pony | 7b720ccf4119add65c056b698c8cd2a1c0d9c421816cbcc39ba575f8c4001cb5

Analysis

max time kernel
145s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
Size

2.2MB
MD5

04a70f6fa253458940c857253aacbb84
SHA1

c8d72aa387ce2b05a6a1768c01c975a47c237931
SHA256

7b720ccf4119add65c056b698c8cd2a1c0d9c421816cbcc39ba575f8c4001cb5
SHA512

bfe344074a9a6c220bced8a8e2f3e6473b47f92d156ef97a7497de325eaed0c5eb9ca24dfe5ac2685490135a57e427367ae221bc44f285d0f9a710c7435f75de
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ/:0UzeyQMS4DqodCnoe+iitjWww7

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

pid	process
1520	explorer.exe
3876	explorer.exe
4016	spoolsv.exe
3364	spoolsv.exe
3696	spoolsv.exe
3400	spoolsv.exe
2020	spoolsv.exe
996	spoolsv.exe
3016	spoolsv.exe
4036	spoolsv.exe
3552	spoolsv.exe
2204	spoolsv.exe
1508	spoolsv.exe
4428	spoolsv.exe
2572	spoolsv.exe
1052	spoolsv.exe
1968	spoolsv.exe
448	spoolsv.exe
1084	spoolsv.exe
4288	spoolsv.exe
4904	spoolsv.exe
3672	spoolsv.exe
2668	spoolsv.exe
2764	spoolsv.exe
4572	spoolsv.exe
4348	spoolsv.exe
3928	spoolsv.exe
3408	spoolsv.exe
4472	spoolsv.exe
1352	spoolsv.exe
1376	spoolsv.exe
4916	spoolsv.exe
3004	spoolsv.exe
5112	explorer.exe
664	spoolsv.exe
1532	spoolsv.exe
4844	spoolsv.exe
2120	spoolsv.exe
1964	spoolsv.exe
5024	spoolsv.exe
748	explorer.exe
1220	spoolsv.exe
4240	spoolsv.exe
2444	spoolsv.exe
4232	spoolsv.exe
4992	spoolsv.exe
1484	spoolsv.exe
2300	spoolsv.exe
1640	explorer.exe
4012	spoolsv.exe
2544	spoolsv.exe
1312	spoolsv.exe
1544	spoolsv.exe
4364	spoolsv.exe
4600	spoolsv.exe
64	explorer.exe
3852	spoolsv.exe
4252	spoolsv.exe
4480	spoolsv.exe
2348	spoolsv.exe
1684	spoolsv.exe
4136	explorer.exe
3656	spoolsv.exe
4888	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 52 IoCs

Processes:

