoolsv.exe
2792	spoolsv.exe
700	spoolsv.exe
2508	spoolsv.exe
568	spoolsv.exe
2348	spoolsv.exe
2340	spoolsv.exe
2464	spoolsv.exe
3048	spoolsv.exe
308	spoolsv.exe
2312	spoolsv.exe
1988	spoolsv.exe
1640	spoolsv.exe
2424	spoolsv.exe
1652	spoolsv.exe
1632	spoolsv.exe
2480	spoolsv.exe
572	spoolsv.exe
2720	spoolsv.exe
2628	spoolsv.exe
1912	spoolsv.exe
2680	spoolsv.exe
1104	spoolsv.exe
2196	spoolsv.exe
692	spoolsv.exe
1836	spoolsv.exe
476	spoolsv.exe
1720	spoolsv.exe
2488	spoolsv.exe
980	spoolsv.exe
2480	spoolsv.exe
2712	spoolsv.exe
1656	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1696	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
1696	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
1436	explorer.exe
1436	explorer.exe
1088	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
952	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2312	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
1836	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2916	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2784	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2044	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2440	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
520	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
1980	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2136	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
436	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2852	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2056	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2668	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
700	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
568	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2340	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
3048	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
2312	spoolsv.exe
1436	explorer.exe
1436	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2860 set thread context of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 1516 set thread context of 1696	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 1472 set thread context of 1072	1472	explorer.exe	explorer.exe
PID 1072 set thread context of 1436	1072	explorer.exe	explorer.exe
PID 1088 set thread context of 1344	1088	spoolsv.exe	spoolsv.exe
PID 952 set thread context of 324	952	spoolsv.exe	spoolsv.exe
PID 2312 set thread context of 1216	2312	spoolsv.exe	spoolsv.exe
PID 1836 set thread context of 784	1836	spoolsv.exe	spoolsv.exe
PID 2916 set thread context of 2324	2916	spoolsv.exe	spoolsv.exe
PID 2784 set thread context of 2496	2784	spoolsv.exe	spoolsv.exe
PID 2044 set thread context of 2636	2044	spoolsv.exe	spoolsv.exe
PID 2440 set thread context of 2408	2440	spoolsv.exe	spoolsv.exe
PID 520 set thread context of 2740	520	spoolsv.exe	spoolsv.exe
PID 1980 set thread context of 1492	1980	spoolsv.exe	spoolsv.exe
PID 2136 set thread context of 1712	2136	spoolsv.exe	spoolsv.exe
PID 436 set thread context of 944	436	spoolsv.exe	spoolsv.exe
PID 2852 set thread context of 2788	2852	spoolsv.exe	spoolsv.exe
PID 2056 set thread context of 1556	2056	spoolsv.exe	spoolsv.exe
PID 2668 set thread context of 2792	2668	spoolsv.exe	spoolsv.exe
PID 700 set thread context of 2508	700	spoolsv.exe	spoolsv.exe
PID 568 set thread context of 2348	568	spoolsv.exe	spoolsv.exe
PID 2340 set thread context of 2464	2340	spoolsv.exe	spoolsv.exe
PID 3048 set thread context of 308	3048	spoolsv.exe	spoolsv.exe
PID 2312 set thread context of 1988	2312	spoolsv.exe	spoolsv.exe
PID 1640 set thread context of 2424	1640	spoolsv.exe	spoolsv.exe
PID 1652 set thread context of 1632	1652	spoolsv.exe	spoolsv.exe
PID 2480 set thread context of 572	2480	spoolsv.exe	spoolsv.exe
PID 2720 set thread context of 2628	2720	spoolsv.exe	spoolsv.exe
PID 1912 set thread context of 2680	1912	spoolsv.exe	spoolsv.exe
PID 1104 set thread context of 2196	1104	spoolsv.exe	spoolsv.exe
PID 692 set thread context of 1836	692	spoolsv.exe	spoolsv.exe
PID 476 set thread context of 1720	476	spoolsv.exe	spoolsv.exe
PID 2488 set thread context of 980	2488	spoolsv.exe	spoolsv.exe
PID 2480 set thread context of 2712	2480	spoolsv.exe	spoolsv.exe
PID 1656 set thread context of 2080	1656	spoolsv.exe	spoolsv.exe
PID 940 set thread context of 912	940	spoolsv.exe	spoolsv.exe
PID 1756 set thread context of 2460	1756	spoolsv.exe	spoolsv.exe
PID 2780 set thread context of 1144	2780	spoolsv.exe	spoolsv.exe
PID 2844 set thread context of 2044	2844	spoolsv.exe	spoolsv.exe
PID 1476 set thread context of 2280	1476	spoolsv.exe	spoolsv.exe
PID 1800 set thread context of 956	1800	spoolsv.exe	spoolsv.exe
PID 584 set thread context of 1104	584	spoolsv.exe	spoolsv.exe
PID 364 set thread context of 3000	364	spoolsv.exe	spoolsv.exe
PID 476 set thread context of 2224	476	spoolsv.exe	spoolsv.exe
PID 2840 set thread context of 1832	2840	spoolsv.exe	spoolsv.exe
PID 2868 set thread context of 1156	2868	spoolsv.exe	spoolsv.exe
PID 948 set thread context of 1980	948	spoolsv.exe	spoolsv.exe
PID 2548 set thread context of 3048	2548	spoolsv.exe	spoolsv.exe
PID 2008 set thread context of 2772	2008	spoolsv.exe	spoolsv.exe
PID 1728 set thread context of 1576	1728	spoolsv.exe	spoolsv.exe
PID 2552 set thread context of 1188	2552	spoolsv.exe	spoolsv.exe
PID 2404 set thread context of 1824	2404	spoolsv.exe	spoolsv.exe
PID 948 set thread context of 1680	948	spoolsv.exe	spoolsv.exe
PID 3040 set thread context of 904	3040	spoolsv.exe	spoolsv.exe
PID 2560 set thread context of 2688	2560	spoolsv.exe	spoolsv.exe
PID 940 set thread context of 2076	940	spoolsv.exe	spoolsv.exe
PID 2128 set thread context of 2896	2128	spoolsv.exe	spoolsv.exe
PID 2500 set thread context of 868	2500	spoolsv.exe	spoolsv.exe
PID 1028 set thread context of 1984	1028	spoolsv.exe	spoolsv.exe
PID 3032 set thread context of 1644	3032	spoolsv.exe	spoolsv.exe
PID 2432 set thread context of 984	2432	spoolsv.exe	spoolsv.exe
PID 908 set thread context of 2008	908	spoolsv.exe	spoolsv.exe
PID 2128 set thread context of 1132	2128	spoolsv.exe	spoolsv.exe
PID 2820 set thread context of 2668	2820	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exe7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exeexplorer.exe