04a70f6fa253458940c857253aacbb84_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2928 set thread context of 1468	2928	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
PID 1520 set thread context of 3876	1520	explorer.exe	explorer.exe
PID 4016 set thread context of 3004	4016	spoolsv.exe	spoolsv.exe
PID 3364 set thread context of 664	3364	spoolsv.exe	spoolsv.exe
PID 3696 set thread context of 1532	3696	spoolsv.exe	spoolsv.exe
PID 3400 set thread context of 4844	3400	spoolsv.exe	spoolsv.exe
PID 2020 set thread context of 1964	2020	spoolsv.exe	spoolsv.exe
PID 996 set thread context of 5024	996	spoolsv.exe	spoolsv.exe
PID 3016 set thread context of 1220	3016	spoolsv.exe	spoolsv.exe
PID 4036 set thread context of 4240	4036	spoolsv.exe	spoolsv.exe
PID 3552 set thread context of 2444	3552	spoolsv.exe	spoolsv.exe
PID 2204 set thread context of 4232	2204	spoolsv.exe	spoolsv.exe
PID 1508 set thread context of 1484	1508	spoolsv.exe	spoolsv.exe
PID 4428 set thread context of 2300	4428	spoolsv.exe	spoolsv.exe
PID 2572 set thread context of 4012	2572	spoolsv.exe	spoolsv.exe
PID 1052 set thread context of 1312	1052	spoolsv.exe	spoolsv.exe
PID 1968 set thread context of 1544	1968	spoolsv.exe	spoolsv.exe
PID 448 set thread context of 4364	448	spoolsv.exe	spoolsv.exe
PID 1084 set thread context of 4600	1084	spoolsv.exe	spoolsv.exe
PID 4288 set thread context of 4252	4288	spoolsv.exe	spoolsv.exe
PID 4904 set thread context of 4480	4904	spoolsv.exe	spoolsv.exe
PID 3672 set thread context of 2348	3672	spoolsv.exe	spoolsv.exe
PID 2668 set thread context of 3656	2668	spoolsv.exe	spoolsv.exe
PID 2764 set thread context of 4888	2764	spoolsv.exe	spoolsv.exe
PID 4572 set thread context of 3796	4572	spoolsv.exe	spoolsv.exe
PID 4348 set thread context of 4792	4348	spoolsv.exe	spoolsv.exe
PID 3928 set thread context of 3596	3928	spoolsv.exe	spoolsv.exe
PID 3408 set thread context of 5088	3408	spoolsv.exe	spoolsv.exe
PID 4472 set thread context of 3668	4472	spoolsv.exe	spoolsv.exe
PID 1352 set thread context of 4104	1352	spoolsv.exe	spoolsv.exe
PID 1376 set thread context of 4924	1376	spoolsv.exe	spoolsv.exe
PID 4916 set thread context of 60	4916	spoolsv.exe	spoolsv.exe
PID 5112 set thread context of 2540	5112	explorer.exe	explorer.exe
PID 2120 set thread context of 4644	2120	spoolsv.exe	spoolsv.exe
PID 748 set thread context of 3100	748	explorer.exe	explorer.exe
PID 4992 set thread context of 1148	4992	spoolsv.exe	spoolsv.exe
PID 1640 set thread context of 1104	1640	explorer.exe	explorer.exe
PID 2544 set thread context of 2136	2544	spoolsv.exe	spoolsv.exe
PID 64 set thread context of 4076	64	explorer.exe	explorer.exe
PID 3852 set thread context of 1804	3852	spoolsv.exe	spoolsv.exe
PID 1684 set thread context of 3320	1684	spoolsv.exe	spoolsv.exe
PID 4136 set thread context of 2404	4136	explorer.exe	explorer.exe
PID 5084 set thread context of 4492	5084	spoolsv.exe	spoolsv.exe
PID 5012 set thread context of 4308	5012	explorer.exe	explorer.exe
PID 3064 set thread context of 2568	3064	spoolsv.exe	spoolsv.exe
PID 3972 set thread context of 1812	3972	explorer.exe	explorer.exe
PID 4780 set thread context of 3600	4780	spoolsv.exe	spoolsv.exe
PID 4544 set thread context of 1860	4544	spoolsv.exe	spoolsv.exe
PID 4480 set thread context of 1568	4480	spoolsv.exe	spoolsv.exe
PID 3832 set thread context of 3540	3832	explorer.exe	explorer.exe
PID 1972 set thread context of 3756	1972	spoolsv.exe	spoolsv.exe
PID 1448 set thread context of 552	1448	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe04a70f6fa253458940c857253aacbb84_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exe04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

04a70f6fa253458940c857253aacbb84_JaffaCakes118.exeexplorer.exe

pid	process
1468	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
1468	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3876 explorer.exe