pid	process
1696	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1436 explorer.exe

pid	process
1436	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
1696	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
1696	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
1472	explorer.exe
1436	explorer.exe
1436	explorer.exe
1088	spoolsv.exe
1436	explorer.exe
1436	explorer.exe
952	spoolsv.exe
2312	spoolsv.exe
1836	spoolsv.exe
2916	spoolsv.exe
2784	spoolsv.exe
2044	spoolsv.exe
2440	spoolsv.exe
520	spoolsv.exe
1980	spoolsv.exe
2136	spoolsv.exe
436	spoolsv.exe
2852	spoolsv.exe
2056	spoolsv.exe
2668	spoolsv.exe
700	spoolsv.exe
568	spoolsv.exe
2340	spoolsv.exe
3048	spoolsv.exe
2312	spoolsv.exe
1640	spoolsv.exe
1652	spoolsv.exe
2480	spoolsv.exe
2720	spoolsv.exe
1912	spoolsv.exe
1104	spoolsv.exe
692	spoolsv.exe
476	spoolsv.exe
2488	spoolsv.exe
2480	spoolsv.exe
1656	spoolsv.exe
940	spoolsv.exe
1756	spoolsv.exe
2780	spoolsv.exe
2844	spoolsv.exe
1476	spoolsv.exe
1800	spoolsv.exe
584	spoolsv.exe
364	spoolsv.exe
476	spoolsv.exe
2840	spoolsv.exe
2868	spoolsv.exe
948	spoolsv.exe
2548	spoolsv.exe
2008	spoolsv.exe
1728	spoolsv.exe
2552	spoolsv.exe
2404	spoolsv.exe
948	spoolsv.exe
3040	spoolsv.exe
2560	spoolsv.exe
940	spoolsv.exe
2128	spoolsv.exe
2500	spoolsv.exe
1028	spoolsv.exe
3032	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 2860 wrote to memory of 1516	2860	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 1516 wrote to memory of 1960	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	splwow64.exe
PID 1516 wrote to memory of 1960	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	splwow64.exe
PID 1516 wrote to memory of 1960	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	splwow64.exe
PID 1516 wrote to memory of 1960	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	splwow64.exe
PID 1516 wrote to memory of 1696	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 1516 wrote to memory of 1696	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 1516 wrote to memory of 1696	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 1516 wrote to memory of 1696	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 1516 wrote to memory of 1696	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 1516 wrote to memory of 1696	1516	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
PID 1696 wrote to memory of 1472	1696	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	explorer.exe
PID 1696 wrote to memory of 1472	1696	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	explorer.exe
PID 1696 wrote to memory of 1472	1696	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	explorer.exe
PID 1696 wrote to memory of 1472	1696	7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1472 wrote to memory of 1072	1472	explorer.exe	explorer.exe
PID 1072 wrote to memory of 1436	1072	explorer.exe	explorer.exe
PID 1072 wrote to memory of 1436	1072	explorer.exe	explorer.exe
PID 1072 wrote to memory of 1436	1072	explorer.exe	explorer.exe
PID 1072 wrote to memory of 1436	1072	explorer.exe	explorer.exe
PID 1072 wrote to memory of 1436	1072	explorer.exe	explorer.exe
PID 1072 wrote to memory of 1436	1072	explorer.exe	explorer.exe
PID 1436 wrote to memory of 1088	1436	explorer.exe	spoolsv.exe
PID 1436 wrote to memory of 1088	1436	explorer.exe	spoolsv.exe
PID 1436 wrote to memory of 1088	1436	explorer.exe	spoolsv.exe
PID 1436 wrote to memory of 1088	1436	explorer.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe
PID 1088 wrote to memory of 1344	1088	spoolsv.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7b5e316957a4e87cbf67dc7c515990e4_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1472
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1344
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:3108
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:324
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:3744
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        
        PID:3816
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:3980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1216
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:2104
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        
        PID:3192
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:3172
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2324
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:3876
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2496
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2636
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:3440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2408
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:520
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2740
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1492
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1712
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2788
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:3592
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2792
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2508
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4488
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2348
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:2272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2464
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:3232
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:308
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:3548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2424
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1632
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4140
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:572
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4852
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2628
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2680
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2196
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1836
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1720
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:3660
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:980
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4752
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2712
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2080
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:912
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2460
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4664
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1144
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:3676
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2044
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1104
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:364
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3000
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2224
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1156
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3048
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2772
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1576
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4216
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1188
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:1824
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:1680
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:2804
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        
        PID:2720
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:4952
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2688
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2076
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2896
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:868
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1984
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4824
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:1644
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2432
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:984
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:3428
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        
        PID:908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2128
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1132
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:1484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2136
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1584
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:644
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1200
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:584
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1768
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:584
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1224
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:1580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:968
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1748
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5080
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:952
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2596
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:240
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:952
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1952
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3096
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3172
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3312
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3416
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3492
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3680
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3768
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3900
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2128
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3708
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3676
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3880
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3088
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3260
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3364
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3596
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3816
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4044
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3132
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3204
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3252
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3352
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3384
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3408
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3456
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3524
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3568
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3572
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3616
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3716
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3224
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2128
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3320
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3756
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:764
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4236
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1348
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD

Filesize
56KB

MD5
bd72dcf1083b6e22ccbfa0e8e27fb1e0

SHA1
3fd23d4f14da768da7b8364d74c54932d704e74e

SHA256
90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

SHA512
72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

Download Submit
\Windows\system\explorer.exe

Filesize
2.6MB

MD5
3cceb6c4dd59513d89ce0a9a9fddea85

SHA1
7141cc425da2850dea0bc4e9512ffc0bb0cd09cf

SHA256
d1b1e7ff3299954a523dd3048c93956850dfb61e13a1cac8b5390234257573e7

SHA512
6d27b487b697e3064bff65040958784066cdcae6eabcbee6e8e1f842237fba3bb44397e375ce31b98d8b4ec2f663580a0d6ac9432b951b8f359431695e571ab1

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.6MB

MD5
31c5baece65c338b27bf2a1009764ff4

SHA1
3bd487c00bae2d740e5482c36fb89f7f46670487

SHA256
e3830be20537d4338df8108cb5648086c67a282a3c5d8a64a4b516da36fcba4e

SHA512
6020d2b64c57995a2b888b04222cd08b247b9229b53e7c9bec7bcc2a326ea9628a3d896c27a08700893b795116a150ababe7ab899a8633a6beee3ecc43796055

Download Submit
memory/1072-85-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1072-77-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1072-56-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1072-58-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1344-105-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1472-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1472-52-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1516-34-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1516-24-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1516-3-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1516-4-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1516-5-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1516-6-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1516-7-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1580-3735-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1696-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-3521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-3530-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2272-3586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2804-3916-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-2-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/3108-3424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3232-3555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-3448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-3568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3592-3483-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3660-3884-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-3429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-3406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-3608-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-3627-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-3683-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-3833-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4608-3891-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-3774-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4824-3966-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-3803-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-3752-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download