pid	process
3876	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1468	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
1468	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3004	spoolsv.exe
3004	spoolsv.exe
664	spoolsv.exe
664	spoolsv.exe
1532	spoolsv.exe
1532	spoolsv.exe
4844	spoolsv.exe
4844	spoolsv.exe
1964	spoolsv.exe
1964	spoolsv.exe
5024	spoolsv.exe
5024	spoolsv.exe
1220	spoolsv.exe
1220	spoolsv.exe
4240	spoolsv.exe
4240	spoolsv.exe
2444	spoolsv.exe
2444	spoolsv.exe
4232	spoolsv.exe
4232	spoolsv.exe
1484	spoolsv.exe
1484	spoolsv.exe
2300	spoolsv.exe
2300	spoolsv.exe
4012	spoolsv.exe
4012	spoolsv.exe
1312	spoolsv.exe
1312	spoolsv.exe
1544	spoolsv.exe
1544	spoolsv.exe
4364	spoolsv.exe
4364	spoolsv.exe
4600	spoolsv.exe
4600	spoolsv.exe
4252	spoolsv.exe
4252	spoolsv.exe
4480	spoolsv.exe
4480	spoolsv.exe
2348	spoolsv.exe
2348	spoolsv.exe
3656	spoolsv.exe
3656	spoolsv.exe
4888	spoolsv.exe
4888	spoolsv.exe
3796	spoolsv.exe
3796	spoolsv.exe
4792	spoolsv.exe
4792	spoolsv.exe
3596	spoolsv.exe
3596	spoolsv.exe
5088	spoolsv.exe
5088	spoolsv.exe
3668	spoolsv.exe
3668	spoolsv.exe
4104	spoolsv.exe
4104	spoolsv.exe
4924	spoolsv.exe
4924	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe04a70f6fa253458940c857253aacbb84_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2928 wrote to memory of 4200	2928	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	splwow64.exe
PID 2928 wrote to memory of 4200	2928	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	splwow64.exe
PID 2928 wrote to memory of 1468	2928	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
PID 2928 wrote to memory of 1468	2928	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
PID 2928 wrote to memory of 1468	2928	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
PID 2928 wrote to memory of 1468	2928	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
PID 2928 wrote to memory of 1468	2928	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
PID 1468 wrote to memory of 1520	1468	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	explorer.exe
PID 1468 wrote to memory of 1520	1468	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	explorer.exe
PID 1468 wrote to memory of 1520	1468	04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe	explorer.exe
PID 1520 wrote to memory of 3876	1520	explorer.exe	explorer.exe
PID 1520 wrote to memory of 3876	1520	explorer.exe	explorer.exe
PID 1520 wrote to memory of 3876	1520	explorer.exe	explorer.exe
PID 1520 wrote to memory of 3876	1520	explorer.exe	explorer.exe
PID 1520 wrote to memory of 3876	1520	explorer.exe	explorer.exe
PID 3876 wrote to memory of 4016	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 4016	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 4016	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3364	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3364	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3364	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3696	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3696	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3696	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3400	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3400	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3400	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 2020	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 2020	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 2020	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 996	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 996	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 996	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3016	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3016	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3016	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 4036	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 4036	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 4036	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3552	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3552	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 3552	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 2204	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 2204	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 2204	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 1508	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 1508	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 1508	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 4428	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 4428	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 4428	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 2572	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 2572	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 2572	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 1052	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 1052	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 1052	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 1968	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 1968	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 1968	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 448	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 448	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 448	3876	explorer.exe	spoolsv.exe
PID 3876 wrote to memory of 1084	3876	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4200
- C:\Users\Admin\AppData\Local\Temp\04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\04a70f6fa253458940c857253aacbb84_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1468
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5112
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3364
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3696
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2020
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:748
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4036
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3552
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2204
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1508
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1640
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1052
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1968
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:64
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4288
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4904
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3672
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4136
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2764
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4348
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3928
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3596
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5012
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3408
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4472
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1352
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1376
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4924
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3972
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4916
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:60
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:3832
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2120
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4644
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:392
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4992
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1148
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2544
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2136
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3852
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1804
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1684
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3320
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4492
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4780
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4544
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4480
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1568
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1972
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1520
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3312
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1296
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
e8786022dce2671d56de03e1a249bce2

SHA1
8457a21ed73feb3bec793dbbed92f1dbcadd3644

SHA256
85bba2004a0c0b916101423a36009b852c3dcce3a0bea770b38e0b19901c512e

SHA512
17320a9fda4f649c76fe4474deb06053e8012c7b269b6b6a8d6aab24f6cffd153e74585bd557653eaac8af9327054a8388fdb6bf4668bf374b6ef1b3bd2e0477

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
2a948ec2c0de27f023884738ab51f9f0

SHA1
125ce8ffec07734458bd2e4f0bdf8b5b47439105

SHA256
039be8f8feb8196676ce0c3b5507962f76f1bacd70bb1deef644cdee41223b17

SHA512
d696d5eacc8de072aecba08d7505b54dd036d623dce9989177d7546c566dd0800d1c182110af854833cac2a5fadd670acab1f6cb669c96c1e7b386bc3527bb24

Download Submit
memory/60-3540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/448-1812-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/552-5104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/664-1959-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/664-1960-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/996-1123-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1052-1662-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1084-1813-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1104-4053-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1148-3997-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1148-3900-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1296-5396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-2469-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-2300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1508-1470-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1520-79-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1520-84-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1532-1969-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1544-2481-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1568-5073-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1804-4396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1812-4820-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1860-4932-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-2149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1968-1663-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2020-1122-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2136-4179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-1272-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2300-2555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-2361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-2788-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2404-4526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2444-2199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-3397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-4809-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-1661-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2668-1968-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2928-26-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2928-28-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2928-0-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2928-34-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3004-2144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-1948-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3016-1124-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3100-3755-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-5260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-5374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3320-4648-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3320-4520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3364-949-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3364-1956-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3400-951-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3400-1978-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3552-1271-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3596-2958-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-3113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-4829-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3656-2806-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-1957-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3696-950-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3696-1971-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3756-5091-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3756-5096-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3796-2826-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-83-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-782-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-5405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4012-2372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4012-2368-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-783-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4016-1949-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4036-1270-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4076-4287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-2984-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-2212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-2208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4240-2186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4240-2189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-2660-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-1814-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4308-4801-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-1471-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4480-2671-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-4984-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-2711-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-2573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-3745-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-3878-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4792-2837-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-2816-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-1947-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4924-3141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-2336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-2168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-2967-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download